From 8de66b27ad6388735b3a20ed47001722a33cbcbb Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 7 May 2020 20:51:06 +0200
Subject: [PATCH 01/80] flows/*: Initial flows stage1 implementation

---
 passbook/flows/__init__.py                   |   0
 passbook/flows/apps.py                       |  11 ++
 passbook/flows/migrations/0001_initial.py    | 108 +++++++++++++++++++
 passbook/flows/migrations/__init__.py        |   0
 passbook/flows/models.py                     |  71 ++++++++++++
 passbook/flows/urls.py                       |   2 +
 passbook/policies/apps.py                    |  10 ++
 passbook/policies/migrations/0001_initial.py |  77 +++++++++++++
 passbook/policies/migrations/__init__.py     |   0
 passbook/policies/models.py                  |  31 ++++++
 passbook/root/settings.py                    |   2 +
 passbook/root/urls.py                        |   6 +-
 12 files changed, 317 insertions(+), 1 deletion(-)
 create mode 100644 passbook/flows/__init__.py
 create mode 100644 passbook/flows/apps.py
 create mode 100644 passbook/flows/migrations/0001_initial.py
 create mode 100644 passbook/flows/migrations/__init__.py
 create mode 100644 passbook/flows/models.py
 create mode 100644 passbook/flows/urls.py
 create mode 100644 passbook/policies/apps.py
 create mode 100644 passbook/policies/migrations/0001_initial.py
 create mode 100644 passbook/policies/migrations/__init__.py
 create mode 100644 passbook/policies/models.py

diff --git a/passbook/flows/__init__.py b/passbook/flows/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/flows/apps.py b/passbook/flows/apps.py
new file mode 100644
index 000000000..11f2d21d4
--- /dev/null
+++ b/passbook/flows/apps.py
@@ -0,0 +1,11 @@
+"""passbook flows app config"""
+from django.apps import AppConfig
+
+
+class PassbookFlowsConfig(AppConfig):
+    """passbook flows app config"""
+
+    name = "passbook.flows"
+    label = "passbook_flows"
+    mountpoint = "flows/"
+    verbose_name = "passbook Flows"
diff --git a/passbook/flows/migrations/0001_initial.py b/passbook/flows/migrations/0001_initial.py
new file mode 100644
index 000000000..e07d2ce27
--- /dev/null
+++ b/passbook/flows/migrations/0001_initial.py
@@ -0,0 +1,108 @@
+# Generated by Django 3.0.3 on 2020-05-07 18:35
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_policies", "0001_initial"),
+        ("passbook_core", "0011_auto_20200222_1822"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Flow",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("name", models.TextField()),
+                ("slug", models.SlugField(unique=True)),
+                (
+                    "designation",
+                    models.CharField(
+                        choices=[
+                            ("AUTHENTICATION", "authentication"),
+                            ("ENROLLMENT", "enrollment"),
+                            ("RECOVERY", "recovery"),
+                        ],
+                        max_length=100,
+                    ),
+                ),
+                (
+                    "pbm",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        related_name="+",
+                        to="passbook_policies.PolicyBindingModel",
+                    ),
+                ),
+            ],
+            options={"verbose_name": "Flow", "verbose_name_plural": "Flows",},
+            bases=("passbook_policies.policybindingmodel", models.Model),
+        ),
+        migrations.CreateModel(
+            name="FlowFactorBinding",
+            fields=[
+                (
+                    "policybindingmodel_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        to="passbook_policies.PolicyBindingModel",
+                    ),
+                ),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("order", models.IntegerField()),
+                (
+                    "factor",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="passbook_core.Factor",
+                    ),
+                ),
+                (
+                    "flow",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="passbook_flows.Flow",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Flow Factor Binding",
+                "verbose_name_plural": "Flow Factor Bindings",
+                "unique_together": {("flow", "factor", "order")},
+            },
+            bases=("passbook_policies.policybindingmodel", models.Model),
+        ),
+        migrations.AddField(
+            model_name="flow",
+            name="factors",
+            field=models.ManyToManyField(
+                through="passbook_flows.FlowFactorBinding", to="passbook_core.Factor"
+            ),
+        ),
+    ]
diff --git a/passbook/flows/migrations/__init__.py b/passbook/flows/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
new file mode 100644
index 000000000..a2d9a1a3a
--- /dev/null
+++ b/passbook/flows/models.py
@@ -0,0 +1,71 @@
+"""Flow models"""
+from enum import Enum
+from typing import Tuple
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from passbook.core.models import Factor
+from passbook.lib.models import UUIDModel
+from passbook.policies.models import PolicyBindingModel
+
+
+class FlowDesignation(Enum):
+    """Designation of what a Flow should be used for. At a later point, this
+    should be replaced by a database entry."""
+
+    AUTHENTICATION = "authentication"
+    ENROLLMENT = "enrollment"
+    RECOVERY = "recovery"
+
+    @staticmethod
+    def as_choices() -> Tuple[Tuple[str, str]]:
+        """Generate choices of actions used for database"""
+        return tuple(
+            (x, y.value) for x, y in getattr(FlowDesignation, "__members__").items()
+        )
+
+
+class Flow(PolicyBindingModel, UUIDModel):
+    """Flow describes how a series of Factors should be executed to authenticate/enroll/recover
+    a user. Additionally, policies can be applied, to specify which users
+    have access to this flow."""
+
+    name = models.TextField()
+    slug = models.SlugField(unique=True)
+
+    designation = models.CharField(max_length=100, choices=FlowDesignation.as_choices())
+
+    factors = models.ManyToManyField(Factor, through="FlowFactorBinding")
+
+    pbm = models.OneToOneField(
+        PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"
+    )
+
+    def __str__(self) -> str:
+        return f"Flow {self.name} ({self.slug})"
+
+    class Meta:
+
+        verbose_name = _("Flow")
+        verbose_name_plural = _("Flows")
+
+
+class FlowFactorBinding(PolicyBindingModel, UUIDModel):
+    """Relationship between Flow and Factor. Order is required and unique for
+    each flow-factor Binding. Additionally, policies can be specified, which determine if
+    this Binding applies to the current user"""
+
+    flow = models.ForeignKey("Flow", on_delete=models.CASCADE)
+    factor = models.ForeignKey(Factor, on_delete=models.CASCADE)
+
+    order = models.IntegerField()
+
+    def __str__(self) -> str:
+        return f"Flow Factor Binding {self.flow} -> {self.factor}"
+
+    class Meta:
+
+        verbose_name = _("Flow Factor Binding")
+        verbose_name_plural = _("Flow Factor Bindings")
+        unique_together = (("flow", "factor", "order"),)
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
new file mode 100644
index 000000000..a55895878
--- /dev/null
+++ b/passbook/flows/urls.py
@@ -0,0 +1,2 @@
+"""flow urls"""
+urlpatterns = []
diff --git a/passbook/policies/apps.py b/passbook/policies/apps.py
new file mode 100644
index 000000000..5795355b6
--- /dev/null
+++ b/passbook/policies/apps.py
@@ -0,0 +1,10 @@
+"""passbook policies app config"""
+from django.apps import AppConfig
+
+
+class PassbookPoliciesConfig(AppConfig):
+    """passbook policies app config"""
+
+    name = "passbook.policies"
+    label = "passbook_policies"
+    verbose_name = "passbook Policies"
diff --git a/passbook/policies/migrations/0001_initial.py b/passbook/policies/migrations/0001_initial.py
new file mode 100644
index 000000000..bc0f6b7ef
--- /dev/null
+++ b/passbook/policies/migrations/0001_initial.py
@@ -0,0 +1,77 @@
+# Generated by Django 3.0.3 on 2020-05-07 18:35
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_core", "0011_auto_20200222_1822"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PolicyBinding",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("enabled", models.BooleanField(default=True)),
+                ("order", models.IntegerField(default=0)),
+                (
+                    "policy",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="+",
+                        to="passbook_core.Policy",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Policy Binding",
+                "verbose_name_plural": "Policy Bindings",
+            },
+        ),
+        migrations.CreateModel(
+            name="PolicyBindingModel",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "policies",
+                    models.ManyToManyField(
+                        related_name="_policybindingmodel_policies_+",
+                        through="passbook_policies.PolicyBinding",
+                        to="passbook_core.Policy",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="policybinding",
+            name="target",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="+",
+                to="passbook_policies.PolicyBindingModel",
+            ),
+        ),
+    ]
diff --git a/passbook/policies/migrations/__init__.py b/passbook/policies/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/policies/models.py b/passbook/policies/models.py
new file mode 100644
index 000000000..1fae3ab4b
--- /dev/null
+++ b/passbook/policies/models.py
@@ -0,0 +1,31 @@
+"""Policy base models"""
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from passbook.core.models import Policy
+from passbook.lib.models import UUIDModel
+
+
+class PolicyBindingModel(models.Model):
+    """Base Model for objects which have Policies applied to them"""
+
+    policies = models.ManyToManyField(Policy, through="PolicyBinding", related_name="+")
+
+
+class PolicyBinding(UUIDModel):
+    """Relationship between a Policy and a PolicyBindingModel."""
+
+    enabled = models.BooleanField(default=True)
+
+    policy = models.ForeignKey(Policy, on_delete=models.CASCADE, related_name="+")
+    target = models.ForeignKey(
+        PolicyBindingModel, on_delete=models.CASCADE, related_name="+"
+    )
+
+    # default value and non-unique for compatibility
+    order = models.IntegerField(default=0)
+
+    class Meta:
+
+        verbose_name = _("Policy Binding")
+        verbose_name_plural = _("Policy Bindings")
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 3f4ad769a..9b22a0174 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -83,6 +83,8 @@ INSTALLED_APPS = [
     "passbook.admin.apps.PassbookAdminConfig",
     "passbook.api.apps.PassbookAPIConfig",
     "passbook.lib.apps.PassbookLibConfig",
+    "passbook.flows.apps.PassbookFlowsConfig",
+    "passbook.policies.apps.PassbookPoliciesConfig",
     "passbook.audit.apps.PassbookAuditConfig",
     "passbook.crypto.apps.PassbookCryptoConfig",
     "passbook.recovery.apps.PassbookRecoveryConfig",
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index b9741a118..b7e44d7cd 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -30,7 +30,11 @@ for _passbook_app in get_apps():
             ),
         )
         urlpatterns.append(_path)
-        LOGGER.debug("Mounted URLs", app_name=_passbook_app.name)
+        LOGGER.debug(
+            "Mounted URLs",
+            app_name=_passbook_app.name,
+            mountpoint=_passbook_app.mountpoint,
+        )
 
 urlpatterns += [
     # Administration

From 5400882d78858265eabb2ee4b43372be0158a56a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 7 May 2020 21:30:52 +0200
Subject: [PATCH 02/80] flows/: more migration progress, consolidate views

---
 .../core/templates/login/factors/backend.html |  2 +-
 .../core/tests/test_views_authentication.py   |  2 +-
 passbook/core/urls.py                         | 15 -------------
 passbook/core/views/authentication.py         |  4 ++--
 passbook/factors/captcha/factor.py            |  2 +-
 passbook/factors/captcha/forms.py             |  2 +-
 passbook/factors/dummy/factor.py              |  2 +-
 passbook/factors/dummy/forms.py               |  2 +-
 passbook/factors/email/factor.py              |  2 +-
 passbook/factors/email/forms.py               |  2 +-
 passbook/factors/otp/factors.py               |  2 +-
 passbook/factors/otp/forms.py                 |  2 +-
 passbook/factors/password/factor.py           |  4 ++--
 passbook/factors/password/forms.py            |  2 +-
 .../{factors/base.py => flows/factor_base.py} |  2 +-
 passbook/{factors => flows}/forms.py          |  0
 ..._flowfactorbinding_re_evaluate_policies.py | 21 ++++++++++++++++++
 passbook/flows/models.py                      |  7 ++++++
 passbook/{factors => flows}/tests.py          | 22 +++++++++----------
 passbook/flows/urls.py                        | 18 ++++++++++++++-
 passbook/{factors => flows}/view.py           |  4 ++--
 passbook/policies/expression/evaluator.py     |  2 +-
 passbook/sources/oauth/views/core.py          |  4 ++--
 23 files changed, 77 insertions(+), 48 deletions(-)
 rename passbook/{factors/base.py => flows/factor_base.py} (95%)
 rename passbook/{factors => flows}/forms.py (100%)
 create mode 100644 passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
 rename passbook/{factors => flows}/tests.py (86%)
 rename passbook/{factors => flows}/view.py (98%)

diff --git a/passbook/core/templates/login/factors/backend.html b/passbook/core/templates/login/factors/backend.html
index a88dd6b0a..2115e9682 100644
--- a/passbook/core/templates/login/factors/backend.html
+++ b/passbook/core/templates/login/factors/backend.html
@@ -4,6 +4,6 @@
 
 {% block beneath_form %}
 {% if show_password_forget_notice %}
-<a href="{% url 'passbook_core:auth-process' %}?password-forgotten">{% trans 'Forgot password?' %}</a>
+<a href="{% url 'passbook_flows:auth-process' %}?password-forgotten">{% trans 'Forgot password?' %}</a>
 {% endif %}
 {% endblock %}
diff --git a/passbook/core/tests/test_views_authentication.py b/passbook/core/tests/test_views_authentication.py
index 4dd0b0954..870484223 100644
--- a/passbook/core/tests/test_views_authentication.py
+++ b/passbook/core/tests/test_views_authentication.py
@@ -77,7 +77,7 @@ class TestAuthenticationViews(TestCase):
             reverse("passbook_core:auth-login"), data=self.login_data
         )
         self.assertEqual(login_response.status_code, 302)
-        self.assertEqual(login_response.url, reverse("passbook_core:auth-process"))
+        self.assertEqual(login_response.url, reverse("passbook_flows:auth-process"))
 
     def test_sign_up_view_post(self):
         """Test account.sign_up view POST (Anonymous)"""
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index 154cc12f1..3e3ce066f 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -1,11 +1,7 @@
 """passbook URL Configuration"""
 from django.urls import path
-from structlog import get_logger
 
 from passbook.core.views import authentication, overview, user
-from passbook.factors import view
-
-LOGGER = get_logger()
 
 urlpatterns = [
     # Authentication views
@@ -17,22 +13,11 @@ urlpatterns = [
         authentication.SignUpConfirmView.as_view(),
         name="auth-sign-up-confirm",
     ),
-    path(
-        "auth/process/denied/",
-        view.FactorPermissionDeniedView.as_view(),
-        name="auth-denied",
-    ),
     path(
         "auth/password/reset/<uuid:nonce>/",
         authentication.PasswordResetView.as_view(),
         name="auth-password-reset",
     ),
-    path("auth/process/", view.AuthenticationView.as_view(), name="auth-process"),
-    path(
-        "auth/process/<slug:factor>/",
-        view.AuthenticationView.as_view(),
-        name="auth-process",
-    ),
     # User views
     path("_/user/", user.UserSettingsView.as_view(), name="user-settings"),
     path("_/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 4749beeda..2c34a3fec 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -16,7 +16,7 @@ from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import Invitation, Nonce, Source, User
 from passbook.core.signals import invitation_used, user_signed_up
 from passbook.factors.password.exceptions import PasswordPolicyInvalid
-from passbook.factors.view import AuthenticationView, _redirect_with_qs
+from passbook.flows.view import AuthenticationView, _redirect_with_qs
 from passbook.lib.config import CONFIG
 
 LOGGER = get_logger()
@@ -72,7 +72,7 @@ class LoginView(UserPassesTestMixin, FormView):
             # No user found
             return self.invalid_login(self.request)
         self.request.session[AuthenticationView.SESSION_PENDING_USER] = pre_user.pk
-        return _redirect_with_qs("passbook_core:auth-process", self.request.GET)
+        return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
 
     def invalid_login(
         self, request: HttpRequest, disabled_user: User = None
diff --git a/passbook/factors/captcha/factor.py b/passbook/factors/captcha/factor.py
index 88fdd4c15..67e2970ba 100644
--- a/passbook/factors/captcha/factor.py
+++ b/passbook/factors/captcha/factor.py
@@ -2,8 +2,8 @@
 
 from django.views.generic import FormView
 
-from passbook.factors.base import AuthenticationFactor
 from passbook.factors.captcha.forms import CaptchaForm
+from passbook.flows.factor_base import AuthenticationFactor
 
 
 class CaptchaFactor(FormView, AuthenticationFactor):
diff --git a/passbook/factors/captcha/forms.py b/passbook/factors/captcha/forms.py
index 9ac94ddeb..c19a3eeb4 100644
--- a/passbook/factors/captcha/forms.py
+++ b/passbook/factors/captcha/forms.py
@@ -5,7 +5,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
 from passbook.factors.captcha.models import CaptchaFactor
-from passbook.factors.forms import GENERAL_FIELDS
+from passbook.flows.forms import GENERAL_FIELDS
 
 
 class CaptchaForm(forms.Form):
diff --git a/passbook/factors/dummy/factor.py b/passbook/factors/dummy/factor.py
index 63fce66c1..9b3320d2f 100644
--- a/passbook/factors/dummy/factor.py
+++ b/passbook/factors/dummy/factor.py
@@ -1,7 +1,7 @@
 """passbook multi-factor authentication engine"""
 from django.http import HttpRequest
 
-from passbook.factors.base import AuthenticationFactor
+from passbook.flows.factor_base import AuthenticationFactor
 
 
 class DummyFactor(AuthenticationFactor):
diff --git a/passbook/factors/dummy/forms.py b/passbook/factors/dummy/forms.py
index c3a0bdf7f..72de002c9 100644
--- a/passbook/factors/dummy/forms.py
+++ b/passbook/factors/dummy/forms.py
@@ -4,7 +4,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
 from passbook.factors.dummy.models import DummyFactor
-from passbook.factors.forms import GENERAL_FIELDS
+from passbook.flows.forms import GENERAL_FIELDS
 
 
 class DummyFactorForm(forms.ModelForm):
diff --git a/passbook/factors/email/factor.py b/passbook/factors/email/factor.py
index 082d7ef8a..07401a90d 100644
--- a/passbook/factors/email/factor.py
+++ b/passbook/factors/email/factor.py
@@ -6,9 +6,9 @@ from django.utils.translation import gettext as _
 from structlog import get_logger
 
 from passbook.core.models import Nonce
-from passbook.factors.base import AuthenticationFactor
 from passbook.factors.email.tasks import send_mails
 from passbook.factors.email.utils import TemplateEmailMessage
+from passbook.flows.factor_base import AuthenticationFactor
 from passbook.lib.config import CONFIG
 
 LOGGER = get_logger()
diff --git a/passbook/factors/email/forms.py b/passbook/factors/email/forms.py
index 862e90959..8429a0870 100644
--- a/passbook/factors/email/forms.py
+++ b/passbook/factors/email/forms.py
@@ -4,7 +4,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
 from passbook.factors.email.models import EmailFactor
-from passbook.factors.forms import GENERAL_FIELDS
+from passbook.flows.forms import GENERAL_FIELDS
 
 
 class EmailFactorForm(forms.ModelForm):
diff --git a/passbook/factors/otp/factors.py b/passbook/factors/otp/factors.py
index e16d8111b..c7053731b 100644
--- a/passbook/factors/otp/factors.py
+++ b/passbook/factors/otp/factors.py
@@ -5,9 +5,9 @@ from django.views.generic import FormView
 from django_otp import match_token, user_has_device
 from structlog import get_logger
 
-from passbook.factors.base import AuthenticationFactor
 from passbook.factors.otp.forms import OTPVerifyForm
 from passbook.factors.otp.views import OTP_SETTING_UP_KEY, EnableView
+from passbook.flows.factor_base import AuthenticationFactor
 
 LOGGER = get_logger()
 
diff --git a/passbook/factors/otp/forms.py b/passbook/factors/otp/forms.py
index b71198a80..c6c6816a5 100644
--- a/passbook/factors/otp/forms.py
+++ b/passbook/factors/otp/forms.py
@@ -7,8 +7,8 @@ from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
 from django_otp.models import Device
 
-from passbook.factors.forms import GENERAL_FIELDS
 from passbook.factors.otp.models import OTPFactor
+from passbook.flows.forms import GENERAL_FIELDS
 
 OTP_CODE_VALIDATOR = RegexValidator(
     r"^[0-9a-z]{6,8}$", _("Only alpha-numeric characters are allowed.")
diff --git a/passbook/factors/password/factor.py b/passbook/factors/password/factor.py
index 0aaf7c7d0..d71600b99 100644
--- a/passbook/factors/password/factor.py
+++ b/passbook/factors/password/factor.py
@@ -11,9 +11,9 @@ from django.views.generic import FormView
 from structlog import get_logger
 
 from passbook.core.models import User
-from passbook.factors.base import AuthenticationFactor
 from passbook.factors.password.forms import PasswordForm
-from passbook.factors.view import AuthenticationView
+from passbook.flows.factor_base import AuthenticationFactor
+from passbook.flows.view import AuthenticationView
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import path_to_class
 
diff --git a/passbook/factors/password/forms.py b/passbook/factors/password/forms.py
index 1594ab876..50b48e5c0 100644
--- a/passbook/factors/password/forms.py
+++ b/passbook/factors/password/forms.py
@@ -4,8 +4,8 @@ from django.conf import settings
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
-from passbook.factors.forms import GENERAL_FIELDS
 from passbook.factors.password.models import PasswordFactor
+from passbook.flows.forms import GENERAL_FIELDS
 from passbook.lib.utils.reflection import path_to_class
 
 
diff --git a/passbook/factors/base.py b/passbook/flows/factor_base.py
similarity index 95%
rename from passbook/factors/base.py
rename to passbook/flows/factor_base.py
index ec44b213d..05766cfd1 100644
--- a/passbook/factors/base.py
+++ b/passbook/flows/factor_base.py
@@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
 from django.views.generic import TemplateView
 
 from passbook.core.models import User
-from passbook.factors.view import AuthenticationView
+from passbook.flows.view import AuthenticationView
 from passbook.lib.config import CONFIG
 
 
diff --git a/passbook/factors/forms.py b/passbook/flows/forms.py
similarity index 100%
rename from passbook/factors/forms.py
rename to passbook/flows/forms.py
diff --git a/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py b/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
new file mode 100644
index 000000000..bbd5bf15c
--- /dev/null
+++ b/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.0.3 on 2020-05-07 19:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_flows", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flowfactorbinding",
+            name="re_evaluate_policies",
+            field=models.BooleanField(
+                default=False,
+                help_text="When this option is enabled, the planner will re-evaluate policies bound to this.",
+            ),
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index a2d9a1a3a..7fa595ef5 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -59,6 +59,13 @@ class FlowFactorBinding(PolicyBindingModel, UUIDModel):
     flow = models.ForeignKey("Flow", on_delete=models.CASCADE)
     factor = models.ForeignKey(Factor, on_delete=models.CASCADE)
 
+    re_evaluate_policies = models.BooleanField(
+        default=False,
+        help_text=_(
+            "When this option is enabled, the planner will re-evaluate policies bound to this."
+        ),
+    )
+
     order = models.IntegerField()
 
     def __str__(self) -> str:
diff --git a/passbook/factors/tests.py b/passbook/flows/tests.py
similarity index 86%
rename from passbook/factors/tests.py
rename to passbook/flows/tests.py
index 3311081a3..ec1f444bf 100644
--- a/passbook/factors/tests.py
+++ b/passbook/flows/tests.py
@@ -10,7 +10,7 @@ from django.urls import reverse
 from passbook.core.models import User
 from passbook.factors.dummy.models import DummyFactor
 from passbook.factors.password.models import PasswordFactor
-from passbook.factors.view import AuthenticationView
+from passbook.flows.view import AuthenticationView
 
 
 class TestFactorAuthentication(TestCase):
@@ -37,13 +37,13 @@ class TestFactorAuthentication(TestCase):
 
     def test_unauthenticated_raw(self):
         """test direct call to AuthenticationView"""
-        response = self.client.get(reverse("passbook_core:auth-process"))
+        response = self.client.get(reverse("passbook_flows:auth-process"))
         # Response should be 400 since no pending user is set
         self.assertEqual(response.status_code, 400)
 
     def test_unauthenticated_prepared(self):
         """test direct call but with pending_uesr in session"""
-        request = RequestFactory().get(reverse("passbook_core:auth-process"))
+        request = RequestFactory().get(reverse("passbook_flows:auth-process"))
         request.user = AnonymousUser()
         request.session = {}
         request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
@@ -55,21 +55,21 @@ class TestFactorAuthentication(TestCase):
         """Test with all factors disabled"""
         self.factor.enabled = False
         self.factor.save()
-        request = RequestFactory().get(reverse("passbook_core:auth-process"))
+        request = RequestFactory().get(reverse("passbook_flows:auth-process"))
         request.user = AnonymousUser()
         request.session = {}
         request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
 
         response = AuthenticationView.as_view()(request)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_core:auth-denied"))
+        self.assertEqual(response.url, reverse("passbook_flows:auth-denied"))
         self.factor.enabled = True
         self.factor.save()
 
     def test_authenticated(self):
         """Test with already logged in user"""
         self.client.force_login(self.user)
-        response = self.client.get(reverse("passbook_core:auth-process"))
+        response = self.client.get(reverse("passbook_flows:auth-process"))
         # Response should be 400 since no pending user is set
         self.assertEqual(response.status_code, 400)
         self.client.logout()
@@ -77,7 +77,7 @@ class TestFactorAuthentication(TestCase):
     def test_unauthenticated_post(self):
         """Test post request as unauthenticated user"""
         request = RequestFactory().post(
-            reverse("passbook_core:auth-process"), data={"password": self.password}
+            reverse("passbook_flows:auth-process"), data={"password": self.password}
         )
         request.user = AnonymousUser()
         middleware = SessionMiddleware()
@@ -93,7 +93,7 @@ class TestFactorAuthentication(TestCase):
     def test_unauthenticated_post_invalid(self):
         """Test post request as unauthenticated user"""
         request = RequestFactory().post(
-            reverse("passbook_core:auth-process"),
+            reverse("passbook_flows:auth-process"),
             data={"password": self.password + "a"},
         )
         request.user = AnonymousUser()
@@ -110,7 +110,7 @@ class TestFactorAuthentication(TestCase):
         """Test view with multiple active factors"""
         DummyFactor.objects.get_or_create(name="dummy", slug="dummy", order=1)
         request = RequestFactory().post(
-            reverse("passbook_core:auth-process"), data={"password": self.password}
+            reverse("passbook_flows:auth-process"), data={"password": self.password}
         )
         request.user = AnonymousUser()
         middleware = SessionMiddleware()
@@ -122,10 +122,10 @@ class TestFactorAuthentication(TestCase):
         session_copy = request.session.items()
         self.assertEqual(response.status_code, 302)
         # Verify view redirects to itself after auth
-        self.assertEqual(response.url, reverse("passbook_core:auth-process"))
+        self.assertEqual(response.url, reverse("passbook_flows:auth-process"))
 
         # Run another request with same session which should result in a logged in user
-        request = RequestFactory().post(reverse("passbook_core:auth-process"))
+        request = RequestFactory().post(reverse("passbook_flows:auth-process"))
         request.user = AnonymousUser()
         middleware = SessionMiddleware()
         middleware.process_request(request)
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index a55895878..a4b507bde 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -1,2 +1,18 @@
 """flow urls"""
-urlpatterns = []
+from django.urls import path
+
+from passbook.flows.view import AuthenticationView, FactorPermissionDeniedView
+
+urlpatterns = [
+    path("auth/process/", AuthenticationView.as_view(), name="auth-process"),
+    path(
+        "auth/process/<slug:factor>/",
+        AuthenticationView.as_view(),
+        name="auth-process",
+    ),
+    path(
+        "auth/process/denied/",
+        FactorPermissionDeniedView.as_view(),
+        name="auth-denied",
+    ),
+]
diff --git a/passbook/factors/view.py b/passbook/flows/view.py
similarity index 98%
rename from passbook/factors/view.py
rename to passbook/flows/view.py
index a26877edc..d99387408 100644
--- a/passbook/factors/view.py
+++ b/passbook/flows/view.py
@@ -178,7 +178,7 @@ class AuthenticationView(UserPassesTestMixin, View):
             ] = self.pending_factors
             self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
             LOGGER.debug("Rendering Factor", next_factor=next_factor)
-            return _redirect_with_qs("passbook_core:auth-process", self.request.GET)
+            return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
         # User passed all factors
         LOGGER.debug("User passed all factors, logging in", user=self.pending_user)
         return self._user_passed()
@@ -188,7 +188,7 @@ class AuthenticationView(UserPassesTestMixin, View):
         This should only be shown if user authenticated successfully, but is disabled/locked/etc"""
         LOGGER.debug("User invalid")
         self.cleanup()
-        return _redirect_with_qs("passbook_core:auth-denied", self.request.GET)
+        return _redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
 
     def _user_passed(self) -> HttpResponse:
         """User Successfully passed all factors"""
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index a2c4d1b3a..fb97e8a29 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -8,7 +8,7 @@ from jinja2.exceptions import TemplateSyntaxError, UndefinedError
 from jinja2.nativetypes import NativeEnvironment
 from structlog import get_logger
 
-from passbook.factors.view import AuthenticationView
+from passbook.flows.view import AuthenticationView
 from passbook.lib.utils.http import get_client_ip
 from passbook.policies.types import PolicyRequest, PolicyResult
 
diff --git a/passbook/sources/oauth/views/core.py b/passbook/sources/oauth/views/core.py
index 5c0508c0a..f5d822dae 100644
--- a/passbook/sources/oauth/views/core.py
+++ b/passbook/sources/oauth/views/core.py
@@ -13,7 +13,7 @@ from django.views.generic import RedirectView, View
 from structlog import get_logger
 
 from passbook.audit.models import Event, EventAction
-from passbook.factors.view import AuthenticationView, _redirect_with_qs
+from passbook.flows.view import AuthenticationView, _redirect_with_qs
 from passbook.sources.oauth.clients import get_client
 from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 
@@ -168,7 +168,7 @@ class OAuthCallback(OAuthClientMixin, View):
         self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
         self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
         self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
-        return _redirect_with_qs("passbook_core:auth-process", self.request.GET)
+        return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
 
     # pylint: disable=unused-argument
     def handle_existing_user(self, source, user, access, info):

From e1f0fe45cbb787e5fd75b6280b2c40d52e2e4caa Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 11:26:12 +0200
Subject: [PATCH 03/80] static: fix dashes being removed from slugs

---
 passbook/static/static/passbook/pf.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/passbook/static/static/passbook/pf.js b/passbook/static/static/passbook/pf.js
index 99f8609cd..4a8780884 100644
--- a/passbook/static/static/passbook/pf.js
+++ b/passbook/static/static/passbook/pf.js
@@ -41,8 +41,8 @@ document.querySelectorAll(".codemirror").forEach((cm) => {
 const convertToSlug = (text) => {
     return text
         .toLowerCase()
-        .replace(/[^\w ]+/g, '')
-        .replace(/ +/g, '-');
+        .replace(/ /g, '-')
+        .replace(/[^\w-]+/g, '');
 };
 
 document.querySelectorAll("input[name=name]").forEach((input) => {

From 97b5d120f8d317758e3c35525141900acdf75a2e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 11:26:26 +0200
Subject: [PATCH 04/80] providers/oauth: fix default cors settings

---
 passbook/providers/oauth/settings.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/passbook/providers/oauth/settings.py b/passbook/providers/oauth/settings.py
index 88903380b..b8bd2e1a0 100644
--- a/passbook/providers/oauth/settings.py
+++ b/passbook/providers/oauth/settings.py
@@ -1,6 +1,8 @@
 """passbook OAuth_Provider"""
+from django.conf import settings
+
+CORS_ORIGIN_ALLOW_ALL = settings.DEBUG
 
-CORS_ORIGIN_ALLOW_ALL = True
 REQUEST_APPROVAL_PROMPT = "auto"
 
 INSTALLED_APPS = [

From 114bb1b0bdebc5d0ca7c89d94625f4ea54cfd2c5 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 14:33:14 +0200
Subject: [PATCH 05/80] flows: implement planner, start new executor

---
 passbook/core/views/authentication.py         |  2 +-
 passbook/factors/password/factor.py           |  2 +-
 passbook/flows/exceptions.py                  |  5 ++
 passbook/flows/factor_base.py                 |  2 +-
 .../migrations/0003_auto_20200508_1230.py     | 21 ++++++
 passbook/flows/models.py                      |  4 +-
 passbook/flows/planner.py                     | 66 +++++++++++++++++++
 passbook/flows/tests.py                       |  2 +-
 passbook/flows/urls.py                        |  7 +-
 passbook/flows/{view.py => views.py}          | 66 +++++++++++++++++++
 passbook/policies/expression/evaluator.py     |  2 +-
 .../migrations/0002_auto_20200508_1230.py     | 20 ++++++
 passbook/policies/models.py                   |  8 +++
 passbook/providers/saml/models.py             |  2 +-
 passbook/sources/oauth/views/core.py          |  2 +-
 15 files changed, 202 insertions(+), 9 deletions(-)
 create mode 100644 passbook/flows/exceptions.py
 create mode 100644 passbook/flows/migrations/0003_auto_20200508_1230.py
 create mode 100644 passbook/flows/planner.py
 rename passbook/flows/{view.py => views.py} (77%)
 create mode 100644 passbook/policies/migrations/0002_auto_20200508_1230.py

diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 2c34a3fec..70eac1105 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -16,7 +16,7 @@ from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import Invitation, Nonce, Source, User
 from passbook.core.signals import invitation_used, user_signed_up
 from passbook.factors.password.exceptions import PasswordPolicyInvalid
-from passbook.flows.view import AuthenticationView, _redirect_with_qs
+from passbook.flows.views import AuthenticationView, _redirect_with_qs
 from passbook.lib.config import CONFIG
 
 LOGGER = get_logger()
diff --git a/passbook/factors/password/factor.py b/passbook/factors/password/factor.py
index d71600b99..6c39eb148 100644
--- a/passbook/factors/password/factor.py
+++ b/passbook/factors/password/factor.py
@@ -13,7 +13,7 @@ from structlog import get_logger
 from passbook.core.models import User
 from passbook.factors.password.forms import PasswordForm
 from passbook.flows.factor_base import AuthenticationFactor
-from passbook.flows.view import AuthenticationView
+from passbook.flows.views import AuthenticationView
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import path_to_class
 
diff --git a/passbook/flows/exceptions.py b/passbook/flows/exceptions.py
new file mode 100644
index 000000000..4f781897f
--- /dev/null
+++ b/passbook/flows/exceptions.py
@@ -0,0 +1,5 @@
+"""flow exceptions"""
+
+
+class FlowNonApplicableError(BaseException):
+    """Exception raised when a Flow does not apply to a user."""
diff --git a/passbook/flows/factor_base.py b/passbook/flows/factor_base.py
index 05766cfd1..0f01401a7 100644
--- a/passbook/flows/factor_base.py
+++ b/passbook/flows/factor_base.py
@@ -5,7 +5,7 @@ from django.utils.translation import gettext as _
 from django.views.generic import TemplateView
 
 from passbook.core.models import User
-from passbook.flows.view import AuthenticationView
+from passbook.flows.views import AuthenticationView
 from passbook.lib.config import CONFIG
 
 
diff --git a/passbook/flows/migrations/0003_auto_20200508_1230.py b/passbook/flows/migrations/0003_auto_20200508_1230.py
new file mode 100644
index 000000000..645c7a53d
--- /dev/null
+++ b/passbook/flows/migrations/0003_auto_20200508_1230.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.0.3 on 2020-05-08 12:30
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_flows", "0002_flowfactorbinding_re_evaluate_policies"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="flowfactorbinding",
+            options={
+                "ordering": ["order", "flow"],
+                "verbose_name": "Flow Factor Binding",
+                "verbose_name_plural": "Flow Factor Bindings",
+            },
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index 7fa595ef5..44cda4f35 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -69,10 +69,12 @@ class FlowFactorBinding(PolicyBindingModel, UUIDModel):
     order = models.IntegerField()
 
     def __str__(self) -> str:
-        return f"Flow Factor Binding {self.flow} -> {self.factor}"
+        return f"Flow Factor Binding #{self.order} {self.flow} -> {self.factor}"
 
     class Meta:
 
+        ordering = ["order", "flow"]
+
         verbose_name = _("Flow Factor Binding")
         verbose_name_plural = _("Flow Factor Bindings")
         unique_together = (("flow", "factor", "order"),)
diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
new file mode 100644
index 000000000..df0f2f73c
--- /dev/null
+++ b/passbook/flows/planner.py
@@ -0,0 +1,66 @@
+"""Flows Planner"""
+from dataclasses import dataclass, field
+from time import time
+from typing import List, Tuple
+
+from django.http import HttpRequest
+from structlog import get_logger
+
+from passbook.flows.exceptions import FlowNonApplicableError
+from passbook.flows.models import Factor, Flow
+from passbook.policies.engine import PolicyEngine
+
+LOGGER = get_logger()
+
+
+@dataclass
+class FlowPlan:
+    """This data-class is the output of a FlowPlanner. It holds a flat list
+    of all Factors that should be run."""
+
+    factors: List[Factor] = field(default_factory=list)
+
+    def next(self) -> Factor:
+        """Return next pending factor from the bottom of the list"""
+        factor_cls = self.factors.pop(0)
+        return factor_cls
+
+
+class FlowPlanner:
+    """Execute all policies to plan out a flat list of all Factors
+    that should be applied."""
+
+    flow: Flow
+
+    def __init__(self, flow: Flow):
+        self.flow = flow
+
+    def _check_flow_root_policies(self, request: HttpRequest) -> Tuple[bool, List[str]]:
+        engine = PolicyEngine(self.flow.policies.all(), request.user, request)
+        engine.build()
+        return engine.result
+
+    def plan(self, request: HttpRequest) -> FlowPlan:
+        """Check each of the flows' policies, check policies for each factor with PolicyBinding
+        and return ordered list"""
+        LOGGER.debug("Starting planning process", flow=self.flow)
+        start_time = time()
+        plan = FlowPlan()
+        # First off, check the flow's direct policy bindings
+        # to make sure the user even has access to the flow
+        root_passing, root_passing_messages = self._check_flow_root_policies(request)
+        if not root_passing:
+            raise FlowNonApplicableError(root_passing_messages)
+        # Check Flow policies
+        for factor in self.flow.factors.order_by("order").select_subclasses():
+            engine = PolicyEngine(factor.policies.all(), request.user, request)
+            engine.build()
+            passing, _ = engine.result
+            if passing:
+                LOGGER.debug("Factor passing", factor=factor)
+                plan.factors.append(factor)
+        end_time = time()
+        LOGGER.debug(
+            "Finished planning", flow=self.flow, duration_s=end_time - start_time
+        )
+        return plan
diff --git a/passbook/flows/tests.py b/passbook/flows/tests.py
index ec1f444bf..463f7eacb 100644
--- a/passbook/flows/tests.py
+++ b/passbook/flows/tests.py
@@ -10,7 +10,7 @@ from django.urls import reverse
 from passbook.core.models import User
 from passbook.factors.dummy.models import DummyFactor
 from passbook.factors.password.models import PasswordFactor
-from passbook.flows.view import AuthenticationView
+from passbook.flows.views import AuthenticationView
 
 
 class TestFactorAuthentication(TestCase):
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index a4b507bde..d1563f70a 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -1,7 +1,11 @@
 """flow urls"""
 from django.urls import path
 
-from passbook.flows.view import AuthenticationView, FactorPermissionDeniedView
+from passbook.flows.views import (
+    AuthenticationView,
+    FactorPermissionDeniedView,
+    FlowExecutorView,
+)
 
 urlpatterns = [
     path("auth/process/", AuthenticationView.as_view(), name="auth-process"),
@@ -15,4 +19,5 @@ urlpatterns = [
         FactorPermissionDeniedView.as_view(),
         name="auth-denied",
     ),
+    path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
 ]
diff --git a/passbook/flows/view.py b/passbook/flows/views.py
similarity index 77%
rename from passbook/flows/view.py
rename to passbook/flows/views.py
index d99387408..bc4c7e0da 100644
--- a/passbook/flows/view.py
+++ b/passbook/flows/views.py
@@ -11,6 +11,9 @@ from structlog import get_logger
 
 from passbook.core.models import Factor, User
 from passbook.core.views.utils import PermissionDeniedView
+from passbook.flows.exceptions import FlowNonApplicableError
+from passbook.flows.models import Flow
+from passbook.flows.planner import FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
 from passbook.lib.utils.urls import is_url_absolute
@@ -218,3 +221,66 @@ class AuthenticationView(UserPassesTestMixin, View):
 
 class FactorPermissionDeniedView(PermissionDeniedView):
     """User could not be authenticated"""
+
+
+SESSION_KEY_PLAN = "passbook_flows_plan"
+
+
+class FlowExecutorView(View):
+    """Stage 1 Flow executor, passing requests to Factor Views"""
+
+    flow: Flow
+
+    plan: FlowPlan
+    current_factor: Factor
+    current_factor_view: View
+
+    def setup(self, request: HttpRequest, flow_slug: str):
+        super().setup(request, flow_slug=flow_slug)
+        # TODO: Do we always need this?
+        self.flow = get_object_or_404(Flow, slug=flow_slug)
+
+    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
+        # Early check if theres an active Plan for the current session
+        if SESSION_KEY_PLAN not in self.request.session:
+            LOGGER.debug(
+                "No active Plan found, initiating planner", flow_slug=flow_slug
+            )
+            try:
+                self.plan = self._initiate_plan()
+            except FlowNonApplicableError as exc:
+                LOGGER.warning("Flow not applicable to current user", exc=exc)
+                return redirect("passbook_core:index")
+        else:
+            LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
+            self.plan = self.request.session[SESSION_KEY_PLAN]
+        # We don't save the Plan after getting the next factor
+        # as it hasn't been successfully passed yet
+        self.current_factor = self.plan.next()
+        LOGGER.debug("Current factor", current_factor=self.current_factor)
+        factor_cls = path_to_class(self.current_factor.type)
+        self.current_factor_view = factor_cls(self)
+        # self.current_factor_view.pending_user = self.pending_user
+        self.current_factor_view.request = request
+        return super().dispatch(request)
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """pass get request to current factor"""
+        LOGGER.debug(
+            "Passing GET", view_class=class_to_path(self.current_factor_view.__class__),
+        )
+        return self.current_factor_view.get(request, *args, **kwargs)
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """pass post request to current factor"""
+        LOGGER.debug(
+            "Passing POST",
+            view_class=class_to_path(self.current_factor_view.__class__),
+        )
+        return self.current_factor_view.post(request, *args, **kwargs)
+
+    def _initiate_plan(self) -> FlowPlan:
+        planner = FlowPlanner(self.flow)
+        plan = planner.plan(self.request)
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return plan
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index fb97e8a29..74b6adf60 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -8,7 +8,7 @@ from jinja2.exceptions import TemplateSyntaxError, UndefinedError
 from jinja2.nativetypes import NativeEnvironment
 from structlog import get_logger
 
-from passbook.flows.view import AuthenticationView
+from passbook.flows.views import AuthenticationView
 from passbook.lib.utils.http import get_client_ip
 from passbook.policies.types import PolicyRequest, PolicyResult
 
diff --git a/passbook/policies/migrations/0002_auto_20200508_1230.py b/passbook/policies/migrations/0002_auto_20200508_1230.py
new file mode 100644
index 000000000..a575fc02e
--- /dev/null
+++ b/passbook/policies/migrations/0002_auto_20200508_1230.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.0.3 on 2020-05-08 12:30
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_policies", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="policybindingmodel",
+            options={
+                "verbose_name": "Policy Binding Model",
+                "verbose_name_plural": "Policy Binding Models",
+            },
+        ),
+    ]
diff --git a/passbook/policies/models.py b/passbook/policies/models.py
index 1fae3ab4b..42f85f74c 100644
--- a/passbook/policies/models.py
+++ b/passbook/policies/models.py
@@ -11,6 +11,11 @@ class PolicyBindingModel(models.Model):
 
     policies = models.ManyToManyField(Policy, through="PolicyBinding", related_name="+")
 
+    class Meta:
+
+        verbose_name = _("Policy Binding Model")
+        verbose_name_plural = _("Policy Binding Models")
+
 
 class PolicyBinding(UUIDModel):
     """Relationship between a Policy and a PolicyBindingModel."""
@@ -25,6 +30,9 @@ class PolicyBinding(UUIDModel):
     # default value and non-unique for compatibility
     order = models.IntegerField(default=0)
 
+    def __str__(self) -> str:
+        return f"PolicyBinding policy={self.policy} target={self.target} order={self.order}"
+
     class Meta:
 
         verbose_name = _("Policy Binding")
diff --git a/passbook/providers/saml/models.py b/passbook/providers/saml/models.py
index e55f3719c..1cae3fc84 100644
--- a/passbook/providers/saml/models.py
+++ b/passbook/providers/saml/models.py
@@ -164,5 +164,5 @@ class SAMLPropertyMapping(PropertyMapping):
 def get_provider_choices():
     """Return tuple of class_path, class name of all providers."""
     return [
-        (class_to_path(x), x.__name__) for x in Processor.__dict__["__subclasses__"]()
+        (class_to_path(x), x.__name__) for x in getattr(Processor, "__subclasses__")()
     ]
diff --git a/passbook/sources/oauth/views/core.py b/passbook/sources/oauth/views/core.py
index f5d822dae..5d9377e38 100644
--- a/passbook/sources/oauth/views/core.py
+++ b/passbook/sources/oauth/views/core.py
@@ -13,7 +13,7 @@ from django.views.generic import RedirectView, View
 from structlog import get_logger
 
 from passbook.audit.models import Event, EventAction
-from passbook.flows.view import AuthenticationView, _redirect_with_qs
+from passbook.flows.views import AuthenticationView, _redirect_with_qs
 from passbook.sources.oauth.clients import get_client
 from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 

From 2a85e5ae87c342cd878c8b0453814fdb5340f560 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 16:10:27 +0200
Subject: [PATCH 06/80] flows: complete migration to FlowExecutorView, fully
 use context

---
 passbook/core/views/authentication.py         |  16 +-
 passbook/factors/captcha/factor.py            |   8 +-
 passbook/factors/dummy/factor.py              |   2 +-
 passbook/factors/email/factor.py              |  15 +-
 passbook/factors/otp/factors.py               |  20 +-
 passbook/factors/password/factor.py           |  21 +-
 .../templates/factors/password}/backend.html  |   0
 passbook/flows/factor_base.py                 |  22 +-
 passbook/flows/planner.py                     |   6 +-
 passbook/flows/tests.py                       | 137 ---------
 passbook/flows/urls.py                        |  17 +-
 passbook/flows/views.py                       | 288 +++++-------------
 passbook/lib/utils/urls.py                    |  12 +
 passbook/policies/expression/evaluator.py     |   5 +-
 passbook/sources/oauth/views/core.py          |  25 +-
 scripts/pre-commit.sh                         |   2 +-
 16 files changed, 180 insertions(+), 416 deletions(-)
 rename passbook/{core/templates/login/factors => factors/password/templates/factors/password}/backend.html (100%)
 delete mode 100644 passbook/flows/tests.py

diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 70eac1105..2951b2b7f 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -16,8 +16,11 @@ from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import Invitation, Nonce, Source, User
 from passbook.core.signals import invitation_used, user_signed_up
 from passbook.factors.password.exceptions import PasswordPolicyInvalid
-from passbook.flows.views import AuthenticationView, _redirect_with_qs
+from passbook.flows.models import Flow, FlowDesignation
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
+from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.config import CONFIG
+from passbook.lib.utils.urls import redirect_with_qs
 
 LOGGER = get_logger()
 
@@ -71,8 +74,15 @@ class LoginView(UserPassesTestMixin, FormView):
         if not pre_user:
             # No user found
             return self.invalid_login(self.request)
-        self.request.session[AuthenticationView.SESSION_PENDING_USER] = pre_user.pk
-        return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
+        # We run the Flow planner here so we can pass the Pending user in the context
+        flow = get_object_or_404(Flow, designation=FlowDesignation.AUTHENTICATION)
+        planner = FlowPlanner(flow)
+        plan = planner.plan(self.request)
+        plan.context[PLAN_CONTEXT_PENDING_USER] = pre_user
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "passbook_flows:flow-executor", self.request.GET, flow_slug=flow.slug,
+        )
 
     def invalid_login(
         self, request: HttpRequest, disabled_user: User = None
diff --git a/passbook/factors/captcha/factor.py b/passbook/factors/captcha/factor.py
index 67e2970ba..130d6916b 100644
--- a/passbook/factors/captcha/factor.py
+++ b/passbook/factors/captcha/factor.py
@@ -12,14 +12,12 @@ class CaptchaFactor(FormView, AuthenticationFactor):
     form_class = CaptchaForm
 
     def form_valid(self, form):
-        return self.authenticator.user_ok()
+        return self.executor.factor_ok()
 
     def get_form(self, form_class=None):
         form = CaptchaForm(**self.get_form_kwargs())
-        form.fields["captcha"].public_key = self.authenticator.current_factor.public_key
-        form.fields[
-            "captcha"
-        ].private_key = self.authenticator.current_factor.private_key
+        form.fields["captcha"].public_key = self.executor.current_factor.public_key
+        form.fields["captcha"].private_key = self.executor.current_factor.private_key
         form.fields["captcha"].widget.attrs["data-sitekey"] = form.fields[
             "captcha"
         ].public_key
diff --git a/passbook/factors/dummy/factor.py b/passbook/factors/dummy/factor.py
index 9b3320d2f..5152c2753 100644
--- a/passbook/factors/dummy/factor.py
+++ b/passbook/factors/dummy/factor.py
@@ -9,4 +9,4 @@ class DummyFactor(AuthenticationFactor):
 
     def post(self, request: HttpRequest):
         """Just redirect to next factor"""
-        return self.authenticator.user_ok()
+        return self.executor.factor_ok()
diff --git a/passbook/factors/email/factor.py b/passbook/factors/email/factor.py
index 07401a90d..8c7d0527a 100644
--- a/passbook/factors/email/factor.py
+++ b/passbook/factors/email/factor.py
@@ -1,7 +1,7 @@
 """passbook multi-factor authentication engine"""
 from django.contrib import messages
 from django.http import HttpRequest
-from django.shortcuts import redirect, reverse
+from django.shortcuts import reverse
 from django.utils.translation import gettext as _
 from structlog import get_logger
 
@@ -9,6 +9,7 @@ from passbook.core.models import Nonce
 from passbook.factors.email.tasks import send_mails
 from passbook.factors.email.utils import TemplateEmailMessage
 from passbook.flows.factor_base import AuthenticationFactor
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.lib.config import CONFIG
 
 LOGGER = get_logger()
@@ -24,12 +25,13 @@ class EmailFactorView(AuthenticationFactor):
         return super().get_context_data(**kwargs)
 
     def get(self, request, *args, **kwargs):
-        nonce = Nonce.objects.create(user=self.pending_user)
+        pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        nonce = Nonce.objects.create(user=pending_user)
         # Send mail to user
         message = TemplateEmailMessage(
             subject=_("Forgotten password"),
             template_name="email/account_password_reset.html",
-            to=[self.pending_user.email],
+            to=[pending_user.email],
             template_context={
                 "url": self.request.build_absolute_uri(
                     reverse(
@@ -39,11 +41,10 @@ class EmailFactorView(AuthenticationFactor):
                 )
             },
         )
-        send_mails(self.authenticator.current_factor, message)
-        self.authenticator.cleanup()
+        send_mails(self.executor.current_factor, message)
         messages.success(request, _("Check your E-Mails for a password reset link."))
-        return redirect("passbook_core:auth-login")
+        return self.executor.cancel()
 
     def post(self, request: HttpRequest):
         """Just redirect to next factor"""
-        return self.authenticator.user_ok()
+        return self.executor.factor_ok()
diff --git a/passbook/factors/otp/factors.py b/passbook/factors/otp/factors.py
index c7053731b..50ba3d21f 100644
--- a/passbook/factors/otp/factors.py
+++ b/passbook/factors/otp/factors.py
@@ -8,6 +8,7 @@ from structlog import get_logger
 from passbook.factors.otp.forms import OTPVerifyForm
 from passbook.factors.otp.views import OTP_SETTING_UP_KEY, EnableView
 from passbook.flows.factor_base import AuthenticationFactor
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 
 LOGGER = get_logger()
 
@@ -25,31 +26,34 @@ class OTPFactor(FormView, AuthenticationFactor):
 
     def get(self, request, *args, **kwargs):
         """Check if User has OTP enabled and if OTP is enforced"""
-        if not user_has_device(self.pending_user):
+        pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        if not user_has_device(pending_user):
             LOGGER.debug("User doesn't have OTP Setup.")
-            if self.authenticator.current_factor.enforced:
+            if self.executor.current_factor.enforced:
                 # Redirect to setup view
                 LOGGER.debug("OTP is enforced, redirecting to setup")
-                request.user = self.pending_user
-                LOGGER.debug("Passing GET to EnableView")
+                request.user = pending_user
                 messages.info(request, _("OTP is enforced. Please setup OTP."))
                 return EnableView.as_view()(request)
             LOGGER.debug("OTP is not enforced, skipping form")
-            return self.authenticator.user_ok()
+            return self.executor.user_ok()
         return super().get(request, *args, **kwargs)
 
     def post(self, request, *args, **kwargs):
         """Check if setup is in progress and redirect to EnableView"""
         if OTP_SETTING_UP_KEY in request.session:
             LOGGER.debug("Passing POST to EnableView")
-            request.user = self.pending_user
+            request.user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
             return EnableView.as_view()(request)
         return super().post(self, request, *args, **kwargs)
 
     def form_valid(self, form: OTPVerifyForm):
         """Verify OTP Token"""
-        device = match_token(self.pending_user, form.cleaned_data.get("code"))
+        device = match_token(
+            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
+            form.cleaned_data.get("code"),
+        )
         if device:
-            return self.authenticator.user_ok()
+            return self.executor.factor_ok()
         messages.error(self.request, _("Invalid OTP."))
         return self.form_invalid(form)
diff --git a/passbook/factors/password/factor.py b/passbook/factors/password/factor.py
index 6c39eb148..ce048b820 100644
--- a/passbook/factors/password/factor.py
+++ b/passbook/factors/password/factor.py
@@ -13,11 +13,12 @@ from structlog import get_logger
 from passbook.core.models import User
 from passbook.factors.password.forms import PasswordForm
 from passbook.flows.factor_base import AuthenticationFactor
-from passbook.flows.views import AuthenticationView
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import path_to_class
 
 LOGGER = get_logger()
+PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
 
 
 def authenticate(request, backends, **credentials) -> Optional[User]:
@@ -56,7 +57,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
     """Authentication factor which authenticates against django's AuthBackend"""
 
     form_class = PasswordForm
-    template_name = "login/factors/backend.html"
+    template_name = "factors/password/backend.html"
 
     def form_valid(self, form):
         """Authenticate against django's authentication backend"""
@@ -65,18 +66,20 @@ class PasswordFactor(FormView, AuthenticationFactor):
             "password": form.cleaned_data.get("password"),
         }
         for uid_field in uid_fields:
-            kwargs[uid_field] = getattr(self.authenticator.pending_user, uid_field)
+            kwargs[uid_field] = getattr(
+                self.executor.plan.context[PLAN_CONTEXT_PENDING_USER], uid_field
+            )
         try:
             user = authenticate(
-                self.request, self.authenticator.current_factor.backends, **kwargs
+                self.request, self.executor.current_factor.backends, **kwargs
             )
             if user:
                 # User instance returned from authenticate() has .backend property set
-                self.authenticator.pending_user = user
-                self.request.session[
-                    AuthenticationView.SESSION_USER_BACKEND
+                self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
+                self.executor.plan.context[
+                    PLAN_CONTEXT_AUTHENTICATION_BACKEND
                 ] = user.backend
-                return self.authenticator.user_ok()
+                return self.executor.factor_ok()
             # No user was found -> invalid credentials
             LOGGER.debug("Invalid credentials")
             # Manually inject error into form
@@ -87,4 +90,4 @@ class PasswordFactor(FormView, AuthenticationFactor):
         except PermissionDenied:
             # User was found, but permission was denied (i.e. user is not active)
             LOGGER.debug("Denied access", **kwargs)
-            return self.authenticator.user_invalid()
+            return self.executor.factor_invalid()
diff --git a/passbook/core/templates/login/factors/backend.html b/passbook/factors/password/templates/factors/password/backend.html
similarity index 100%
rename from passbook/core/templates/login/factors/backend.html
rename to passbook/factors/password/templates/factors/password/backend.html
diff --git a/passbook/flows/factor_base.py b/passbook/flows/factor_base.py
index 0f01401a7..001b444a2 100644
--- a/passbook/flows/factor_base.py
+++ b/passbook/flows/factor_base.py
@@ -1,11 +1,13 @@
 """passbook multi-factor authentication engine"""
+from typing import Any, Dict
+
 from django.forms import ModelForm
 from django.http import HttpRequest
 from django.utils.translation import gettext as _
 from django.views.generic import TemplateView
 
-from passbook.core.models import User
-from passbook.flows.views import AuthenticationView
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.views import FlowExecutorView
 from passbook.lib.config import CONFIG
 
 
@@ -13,19 +15,19 @@ class AuthenticationFactor(TemplateView):
     """Abstract Authentication factor, inherits TemplateView but can be combined with FormView"""
 
     form: ModelForm = None
-    required: bool = True
-    authenticator: AuthenticationView
-    pending_user: User
+
+    executor: FlowExecutorView
+
     request: HttpRequest = None
     template_name = "login/form_with_user.html"
 
-    def __init__(self, authenticator: AuthenticationView):
-        self.authenticator = authenticator
-        self.pending_user = None
+    def __init__(self, executor: FlowExecutorView):
+        self.executor = executor
 
-    def get_context_data(self, **kwargs):
+    def get_context_data(self, **kwargs: Dict[str, Any]) -> Dict[str, Any]:
         kwargs["config"] = CONFIG.y("passbook")
         kwargs["title"] = _("Log in to your account")
         kwargs["primary_action"] = _("Log in")
-        kwargs["user"] = self.pending_user
+        if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
+            kwargs["user"] = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         return super().get_context_data(**kwargs)
diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
index df0f2f73c..7f0efa01a 100644
--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -1,7 +1,7 @@
 """Flows Planner"""
 from dataclasses import dataclass, field
 from time import time
-from typing import List, Tuple
+from typing import Any, Dict, List, Tuple
 
 from django.http import HttpRequest
 from structlog import get_logger
@@ -12,6 +12,9 @@ from passbook.policies.engine import PolicyEngine
 
 LOGGER = get_logger()
 
+PLAN_CONTEXT_PENDING_USER = "pending_user"
+PLAN_CONTEXT_SSO = "is_sso"
+
 
 @dataclass
 class FlowPlan:
@@ -19,6 +22,7 @@ class FlowPlan:
     of all Factors that should be run."""
 
     factors: List[Factor] = field(default_factory=list)
+    context: Dict[str, Any] = field(default_factory=dict)
 
     def next(self) -> Factor:
         """Return next pending factor from the bottom of the list"""
diff --git a/passbook/flows/tests.py b/passbook/flows/tests.py
deleted file mode 100644
index 463f7eacb..000000000
--- a/passbook/flows/tests.py
+++ /dev/null
@@ -1,137 +0,0 @@
-"""passbook Core Authentication Test"""
-import string
-from random import SystemRandom
-
-from django.contrib.auth.models import AnonymousUser
-from django.contrib.sessions.middleware import SessionMiddleware
-from django.test import RequestFactory, TestCase
-from django.urls import reverse
-
-from passbook.core.models import User
-from passbook.factors.dummy.models import DummyFactor
-from passbook.factors.password.models import PasswordFactor
-from passbook.flows.views import AuthenticationView
-
-
-class TestFactorAuthentication(TestCase):
-    """passbook Core Authentication Test"""
-
-    def setUp(self):
-        super().setUp()
-        self.password = "".join(
-            SystemRandom().choice(string.ascii_uppercase + string.digits)
-            for _ in range(8)
-        )
-        self.factor, _ = PasswordFactor.objects.get_or_create(
-            slug="password",
-            defaults={
-                "name": "password",
-                "slug": "password",
-                "order": 0,
-                "backends": ["django.contrib.auth.backends.ModelBackend"],
-            },
-        )
-        self.user = User.objects.create_user(
-            username="test", email="test@test.test", password=self.password
-        )
-
-    def test_unauthenticated_raw(self):
-        """test direct call to AuthenticationView"""
-        response = self.client.get(reverse("passbook_flows:auth-process"))
-        # Response should be 400 since no pending user is set
-        self.assertEqual(response.status_code, 400)
-
-    def test_unauthenticated_prepared(self):
-        """test direct call but with pending_uesr in session"""
-        request = RequestFactory().get(reverse("passbook_flows:auth-process"))
-        request.user = AnonymousUser()
-        request.session = {}
-        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
-
-        response = AuthenticationView.as_view()(request)
-        self.assertEqual(response.status_code, 200)
-
-    def test_no_factors(self):
-        """Test with all factors disabled"""
-        self.factor.enabled = False
-        self.factor.save()
-        request = RequestFactory().get(reverse("passbook_flows:auth-process"))
-        request.user = AnonymousUser()
-        request.session = {}
-        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
-
-        response = AuthenticationView.as_view()(request)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_flows:auth-denied"))
-        self.factor.enabled = True
-        self.factor.save()
-
-    def test_authenticated(self):
-        """Test with already logged in user"""
-        self.client.force_login(self.user)
-        response = self.client.get(reverse("passbook_flows:auth-process"))
-        # Response should be 400 since no pending user is set
-        self.assertEqual(response.status_code, 400)
-        self.client.logout()
-
-    def test_unauthenticated_post(self):
-        """Test post request as unauthenticated user"""
-        request = RequestFactory().post(
-            reverse("passbook_flows:auth-process"), data={"password": self.password}
-        )
-        request.user = AnonymousUser()
-        middleware = SessionMiddleware()
-        middleware.process_request(request)
-        request.session.save()  # pylint: disable=no-member
-        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
-
-        response = AuthenticationView.as_view()(request)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_core:overview"))
-        self.client.logout()
-
-    def test_unauthenticated_post_invalid(self):
-        """Test post request as unauthenticated user"""
-        request = RequestFactory().post(
-            reverse("passbook_flows:auth-process"),
-            data={"password": self.password + "a"},
-        )
-        request.user = AnonymousUser()
-        middleware = SessionMiddleware()
-        middleware.process_request(request)
-        request.session.save()  # pylint: disable=no-member
-        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
-
-        response = AuthenticationView.as_view()(request)
-        self.assertEqual(response.status_code, 200)
-        self.client.logout()
-
-    def test_multifactor(self):
-        """Test view with multiple active factors"""
-        DummyFactor.objects.get_or_create(name="dummy", slug="dummy", order=1)
-        request = RequestFactory().post(
-            reverse("passbook_flows:auth-process"), data={"password": self.password}
-        )
-        request.user = AnonymousUser()
-        middleware = SessionMiddleware()
-        middleware.process_request(request)
-        request.session.save()  # pylint: disable=no-member
-        request.session[AuthenticationView.SESSION_PENDING_USER] = self.user.pk
-
-        response = AuthenticationView.as_view()(request)
-        session_copy = request.session.items()
-        self.assertEqual(response.status_code, 302)
-        # Verify view redirects to itself after auth
-        self.assertEqual(response.url, reverse("passbook_flows:auth-process"))
-
-        # Run another request with same session which should result in a logged in user
-        request = RequestFactory().post(reverse("passbook_flows:auth-process"))
-        request.user = AnonymousUser()
-        middleware = SessionMiddleware()
-        middleware.process_request(request)
-        for key, value in session_copy:
-            request.session[key] = value
-        request.session.save()  # pylint: disable=no-member
-        response = AuthenticationView.as_view()(request)
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_core:overview"))
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index d1563f70a..060911c27 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -1,23 +1,8 @@
 """flow urls"""
 from django.urls import path
 
-from passbook.flows.views import (
-    AuthenticationView,
-    FactorPermissionDeniedView,
-    FlowExecutorView,
-)
+from passbook.flows.views import FlowExecutorView
 
 urlpatterns = [
-    path("auth/process/", AuthenticationView.as_view(), name="auth-process"),
-    path(
-        "auth/process/<slug:factor>/",
-        AuthenticationView.as_view(),
-        name="auth-process",
-    ),
-    path(
-        "auth/process/denied/",
-        FactorPermissionDeniedView.as_view(),
-        name="auth-denied",
-    ),
     path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
 ]
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index bc4c7e0da..fed6e673f 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -1,228 +1,24 @@
 """passbook multi-factor authentication engine"""
-from typing import List, Optional, Tuple
+from typing import Optional
 
 from django.contrib.auth import login
-from django.contrib.auth.mixins import UserPassesTestMixin
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404, redirect, reverse
-from django.utils.http import urlencode
+from django.shortcuts import get_object_or_404, redirect
 from django.views.generic import View
 from structlog import get_logger
 
-from passbook.core.models import Factor, User
-from passbook.core.views.utils import PermissionDeniedView
+from passbook.core.models import Factor
 from passbook.flows.exceptions import FlowNonApplicableError
 from passbook.flows.models import Flow
-from passbook.flows.planner import FlowPlan, FlowPlanner
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
-from passbook.lib.utils.urls import is_url_absolute
+from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
 from passbook.lib.views import bad_request_message
-from passbook.policies.engine import PolicyEngine
 
 LOGGER = get_logger()
 # Argument used to redirect user after login
 NEXT_ARG_NAME = "next"
-
-
-def _redirect_with_qs(view, get_query_set=None):
-    """Wrapper to redirect whilst keeping GET Parameters"""
-    target = reverse(view)
-    if get_query_set:
-        target += "?" + urlencode(get_query_set.items())
-    return redirect(target)
-
-
-class AuthenticationView(UserPassesTestMixin, View):
-    """Wizard-like Multi-factor authenticator"""
-
-    SESSION_FACTOR = "passbook_factor"
-    SESSION_PENDING_FACTORS = "passbook_pending_factors"
-    SESSION_PENDING_USER = "passbook_pending_user"
-    SESSION_USER_BACKEND = "passbook_user_backend"
-    SESSION_IS_SSO_LOGIN = "passbook_sso_login"
-
-    pending_user: User
-    pending_factors: List[Tuple[str, str]] = []
-
-    _current_factor_class: Factor
-
-    current_factor: Factor
-
-    # Allow only not authenticated users to login
-    def test_func(self) -> bool:
-        return AuthenticationView.SESSION_PENDING_USER in self.request.session
-
-    def _check_config_domain(self) -> Optional[HttpResponse]:
-        """Checks if current request's domain matches configured Domain, and
-        adds a warning if not."""
-        current_domain = self.request.get_host()
-        if ":" in current_domain:
-            current_domain, _ = current_domain.split(":")
-        config_domain = CONFIG.y("domain")
-        if current_domain != config_domain:
-            message = (
-                f"Current domain of '{current_domain}' doesn't "
-                f"match configured domain of '{config_domain}'."
-            )
-            LOGGER.warning(message)
-            return bad_request_message(self.request, message)
-        return None
-
-    def handle_no_permission(self) -> HttpResponse:
-        # Function from UserPassesTestMixin
-        if NEXT_ARG_NAME in self.request.GET:
-            return redirect(self.request.GET.get(NEXT_ARG_NAME))
-        if self.request.user.is_authenticated:
-            return _redirect_with_qs("passbook_core:overview", self.request.GET)
-        return _redirect_with_qs("passbook_core:auth-login", self.request.GET)
-
-    def get_pending_factors(self) -> List[Tuple[str, str]]:
-        """Loading pending factors from Database or load from session variable"""
-        # Write pending factors to session
-        if AuthenticationView.SESSION_PENDING_FACTORS in self.request.session:
-            return self.request.session[AuthenticationView.SESSION_PENDING_FACTORS]
-        # Get an initial list of factors which are currently enabled
-        # and apply to the current user. We check policies here and block the request
-        _all_factors = (
-            Factor.objects.filter(enabled=True).order_by("order").select_subclasses()
-        )
-        pending_factors = []
-        for factor in _all_factors:
-            factor: Factor
-            LOGGER.debug(
-                "Checking if factor applies to user",
-                factor=factor,
-                user=self.pending_user,
-            )
-            policy_engine = PolicyEngine(
-                factor.policies.all(), self.pending_user, self.request
-            )
-            policy_engine.build()
-            if policy_engine.passing:
-                pending_factors.append((factor.uuid.hex, factor.type))
-                LOGGER.debug("Factor applies", factor=factor, user=self.pending_user)
-        return pending_factors
-
-    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        # Check if user passes test (i.e. SESSION_PENDING_USER is set)
-        user_test_result = self.get_test_func()()
-        if not user_test_result:
-            incorrect_domain_message = self._check_config_domain()
-            if incorrect_domain_message:
-                return incorrect_domain_message
-            return self.handle_no_permission()
-        # Extract pending user from session (only remember uid)
-        self.pending_user = get_object_or_404(
-            User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER]
-        )
-        self.pending_factors = self.get_pending_factors()
-        # Read and instantiate factor from session
-        factor_uuid, factor_class = None, None
-        if AuthenticationView.SESSION_FACTOR not in request.session:
-            # Case when no factors apply to user, return error denied
-            if not self.pending_factors:
-                # Case when user logged in from SSO provider and no more factors apply
-                if AuthenticationView.SESSION_IS_SSO_LOGIN in request.session:
-                    LOGGER.debug("User authenticated with SSO, logging in...")
-                    return self._user_passed()
-                return self.user_invalid()
-            factor_uuid, factor_class = self.pending_factors[0]
-        else:
-            factor_uuid, factor_class = request.session[
-                AuthenticationView.SESSION_FACTOR
-            ]
-        # Lookup current factor object
-        self.current_factor = (
-            Factor.objects.filter(uuid=factor_uuid).select_subclasses().first()
-        )
-        # Instantiate Next Factor and pass request
-        factor = path_to_class(factor_class)
-        self._current_factor_class = factor(self)
-        self._current_factor_class.pending_user = self.pending_user
-        self._current_factor_class.request = request
-        return super().dispatch(request, *args, **kwargs)
-
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """pass get request to current factor"""
-        LOGGER.debug(
-            "Passing GET",
-            view_class=class_to_path(self._current_factor_class.__class__),
-        )
-        return self._current_factor_class.get(request, *args, **kwargs)
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """pass post request to current factor"""
-        LOGGER.debug(
-            "Passing POST",
-            view_class=class_to_path(self._current_factor_class.__class__),
-        )
-        return self._current_factor_class.post(request, *args, **kwargs)
-
-    def user_ok(self) -> HttpResponse:
-        """Redirect to next Factor"""
-        LOGGER.debug(
-            "Factor passed",
-            factor_class=class_to_path(self._current_factor_class.__class__),
-        )
-        # Remove passed factor from pending factors
-        current_factor_tuple = (
-            self.current_factor.uuid.hex,
-            class_to_path(self._current_factor_class.__class__),
-        )
-        if current_factor_tuple in self.pending_factors:
-            self.pending_factors.remove(current_factor_tuple)
-        next_factor = None
-        if self.pending_factors:
-            next_factor = self.pending_factors.pop()
-            # Save updated pening_factor list to session
-            self.request.session[
-                AuthenticationView.SESSION_PENDING_FACTORS
-            ] = self.pending_factors
-            self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
-            LOGGER.debug("Rendering Factor", next_factor=next_factor)
-            return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
-        # User passed all factors
-        LOGGER.debug("User passed all factors, logging in", user=self.pending_user)
-        return self._user_passed()
-
-    def user_invalid(self) -> HttpResponse:
-        """Show error message, user cannot login.
-        This should only be shown if user authenticated successfully, but is disabled/locked/etc"""
-        LOGGER.debug("User invalid")
-        self.cleanup()
-        return _redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
-
-    def _user_passed(self) -> HttpResponse:
-        """User Successfully passed all factors"""
-        backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
-        login(self.request, self.pending_user, backend=backend)
-        LOGGER.debug("Logged in", user=self.pending_user)
-        # Cleanup
-        self.cleanup()
-        next_param = self.request.GET.get(NEXT_ARG_NAME, None)
-        if next_param and not is_url_absolute(next_param):
-            return redirect(next_param)
-        return _redirect_with_qs("passbook_core:overview")
-
-    def cleanup(self):
-        """Remove temporary data from session"""
-        session_keys = [
-            self.SESSION_FACTOR,
-            self.SESSION_PENDING_FACTORS,
-            self.SESSION_PENDING_USER,
-            self.SESSION_USER_BACKEND,
-        ]
-        for key in session_keys:
-            if key in self.request.session:
-                del self.request.session[key]
-        LOGGER.debug("Cleaned up sessions")
-
-
-class FactorPermissionDeniedView(PermissionDeniedView):
-    """User could not be authenticated"""
-
-
 SESSION_KEY_PLAN = "passbook_flows_plan"
 
 
@@ -240,6 +36,32 @@ class FlowExecutorView(View):
         # TODO: Do we always need this?
         self.flow = get_object_or_404(Flow, slug=flow_slug)
 
+    def _check_config_domain(self) -> Optional[HttpResponse]:
+        """Checks if current request's domain matches configured Domain, and
+        adds a warning if not."""
+        current_domain = self.request.get_host()
+        if ":" in current_domain:
+            current_domain, _ = current_domain.split(":")
+        config_domain = CONFIG.y("domain")
+        if current_domain != config_domain:
+            message = (
+                f"Current domain of '{current_domain}' doesn't "
+                f"match configured domain of '{config_domain}'."
+            )
+            LOGGER.warning(message)
+            return bad_request_message(self.request, message)
+        return None
+
+    def handle_flow_non_applicable(self) -> HttpResponse:
+        """When a flow is non-applicable check if user is on the correct domain"""
+        if NEXT_ARG_NAME in self.request.GET:
+            return redirect(self.request.GET.get(NEXT_ARG_NAME))
+        incorrect_domain_message = self._check_config_domain()
+        if incorrect_domain_message:
+            return incorrect_domain_message
+        # TODO: Add message
+        return redirect("passbook_core:index")
+
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
         # Early check if theres an active Plan for the current session
         if SESSION_KEY_PLAN not in self.request.session:
@@ -250,7 +72,7 @@ class FlowExecutorView(View):
                 self.plan = self._initiate_plan()
             except FlowNonApplicableError as exc:
                 LOGGER.warning("Flow not applicable to current user", exc=exc)
-                return redirect("passbook_core:index")
+                return self.handle_flow_non_applicable()
         else:
             LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
             self.plan = self.request.session[SESSION_KEY_PLAN]
@@ -260,7 +82,6 @@ class FlowExecutorView(View):
         LOGGER.debug("Current factor", current_factor=self.current_factor)
         factor_cls = path_to_class(self.current_factor.type)
         self.current_factor_view = factor_cls(self)
-        # self.current_factor_view.pending_user = self.pending_user
         self.current_factor_view.request = request
         return super().dispatch(request)
 
@@ -284,3 +105,48 @@ class FlowExecutorView(View):
         plan = planner.plan(self.request)
         self.request.session[SESSION_KEY_PLAN] = plan
         return plan
+
+    def _flow_done(self) -> HttpResponse:
+        """User Successfully passed all factors"""
+        backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend
+        login(
+            self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
+        )
+        LOGGER.debug("Logged in", user=self.plan.context[PLAN_CONTEXT_PENDING_USER])
+        self.cancel()
+        next_param = self.request.GET.get(NEXT_ARG_NAME, None)
+        if next_param and not is_url_absolute(next_param):
+            return redirect(next_param)
+        return redirect_with_qs("passbook_core:overview")
+
+    def factor_ok(self) -> HttpResponse:
+        """Callback called by factors upon successful completion.
+        Persists updated plan and context to session."""
+        LOGGER.debug(
+            "Factor ok", factor_class=class_to_path(self.current_factor_view.__class__),
+        )
+        self.request.session[SESSION_KEY_PLAN] = self.plan
+        if self.plan.factors:
+            LOGGER.debug(
+                "Continuing with next factor", reamining=len(self.plan.factors)
+            )
+            return redirect_with_qs(
+                "passbook_flows:flow-executor", self.request.GET, **self.kwargs
+            )
+        # User passed all factors
+        LOGGER.debug(
+            "User passed all factors", user=self.plan.context[PLAN_CONTEXT_PENDING_USER]
+        )
+        return self._flow_done()
+
+    def factor_invalid(self) -> HttpResponse:
+        """Callback used factor when data is correct but a policy denies access
+        or the user account is disabled."""
+        LOGGER.debug("User invalid")
+        self.cancel()
+        return redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
+
+    def cancel(self) -> HttpResponse:
+        """Cancel current execution and return a redirect"""
+        del self.request.session[SESSION_KEY_PLAN]
+        return redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
diff --git a/passbook/lib/utils/urls.py b/passbook/lib/utils/urls.py
index 416266247..30cb25603 100644
--- a/passbook/lib/utils/urls.py
+++ b/passbook/lib/utils/urls.py
@@ -1,7 +1,19 @@
 """URL-related utils"""
 from urllib.parse import urlparse
 
+from django.http import HttpResponse
+from django.shortcuts import redirect, reverse
+from django.utils.http import urlencode
+
 
 def is_url_absolute(url):
     """Check if domain is absolute to prevent user from being redirect somewhere else"""
     return bool(urlparse(url).netloc)
+
+
+def redirect_with_qs(view: str, get_query_set=None, **kwargs) -> HttpResponse:
+    """Wrapper to redirect whilst keeping GET Parameters"""
+    target = reverse(view, kwargs=kwargs)
+    if get_query_set:
+        target += "?" + urlencode(get_query_set.items())
+    return redirect(target)
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index 74b6adf60..b50b663fc 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -8,7 +8,7 @@ from jinja2.exceptions import TemplateSyntaxError, UndefinedError
 from jinja2.nativetypes import NativeEnvironment
 from structlog import get_logger
 
-from passbook.flows.views import AuthenticationView
+from passbook.flows.planner import PLAN_CONTEXT_SSO
 from passbook.lib.utils.http import get_client_ip
 from passbook.policies.types import PolicyRequest, PolicyResult
 
@@ -54,8 +54,9 @@ class Evaluator:
         kwargs["pb_is_group_member"] = Evaluator.jinja2_func_is_group_member
         kwargs["pb_logger"] = get_logger()
         if request.http_request:
+            # TODO: Get access to current plan
             kwargs["pb_is_sso_flow"] = request.http_request.session.get(
-                AuthenticationView.SESSION_IS_SSO_LOGIN, False
+                PLAN_CONTEXT_SSO, False
             )
             kwargs["pb_client_ip"] = (
                 get_client_ip(request.http_request) or "255.255.255.255"
diff --git a/passbook/sources/oauth/views/core.py b/passbook/sources/oauth/views/core.py
index 5d9377e38..e794fff0e 100644
--- a/passbook/sources/oauth/views/core.py
+++ b/passbook/sources/oauth/views/core.py
@@ -13,7 +13,15 @@ from django.views.generic import RedirectView, View
 from structlog import get_logger
 
 from passbook.audit.models import Event, EventAction
-from passbook.flows.views import AuthenticationView, _redirect_with_qs
+from passbook.factors.password.factor import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.flows.models import Flow, FlowDesignation
+from passbook.flows.planner import (
+    PLAN_CONTEXT_PENDING_USER,
+    PLAN_CONTEXT_SSO,
+    FlowPlanner,
+)
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.lib.utils.urls import redirect_with_qs
 from passbook.sources.oauth.clients import get_client
 from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 
@@ -165,10 +173,17 @@ class OAuthCallback(OAuthClientMixin, View):
         user = authenticate(
             source=access.source, identifier=access.identifier, request=self.request
         )
-        self.request.session[AuthenticationView.SESSION_PENDING_USER] = user.pk
-        self.request.session[AuthenticationView.SESSION_USER_BACKEND] = user.backend
-        self.request.session[AuthenticationView.SESSION_IS_SSO_LOGIN] = True
-        return _redirect_with_qs("passbook_flows:auth-process", self.request.GET)
+        # We run the Flow planner here so we can pass the Pending user in the context
+        flow = get_object_or_404(Flow, designation=FlowDesignation.AUTHENTICATION)
+        planner = FlowPlanner(flow)
+        plan = planner.plan(self.request)
+        plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = user.backend
+        plan.context[PLAN_CONTEXT_SSO] = True
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "passbook_flows:flow-executor", self.request.GET, flow_slug=flow.slug,
+        )
 
     # pylint: disable=unused-argument
     def handle_existing_user(self, source, user, access, info):
diff --git a/scripts/pre-commit.sh b/scripts/pre-commit.sh
index e97bac37c..c5f6a7636 100755
--- a/scripts/pre-commit.sh
+++ b/scripts/pre-commit.sh
@@ -2,7 +2,7 @@
 isort -rc passbook
 pyright
 black passbook
-scripts/coverage.sh
+# scripts/coverage.sh
 bandit -r passbook
 pylint passbook
 prospector

From 273af0f1cb1c82779e7928d70682741c1040b34a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 16:43:22 +0200
Subject: [PATCH 07/80] core/auth: fix unittests for flows

---
 .../core/tests/test_views_authentication.py   |  7 +++-
 .../templates/factors/password/backend.html   |  1 +
 .../flows/migrations/0004_default_flows.py    | 37 +++++++++++++++++++
 scripts/pre-commit.sh                         |  2 +-
 4 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 passbook/flows/migrations/0004_default_flows.py

diff --git a/passbook/core/tests/test_views_authentication.py b/passbook/core/tests/test_views_authentication.py
index 870484223..1144abbd7 100644
--- a/passbook/core/tests/test_views_authentication.py
+++ b/passbook/core/tests/test_views_authentication.py
@@ -7,6 +7,7 @@ from django.urls import reverse
 
 from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation
 
 
 class TestAuthenticationViews(TestCase):
@@ -77,7 +78,11 @@ class TestAuthenticationViews(TestCase):
             reverse("passbook_core:auth-login"), data=self.login_data
         )
         self.assertEqual(login_response.status_code, 302)
-        self.assertEqual(login_response.url, reverse("passbook_flows:auth-process"))
+        flow = Flow.objects.get(designation=FlowDesignation.AUTHENTICATION)
+        expected = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+        )
+        self.assertEqual(login_response.url, expected)
 
     def test_sign_up_view_post(self):
         """Test account.sign_up view POST (Anonymous)"""
diff --git a/passbook/factors/password/templates/factors/password/backend.html b/passbook/factors/password/templates/factors/password/backend.html
index 2115e9682..e270a5bbc 100644
--- a/passbook/factors/password/templates/factors/password/backend.html
+++ b/passbook/factors/password/templates/factors/password/backend.html
@@ -4,6 +4,7 @@
 
 {% block beneath_form %}
 {% if show_password_forget_notice %}
+{# TODO: Link to dedicated recovery flow #}
 <a href="{% url 'passbook_flows:auth-process' %}?password-forgotten">{% trans 'Forgot password?' %}</a>
 {% endif %}
 {% endblock %}
diff --git a/passbook/flows/migrations/0004_default_flows.py b/passbook/flows/migrations/0004_default_flows.py
new file mode 100644
index 000000000..c04d55df1
--- /dev/null
+++ b/passbook/flows/migrations/0004_default_flows.py
@@ -0,0 +1,37 @@
+# Generated by Django 3.0.3 on 2020-05-08 14:30
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from passbook.flows.models import FlowDesignation
+
+
+def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    Flow = apps.get_model("passbook_flows", "Flow")
+    FlowFactorBinding = apps.get_model("passbook_flows", "FlowFactorBinding")
+    PasswordFactor = apps.get_model("passbook_factors_password", "PasswordFactor")
+    db_alias = schema_editor.connection.alias
+
+    if Flow.objects.using(db_alias).all().exists():
+        # Only create default flow when none exist
+        return
+
+    pw_factor = PasswordFactor.objects.using(db_alias).first()
+    flow = Flow.objects.using(db_alias).create(
+        name="default-authentication-flow",
+        slug="default-authentication-flow",
+        designation=FlowDesignation.AUTHENTICATION,
+    )
+    FlowFactorBinding.objects.using(db_alias).create(
+        flow=flow, factor=pw_factor, order=0,
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_flows", "0003_auto_20200508_1230"),
+    ]
+
+    operations = [migrations.RunPython(create_default_flow)]
diff --git a/scripts/pre-commit.sh b/scripts/pre-commit.sh
index c5f6a7636..e97bac37c 100755
--- a/scripts/pre-commit.sh
+++ b/scripts/pre-commit.sh
@@ -2,7 +2,7 @@
 isort -rc passbook
 pyright
 black passbook
-# scripts/coverage.sh
+scripts/coverage.sh
 bandit -r passbook
 pylint passbook
 prospector

From c3e43a7c2f5f2169cdd5f63b57102edfc22e34a5 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 16:50:50 +0200
Subject: [PATCH 08/80] flows: fix denied view not being registered

---
 passbook/core/urls.py   | 6 +++---
 passbook/flows/urls.py  | 3 ++-
 passbook/flows/views.py | 9 +++++++--
 passbook/root/urls.py   | 2 +-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index 3e3ce066f..083a142d3 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -19,10 +19,10 @@ urlpatterns = [
         name="auth-password-reset",
     ),
     # User views
-    path("_/user/", user.UserSettingsView.as_view(), name="user-settings"),
-    path("_/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
+    path("-/user/", user.UserSettingsView.as_view(), name="user-settings"),
+    path("-/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
     path(
-        "_/user/change_password/",
+        "-/user/change_password/",
         user.UserChangePasswordView.as_view(),
         name="user-change-password",
     ),
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 060911c27..9198aab18 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -1,8 +1,9 @@
 """flow urls"""
 from django.urls import path
 
-from passbook.flows.views import FlowExecutorView
+from passbook.flows.views import FlowExecutorView, FlowPermissionDeniedView
 
 urlpatterns = [
     path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
+    path("denied/", FlowPermissionDeniedView.as_view(), name="denied"),
 ]
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index fed6e673f..e10f07adb 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -8,6 +8,7 @@ from django.views.generic import View
 from structlog import get_logger
 
 from passbook.core.models import Factor
+from passbook.core.views.utils import PermissionDeniedView
 from passbook.flows.exceptions import FlowNonApplicableError
 from passbook.flows.models import Flow
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
@@ -144,9 +145,13 @@ class FlowExecutorView(View):
         or the user account is disabled."""
         LOGGER.debug("User invalid")
         self.cancel()
-        return redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
+        return redirect_with_qs("passbook_flows:denied", self.request.GET)
 
     def cancel(self) -> HttpResponse:
         """Cancel current execution and return a redirect"""
         del self.request.session[SESSION_KEY_PLAN]
-        return redirect_with_qs("passbook_flows:auth-denied", self.request.GET)
+        return redirect_with_qs("passbook_flows:denied", self.request.GET)
+
+
+class FlowPermissionDeniedView(PermissionDeniedView):
+    """User could not be authenticated"""
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index b7e44d7cd..8f3d09b83 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -45,4 +45,4 @@ urlpatterns += [
 if settings.DEBUG:
     import debug_toolbar
 
-    urlpatterns = [path("__debug__/", include(debug_toolbar.urls)),] + urlpatterns
+    urlpatterns = [path("-/debug/", include(debug_toolbar.urls)),] + urlpatterns

From f8af9d6ce0de4bfb5f22b069ec4f3504f3d3510c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 16:51:12 +0200
Subject: [PATCH 09/80] flows: make sure flow_slug is logged consistently

---
 passbook/flows/views.py | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index e10f07adb..25a3ae890 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -49,7 +49,7 @@ class FlowExecutorView(View):
                 f"Current domain of '{current_domain}' doesn't "
                 f"match configured domain of '{config_domain}'."
             )
-            LOGGER.warning(message)
+            LOGGER.warning(message, flow_slug=self.flow.slug)
             return bad_request_message(self.request, message)
         return None
 
@@ -80,7 +80,7 @@ class FlowExecutorView(View):
         # We don't save the Plan after getting the next factor
         # as it hasn't been successfully passed yet
         self.current_factor = self.plan.next()
-        LOGGER.debug("Current factor", current_factor=self.current_factor)
+        LOGGER.debug("Current factor", current_factor=self.current_factor, flow_slug=self.flow.slug)
         factor_cls = path_to_class(self.current_factor.type)
         self.current_factor_view = factor_cls(self)
         self.current_factor_view.request = request
@@ -89,7 +89,9 @@ class FlowExecutorView(View):
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """pass get request to current factor"""
         LOGGER.debug(
-            "Passing GET", view_class=class_to_path(self.current_factor_view.__class__),
+            "Passing GET",
+            view_class=class_to_path(self.current_factor_view.__class__),
+            flow_slug=self.flow.slug,
         )
         return self.current_factor_view.get(request, *args, **kwargs)
 
@@ -98,6 +100,7 @@ class FlowExecutorView(View):
         LOGGER.debug(
             "Passing POST",
             view_class=class_to_path(self.current_factor_view.__class__),
+            flow_slug=self.flow.slug,
         )
         return self.current_factor_view.post(request, *args, **kwargs)
 
@@ -113,7 +116,11 @@ class FlowExecutorView(View):
         login(
             self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
         )
-        LOGGER.debug("Logged in", user=self.plan.context[PLAN_CONTEXT_PENDING_USER])
+        LOGGER.debug(
+            "Logged in",
+            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
+            flow_slug=self.flow.slug,
+        )
         self.cancel()
         next_param = self.request.GET.get(NEXT_ARG_NAME, None)
         if next_param and not is_url_absolute(next_param):
@@ -124,26 +131,32 @@ class FlowExecutorView(View):
         """Callback called by factors upon successful completion.
         Persists updated plan and context to session."""
         LOGGER.debug(
-            "Factor ok", factor_class=class_to_path(self.current_factor_view.__class__),
+            "Factor ok",
+            factor_class=class_to_path(self.current_factor_view.__class__),
+            flow_slug=self.flow.slug,
         )
         self.request.session[SESSION_KEY_PLAN] = self.plan
         if self.plan.factors:
             LOGGER.debug(
-                "Continuing with next factor", reamining=len(self.plan.factors)
+                "Continuing with next factor",
+                reamining=len(self.plan.factors),
+                flow_slug=self.flow.slug,
             )
             return redirect_with_qs(
                 "passbook_flows:flow-executor", self.request.GET, **self.kwargs
             )
         # User passed all factors
         LOGGER.debug(
-            "User passed all factors", user=self.plan.context[PLAN_CONTEXT_PENDING_USER]
+            "User passed all factors",
+            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
+            flow_slug=self.flow.slug,
         )
         return self._flow_done()
 
     def factor_invalid(self) -> HttpResponse:
         """Callback used factor when data is correct but a policy denies access
         or the user account is disabled."""
-        LOGGER.debug("User invalid")
+        LOGGER.debug("User invalid", flow_slug=self.flow.slug)
         self.cancel()
         return redirect_with_qs("passbook_flows:denied", self.request.GET)
 

From 872ecd93a659c57da3e7475809fd3bfb8b7c92ca Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 18:29:18 +0200
Subject: [PATCH 10/80] flows: add to api and add forms

---
 passbook/api/v2/urls.py |  5 ++--
 passbook/flows/api.py   | 51 +++++++++++++++++++++++++++++++++++++++++
 passbook/flows/forms.py | 44 +++++++++++++++++++++++++++++++++++
 passbook/flows/views.py |  6 ++++-
 4 files changed, 103 insertions(+), 3 deletions(-)
 create mode 100644 passbook/flows/api.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 061c16831..524de960e 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -22,6 +22,7 @@ from passbook.factors.dummy.api import DummyFactorViewSet
 from passbook.factors.email.api import EmailFactorViewSet
 from passbook.factors.otp.api import OTPFactorViewSet
 from passbook.factors.password.api import PasswordFactorViewSet
+from passbook.flows.api import FlowFactorBindingViewSet, FlowViewSet
 from passbook.lib.utils.reflection import get_apps
 from passbook.policies.expiry.api import PasswordExpiryPolicyViewSet
 from passbook.policies.expression.api import ExpressionPolicyViewSet
@@ -74,12 +75,12 @@ router.register("factors/dummy", DummyFactorViewSet)
 router.register("factors/email", EmailFactorViewSet)
 router.register("factors/otp", OTPFactorViewSet)
 router.register("factors/password", PasswordFactorViewSet)
+router.register("flows", FlowViewSet)
+router.register("flows/bindings", FlowFactorBindingViewSet)
 
 info = openapi.Info(
     title="passbook API",
     default_version="v2",
-    # description="Test description",
-    # terms_of_service="https://www.google.com/policies/terms/",
     contact=openapi.Contact(email="hello@beryju.org"),
     license=openapi.License(name="MIT License"),
 )
diff --git a/passbook/flows/api.py b/passbook/flows/api.py
new file mode 100644
index 000000000..09599ca6e
--- /dev/null
+++ b/passbook/flows/api.py
@@ -0,0 +1,51 @@
+"""Flow API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.flows.models import Flow, FlowFactorBinding
+
+
+class FlowSerializer(ModelSerializer):
+    """Flow Serializer"""
+
+    class Meta:
+
+        model = Flow
+        fields = [
+            "pk",
+            "name",
+            "slug",
+            "designation",
+            "factors",
+            "policies"
+        ]
+
+
+class FlowViewSet(ModelViewSet):
+    """Flow Viewset"""
+
+    queryset = Flow.objects.all()
+    serializer_class = FlowSerializer
+
+
+class FlowFactorBindingSerializer(ModelSerializer):
+    """FlowFactorBinding Serializer"""
+
+    class Meta:
+
+        model = FlowFactorBinding
+        fields = [
+            "pk",
+            "flow",
+            "factor",
+            "re_evaluate_policies",
+            "order",
+            "policies"
+        ]
+
+
+class FlowFactorBindingViewSet(ModelViewSet):
+    """FlowFactorBinding Viewset"""
+
+    queryset = FlowFactorBinding.objects.all()
+    serializer_class = FlowFactorBindingSerializer
diff --git a/passbook/flows/forms.py b/passbook/flows/forms.py
index 6bc2443bb..b7936891e 100644
--- a/passbook/flows/forms.py
+++ b/passbook/flows/forms.py
@@ -1,3 +1,47 @@
 """factor forms"""
 
+from django import forms
+from django.contrib.admin.widgets import FilteredSelectMultiple
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Flow, FlowFactorBinding
+
 GENERAL_FIELDS = ["name", "slug", "order", "policies", "enabled"]
+
+
+class FlowForm(forms.ModelForm):
+    """Flow Form"""
+
+    class Meta:
+
+        model = Flow
+        fields = [
+            "name",
+            "slug",
+            "designation",
+            "factors",
+            "policies",
+        ]
+        widgets = {
+            "name": forms.TextInput(),
+            "factors": FilteredSelectMultiple(_("policies"), False),
+        }
+
+
+class FlowFactorBindingForm(forms.ModelForm):
+    """FlowFactorBinding Form"""
+
+    class Meta:
+
+        model = FlowFactorBinding
+        fields = [
+            "flow",
+            "factor",
+            "re_evaluate_policies",
+            "order",
+            "policies",
+        ]
+        widgets = {
+            "name": forms.TextInput(),
+            "factors": FilteredSelectMultiple(_("policies"), False),
+        }
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index 25a3ae890..1cf812d05 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -80,7 +80,11 @@ class FlowExecutorView(View):
         # We don't save the Plan after getting the next factor
         # as it hasn't been successfully passed yet
         self.current_factor = self.plan.next()
-        LOGGER.debug("Current factor", current_factor=self.current_factor, flow_slug=self.flow.slug)
+        LOGGER.debug(
+            "Current factor",
+            current_factor=self.current_factor,
+            flow_slug=self.flow.slug,
+        )
         factor_cls = path_to_class(self.current_factor.type)
         self.current_factor_view = factor_cls(self)
         self.current_factor_view.request = request

From 08c0eb2ec6d690dec1a9c27d1547e098feb86931 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 18:45:53 +0200
Subject: [PATCH 11/80] admin: add flows

---
 manage.py                                     |  4 +-
 .../admin/templates/administration/base.html  |  6 ++
 .../templates/administration/flow/list.html   | 71 +++++++++++++++++
 passbook/admin/urls.py                        | 10 +++
 passbook/admin/views/flows.py                 | 77 +++++++++++++++++++
 passbook/flows/api.py                         | 18 +----
 .../migrations/0005_auto_20200508_1642.py     | 23 ++++++
 passbook/flows/models.py                      |  2 +-
 .../migrations/0003_auto_20200508_1642.py     | 24 ++++++
 passbook/policies/models.py                   |  4 +-
 10 files changed, 219 insertions(+), 20 deletions(-)
 create mode 100644 passbook/admin/templates/administration/flow/list.html
 create mode 100644 passbook/admin/views/flows.py
 create mode 100644 passbook/flows/migrations/0005_auto_20200508_1642.py
 create mode 100644 passbook/policies/migrations/0003_auto_20200508_1642.py

diff --git a/manage.py b/manage.py
index a9cc30054..5a70f4ada 100755
--- a/manage.py
+++ b/manage.py
@@ -6,8 +6,8 @@ from defusedxml import defuse_stdlib
 
 defuse_stdlib()
 
-if __name__ == '__main__':
-    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'passbook.root.settings')
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.root.settings")
     try:
         from django.core.management import execute_from_command_line
     except ImportError as exc:
diff --git a/passbook/admin/templates/administration/base.html b/passbook/admin/templates/administration/base.html
index db483f1b9..51240c85e 100644
--- a/passbook/admin/templates/administration/base.html
+++ b/passbook/admin/templates/administration/base.html
@@ -52,6 +52,12 @@
                         {% trans 'Property Mappings' %}
                     </a>
                 </li>
+                <li class="pf-c-nav__item">
+                    <a href="{% url 'passbook_admin:flows' %}"
+                        class="pf-c-nav__link {% is_active 'passbook_admin:flows' 'passbook_admin:flow-create' 'passbook_admin:flow-update' 'passbook_admin:flow-delete' %}">
+                        {% trans 'Flows' %}
+                    </a>
+                </li>
                 <li class="pf-c-nav__item">
                     <a href="{% url 'passbook_admin:factors' %}"
                         class="pf-c-nav__link {% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
diff --git a/passbook/admin/templates/administration/flow/list.html b/passbook/admin/templates/administration/flow/list.html
new file mode 100644
index 000000000..c22b38dea
--- /dev/null
+++ b/passbook/admin/templates/administration/flow/list.html
@@ -0,0 +1,71 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-process-automation"></i>
+            {% trans 'Flows' %}
+        </h1>
+        <p>{% trans "Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-top">
+            <div class="pf-c-toolbar__action-group">
+                <a href="{% url 'passbook_admin:flow-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
+            </div>
+            {% include 'partials/pagination.html' %}
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Designation' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Factors' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Policies' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for flow in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ flow.name }}</div>
+                            <small>{{ flow.slug }}</small>
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ flow.designation }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ flow.factors.all|length }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ flow.policies.all|length }}
+                        </span>
+                    </td>
+                    <td>
+                        <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:flow-update' pk=flow.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                        <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:flow-delete' pk=flow.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+    </div>
+</section>
+{% endblock %}
diff --git a/passbook/admin/urls.py b/passbook/admin/urls.py
index 7806471d7..6435a446d 100644
--- a/passbook/admin/urls.py
+++ b/passbook/admin/urls.py
@@ -7,6 +7,7 @@ from passbook.admin.views import (
     certificate_key_pair,
     debug,
     factors,
+    flows,
     groups,
     invitations,
     overview,
@@ -97,6 +98,15 @@ urlpatterns = [
         factors.FactorDeleteView.as_view(),
         name="factor-delete",
     ),
+    # Flows
+    path("flows/", flows.FlowListView.as_view(), name="flows"),
+    path("flows/create/", flows.FlowCreateView.as_view(), name="flow-create",),
+    path(
+        "flows/<uuid:pk>/update/", flows.FlowUpdateView.as_view(), name="flow-update",
+    ),
+    path(
+        "flows/<uuid:pk>/delete/", flows.FlowDeleteView.as_view(), name="flow-delete",
+    ),
     # Factors
     path(
         "property-mappings/",
diff --git a/passbook/admin/views/flows.py b/passbook/admin/views/flows.py
new file mode 100644
index 000000000..377cf93f4
--- /dev/null
+++ b/passbook/admin/views/flows.py
@@ -0,0 +1,77 @@
+"""passbook Flow administration"""
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import ugettext as _
+from django.views.generic import DeleteView, ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from passbook.flows.forms import FlowForm
+from passbook.flows.models import Flow
+from passbook.lib.views import CreateAssignPermView
+
+
+class FlowListView(LoginRequiredMixin, PermissionListMixin, ListView):
+    """Show list of all flows"""
+
+    model = Flow
+    permission_required = "passbook_flows.view_flow"
+    ordering = "name"
+    paginate_by = 40
+    template_name = "administration/flow/list.html"
+
+
+class FlowCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "passbook_flows.add_flow"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully created Flow")
+
+    def get_context_data(self, **kwargs):
+        kwargs["type"] = "Flow"
+        return super().get_context_data(**kwargs)
+
+
+class FlowUpdateView(
+    SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
+):
+    """Update flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "passbook_flows.change_flow"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully updated Flow")
+
+
+class FlowDeleteView(
+    SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, DeleteView
+):
+    """Delete flow"""
+
+    model = Flow
+    permission_required = "passbook_flows.delete_flow"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully deleted Flow")
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)
diff --git a/passbook/flows/api.py b/passbook/flows/api.py
index 09599ca6e..9edc3d9e5 100644
--- a/passbook/flows/api.py
+++ b/passbook/flows/api.py
@@ -11,14 +11,7 @@ class FlowSerializer(ModelSerializer):
     class Meta:
 
         model = Flow
-        fields = [
-            "pk",
-            "name",
-            "slug",
-            "designation",
-            "factors",
-            "policies"
-        ]
+        fields = ["pk", "name", "slug", "designation", "factors", "policies"]
 
 
 class FlowViewSet(ModelViewSet):
@@ -34,14 +27,7 @@ class FlowFactorBindingSerializer(ModelSerializer):
     class Meta:
 
         model = FlowFactorBinding
-        fields = [
-            "pk",
-            "flow",
-            "factor",
-            "re_evaluate_policies",
-            "order",
-            "policies"
-        ]
+        fields = ["pk", "flow", "factor", "re_evaluate_policies", "order", "policies"]
 
 
 class FlowFactorBindingViewSet(ModelViewSet):
diff --git a/passbook/flows/migrations/0005_auto_20200508_1642.py b/passbook/flows/migrations/0005_auto_20200508_1642.py
new file mode 100644
index 000000000..3bf11a86e
--- /dev/null
+++ b/passbook/flows/migrations/0005_auto_20200508_1642.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.0.3 on 2020-05-08 16:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0011_auto_20200222_1822"),
+        ("passbook_flows", "0004_default_flows"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flow",
+            name="factors",
+            field=models.ManyToManyField(
+                blank=True,
+                through="passbook_flows.FlowFactorBinding",
+                to="passbook_core.Factor",
+            ),
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index 44cda4f35..5169fc1d8 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -36,7 +36,7 @@ class Flow(PolicyBindingModel, UUIDModel):
 
     designation = models.CharField(max_length=100, choices=FlowDesignation.as_choices())
 
-    factors = models.ManyToManyField(Factor, through="FlowFactorBinding")
+    factors = models.ManyToManyField(Factor, through="FlowFactorBinding", blank=True)
 
     pbm = models.OneToOneField(
         PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"
diff --git a/passbook/policies/migrations/0003_auto_20200508_1642.py b/passbook/policies/migrations/0003_auto_20200508_1642.py
new file mode 100644
index 000000000..a9e6128ba
--- /dev/null
+++ b/passbook/policies/migrations/0003_auto_20200508_1642.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.0.3 on 2020-05-08 16:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0011_auto_20200222_1822"),
+        ("passbook_policies", "0002_auto_20200508_1230"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="policybindingmodel",
+            name="policies",
+            field=models.ManyToManyField(
+                blank=True,
+                related_name="_policybindingmodel_policies_+",
+                through="passbook_policies.PolicyBinding",
+                to="passbook_core.Policy",
+            ),
+        ),
+    ]
diff --git a/passbook/policies/models.py b/passbook/policies/models.py
index 42f85f74c..033c818a0 100644
--- a/passbook/policies/models.py
+++ b/passbook/policies/models.py
@@ -9,7 +9,9 @@ from passbook.lib.models import UUIDModel
 class PolicyBindingModel(models.Model):
     """Base Model for objects which have Policies applied to them"""
 
-    policies = models.ManyToManyField(Policy, through="PolicyBinding", related_name="+")
+    policies = models.ManyToManyField(
+        Policy, through="PolicyBinding", related_name="+", blank=True
+    )
 
     class Meta:
 

From 212e966dd403767a2fd0a7f024e9b88a24e24d97 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 19:46:39 +0200
Subject: [PATCH 12/80] factors: -> stage

---
 passbook/admin/urls.py                        | 22 +++----
 passbook/admin/views/overview.py              | 14 ++---
 .../admin/views/{factors.py => stages.py}     | 62 +++++++++----------
 passbook/api/v2/urls.py                       | 27 ++++----
 passbook/core/api/factors.py                  | 30 ---------
 .../core/migrations/0012_delete_factor.py     | 14 +++++
 passbook/core/models.py                       | 24 -------
 passbook/core/templates/user/base.html        | 12 ++--
 .../templatetags/passbook_user_settings.py    | 44 ++++++-------
 passbook/core/types.py                        |  2 +-
 passbook/core/views/authentication.py         |  2 +-
 passbook/core/views/user.py                   |  2 +-
 passbook/factors/captcha/api.py               | 21 -------
 passbook/factors/captcha/apps.py              | 10 ---
 passbook/factors/captcha/forms.py             | 35 -----------
 .../captcha/migrations/0001_initial.py        | 39 ------------
 .../migrations/0002_auto_20200221_1410.py     | 27 --------
 passbook/factors/dummy/api.py                 | 21 -------
 passbook/factors/dummy/apps.py                | 11 ----
 passbook/factors/dummy/factor.py              | 12 ----
 passbook/factors/dummy/forms.py               | 21 -------
 passbook/factors/dummy/models.py              | 19 ------
 passbook/factors/email/apps.py                | 15 -----
 .../migrations/0002_auto_20191011_1224.py     | 18 ------
 passbook/factors/otp/api.py                   | 21 -------
 passbook/factors/otp/apps.py                  | 12 ----
 passbook/factors/otp/models.py                | 34 ----------
 passbook/factors/password/api.py              | 30 ---------
 passbook/factors/password/apps.py             | 15 -----
 .../migrations/0002_auto_20191007_1411.py     | 24 -------
 .../0003_passwordfactor_reset_factors.py      | 21 -------
 .../migrations/0004_auto_20200221_1410.py     | 23 -------
 passbook/factors/password/signals.py          | 23 -------
 passbook/flows/api.py                         | 49 +++++++++++----
 passbook/flows/forms.py                       | 21 +++----
 passbook/flows/migrations/0001_initial.py     | 54 +++++++++++-----
 ...default_flows.py => 0002_default_flows.py} | 18 ++++--
 ..._flowfactorbinding_re_evaluate_policies.py | 21 -------
 .../migrations/0003_auto_20200508_1230.py     | 21 -------
 .../migrations/0005_auto_20200508_1642.py     | 23 -------
 passbook/flows/models.py                      | 46 ++++++++++----
 passbook/flows/planner.py                     | 31 ++++++----
 passbook/flows/{factor_base.py => stage.py}   |  6 +-
 passbook/flows/views.py                       | 61 +++++++++---------
 passbook/root/settings.py                     | 10 +--
 passbook/sources/oauth/views/core.py          |  4 +-
 passbook/{factors => stages}/__init__.py      |  0
 .../{factors => stages}/captcha/__init__.py   |  0
 passbook/stages/captcha/api.py                | 21 +++++++
 passbook/stages/captcha/apps.py               | 10 +++
 passbook/stages/captcha/forms.py              | 25 ++++++++
 .../stages/captcha/migrations/0001_initial.py | 49 +++++++++++++++
 .../captcha/migrations/__init__.py            |  0
 .../{factors => stages}/captcha/models.py     | 18 +++---
 .../{factors => stages}/captcha/settings.py   |  2 +-
 .../factor.py => stages/captcha/stage.py}     | 14 ++---
 .../{factors => stages}/dummy/__init__.py     |  0
 passbook/stages/dummy/api.py                  | 21 +++++++
 passbook/stages/dummy/apps.py                 | 11 ++++
 passbook/stages/dummy/forms.py                | 16 +++++
 .../dummy/migrations/0001_initial.py          | 16 ++---
 .../dummy/migrations/__init__.py              |  0
 passbook/stages/dummy/models.py               | 19 ++++++
 passbook/stages/dummy/stage.py                | 12 ++++
 .../{factors => stages}/email/__init__.py     |  0
 passbook/{factors => stages}/email/api.py     | 21 +++----
 passbook/stages/email/apps.py                 | 15 +++++
 passbook/{factors => stages}/email/forms.py   | 20 ++----
 .../email/migrations/0001_initial.py          | 18 +++---
 .../email/migrations/__init__.py              |  0
 passbook/{factors => stages}/email/models.py  | 18 +++---
 .../email/factor.py => stages/email/stage.py} | 18 +++---
 passbook/{factors => stages}/email/tasks.py   | 20 +++---
 passbook/{factors => stages}/email/utils.py   |  0
 passbook/{factors => stages}/otp/__init__.py  |  0
 passbook/stages/otp/api.py                    | 21 +++++++
 passbook/stages/otp/apps.py                   | 12 ++++
 passbook/{factors => stages}/otp/forms.py     | 19 ++----
 .../otp/migrations/0001_initial.py            | 19 +++---
 .../otp/migrations/__init__.py                |  0
 passbook/stages/otp/models.py                 | 34 ++++++++++
 passbook/{factors => stages}/otp/settings.py  |  0
 .../otp/factors.py => stages/otp/stage.py}    | 18 +++---
 .../otp/templates/stages}/otp/factor.html     |  0
 .../templates/stages}/otp/user_settings.html  |  4 +-
 passbook/{factors => stages}/otp/urls.py      |  2 +-
 passbook/{factors => stages}/otp/utils.py     |  0
 passbook/{factors => stages}/otp/views.py     | 20 +++---
 .../{factors => stages}/password/__init__.py  |  0
 passbook/stages/password/api.py               | 26 ++++++++
 passbook/stages/password/apps.py              | 10 +++
 .../password/exceptions.py                    |  0
 .../{factors => stages}/password/forms.py     | 19 ++----
 .../password/migrations/0001_initial.py       | 21 ++++---
 .../password/migrations/__init__.py           |  0
 .../{factors => stages}/password/models.py    | 22 +++----
 .../factor.py => stages/password/stage.py}    | 18 +++---
 .../templates/stages}/password/backend.html   |  0
 scripts/coverage.sh                           |  2 +-
 99 files changed, 745 insertions(+), 958 deletions(-)
 rename passbook/admin/views/{factors.py => stages.py} (62%)
 delete mode 100644 passbook/core/api/factors.py
 create mode 100644 passbook/core/migrations/0012_delete_factor.py
 delete mode 100644 passbook/factors/captcha/api.py
 delete mode 100644 passbook/factors/captcha/apps.py
 delete mode 100644 passbook/factors/captcha/forms.py
 delete mode 100644 passbook/factors/captcha/migrations/0001_initial.py
 delete mode 100644 passbook/factors/captcha/migrations/0002_auto_20200221_1410.py
 delete mode 100644 passbook/factors/dummy/api.py
 delete mode 100644 passbook/factors/dummy/apps.py
 delete mode 100644 passbook/factors/dummy/factor.py
 delete mode 100644 passbook/factors/dummy/forms.py
 delete mode 100644 passbook/factors/dummy/models.py
 delete mode 100644 passbook/factors/email/apps.py
 delete mode 100644 passbook/factors/email/migrations/0002_auto_20191011_1224.py
 delete mode 100644 passbook/factors/otp/api.py
 delete mode 100644 passbook/factors/otp/apps.py
 delete mode 100644 passbook/factors/otp/models.py
 delete mode 100644 passbook/factors/password/api.py
 delete mode 100644 passbook/factors/password/apps.py
 delete mode 100644 passbook/factors/password/migrations/0002_auto_20191007_1411.py
 delete mode 100644 passbook/factors/password/migrations/0003_passwordfactor_reset_factors.py
 delete mode 100644 passbook/factors/password/migrations/0004_auto_20200221_1410.py
 delete mode 100644 passbook/factors/password/signals.py
 rename passbook/flows/migrations/{0004_default_flows.py => 0002_default_flows.py} (58%)
 delete mode 100644 passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
 delete mode 100644 passbook/flows/migrations/0003_auto_20200508_1230.py
 delete mode 100644 passbook/flows/migrations/0005_auto_20200508_1642.py
 rename passbook/flows/{factor_base.py => stage.py} (84%)
 rename passbook/{factors => stages}/__init__.py (100%)
 rename passbook/{factors => stages}/captcha/__init__.py (100%)
 create mode 100644 passbook/stages/captcha/api.py
 create mode 100644 passbook/stages/captcha/apps.py
 create mode 100644 passbook/stages/captcha/forms.py
 create mode 100644 passbook/stages/captcha/migrations/0001_initial.py
 rename passbook/{factors => stages}/captcha/migrations/__init__.py (100%)
 rename passbook/{factors => stages}/captcha/models.py (53%)
 rename passbook/{factors => stages}/captcha/settings.py (90%)
 rename passbook/{factors/captcha/factor.py => stages/captcha/stage.py} (66%)
 rename passbook/{factors => stages}/dummy/__init__.py (100%)
 create mode 100644 passbook/stages/dummy/api.py
 create mode 100644 passbook/stages/dummy/apps.py
 create mode 100644 passbook/stages/dummy/forms.py
 rename passbook/{factors => stages}/dummy/migrations/0001_initial.py (64%)
 rename passbook/{factors => stages}/dummy/migrations/__init__.py (100%)
 create mode 100644 passbook/stages/dummy/models.py
 create mode 100644 passbook/stages/dummy/stage.py
 rename passbook/{factors => stages}/email/__init__.py (100%)
 rename passbook/{factors => stages}/email/api.py (54%)
 create mode 100644 passbook/stages/email/apps.py
 rename passbook/{factors => stages}/email/forms.py (60%)
 rename passbook/{factors => stages}/email/migrations/0001_initial.py (76%)
 rename passbook/{factors => stages}/email/migrations/__init__.py (100%)
 rename passbook/{factors => stages}/email/models.py (76%)
 rename passbook/{factors/email/factor.py => stages/email/stage.py} (75%)
 rename passbook/{factors => stages}/email/tasks.py (62%)
 rename passbook/{factors => stages}/email/utils.py (100%)
 rename passbook/{factors => stages}/otp/__init__.py (100%)
 create mode 100644 passbook/stages/otp/api.py
 create mode 100644 passbook/stages/otp/apps.py
 rename passbook/{factors => stages}/otp/forms.py (77%)
 rename passbook/{factors => stages}/otp/migrations/0001_initial.py (67%)
 rename passbook/{factors => stages}/otp/migrations/__init__.py (100%)
 create mode 100644 passbook/stages/otp/models.py
 rename passbook/{factors => stages}/otp/settings.py (100%)
 rename passbook/{factors/otp/factors.py => stages/otp/stage.py} (82%)
 rename passbook/{factors/otp/templates => stages/otp/templates/stages}/otp/factor.html (100%)
 rename passbook/{factors/otp/templates => stages/otp/templates/stages}/otp/user_settings.html (91%)
 rename passbook/{factors => stages}/otp/urls.py (89%)
 rename passbook/{factors => stages}/otp/utils.py (100%)
 rename passbook/{factors => stages}/otp/views.py (91%)
 rename passbook/{factors => stages}/password/__init__.py (100%)
 create mode 100644 passbook/stages/password/api.py
 create mode 100644 passbook/stages/password/apps.py
 rename passbook/{factors => stages}/password/exceptions.py (100%)
 rename passbook/{factors => stages}/password/forms.py (64%)
 rename passbook/{factors => stages}/password/migrations/0001_initial.py (62%)
 rename passbook/{factors => stages}/password/migrations/__init__.py (100%)
 rename passbook/{factors => stages}/password/models.py (63%)
 rename passbook/{factors/password/factor.py => stages/password/stage.py} (86%)
 rename passbook/{factors/password/templates/factors => stages/password/templates/stages}/password/backend.html (100%)

diff --git a/passbook/admin/urls.py b/passbook/admin/urls.py
index 6435a446d..0f3526713 100644
--- a/passbook/admin/urls.py
+++ b/passbook/admin/urls.py
@@ -6,7 +6,6 @@ from passbook.admin.views import (
     audit,
     certificate_key_pair,
     debug,
-    factors,
     flows,
     groups,
     invitations,
@@ -15,6 +14,7 @@ from passbook.admin.views import (
     property_mapping,
     providers,
     sources,
+    stages,
     users,
 )
 
@@ -85,18 +85,18 @@ urlpatterns = [
         providers.ProviderDeleteView.as_view(),
         name="provider-delete",
     ),
-    # Factors
-    path("factors/", factors.FactorListView.as_view(), name="factors"),
-    path("factors/create/", factors.FactorCreateView.as_view(), name="factor-create"),
+    # Stages
+    path("stages/", stages.StageListView.as_view(), name="stages"),
+    path("stages/create/", stages.StageCreateView.as_view(), name="stage-create"),
     path(
-        "factors/<uuid:pk>/update/",
-        factors.FactorUpdateView.as_view(),
-        name="factor-update",
+        "stages/<uuid:pk>/update/",
+        stages.StageUpdateView.as_view(),
+        name="stage-update",
     ),
     path(
-        "factors/<uuid:pk>/delete/",
-        factors.FactorDeleteView.as_view(),
-        name="factor-delete",
+        "stages/<uuid:pk>/delete/",
+        stages.StageDeleteView.as_view(),
+        name="stage-delete",
     ),
     # Flows
     path("flows/", flows.FlowListView.as_view(), name="flows"),
@@ -107,7 +107,7 @@ urlpatterns = [
     path(
         "flows/<uuid:pk>/delete/", flows.FlowDeleteView.as_view(), name="flow-delete",
     ),
-    # Factors
+    # Property Mappings
     path(
         "property-mappings/",
         property_mapping.PropertyMappingListView.as_view(),
diff --git a/passbook/admin/views/overview.py b/passbook/admin/views/overview.py
index 52025b50e..9248eac5b 100644
--- a/passbook/admin/views/overview.py
+++ b/passbook/admin/views/overview.py
@@ -5,15 +5,8 @@ from django.views.generic import TemplateView
 
 from passbook import __version__
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core.models import (
-    Application,
-    Factor,
-    Invitation,
-    Policy,
-    Provider,
-    Source,
-    User,
-)
+from passbook.core.models import Application, Invitation, Policy, Provider, Source, User
+from passbook.flows.models import Flow, Stage
 from passbook.root.celery import CELERY_APP
 
 
@@ -35,7 +28,8 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         kwargs["user_count"] = len(User.objects.all())
         kwargs["provider_count"] = len(Provider.objects.all())
         kwargs["source_count"] = len(Source.objects.all())
-        kwargs["factor_count"] = len(Factor.objects.all())
+        kwargs["stage_count"] = len(Stage.objects.all())
+        kwargs["flow_count"] = len(Flow.objects.all())
         kwargs["invitation_count"] = len(Invitation.objects.all())
         kwargs["version"] = __version__
         kwargs["worker_count"] = len(CELERY_APP.control.ping(timeout=0.5))
diff --git a/passbook/admin/views/factors.py b/passbook/admin/views/stages.py
similarity index 62%
rename from passbook/admin/views/factors.py
rename to passbook/admin/views/stages.py
index 628c6a61f..c5623a22e 100644
--- a/passbook/admin/views/factors.py
+++ b/passbook/admin/views/stages.py
@@ -1,4 +1,4 @@
-"""passbook Factor administration"""
+"""passbook Stage administration"""
 from django.contrib import messages
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.mixins import (
@@ -11,7 +11,7 @@ from django.utils.translation import ugettext as _
 from django.views.generic import DeleteView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
-from passbook.core.models import Factor
+from passbook.flows.models import Stage
 from passbook.lib.utils.reflection import path_to_class
 from passbook.lib.views import CreateAssignPermView
 
@@ -23,18 +23,18 @@ def all_subclasses(cls):
     )
 
 
-class FactorListView(LoginRequiredMixin, PermissionListMixin, ListView):
-    """Show list of all factors"""
+class StageListView(LoginRequiredMixin, PermissionListMixin, ListView):
+    """Show list of all flows"""
 
-    model = Factor
-    template_name = "administration/factor/list.html"
-    permission_required = "passbook_core.view_factor"
+    model = Stage
+    template_name = "administration/flow/list.html"
+    permission_required = "passbook_core.view_flow"
     ordering = "order"
     paginate_by = 40
 
     def get_context_data(self, **kwargs):
         kwargs["types"] = {
-            x.__name__: x._meta.verbose_name for x in all_subclasses(Factor)
+            x.__name__: x._meta.verbose_name for x in all_subclasses(Stage)
         }
         return super().get_context_data(**kwargs)
 
@@ -42,46 +42,46 @@ class FactorListView(LoginRequiredMixin, PermissionListMixin, ListView):
         return super().get_queryset().select_subclasses()
 
 
-class FactorCreateView(
+class StageCreateView(
     SuccessMessageMixin,
     LoginRequiredMixin,
     DjangoPermissionRequiredMixin,
     CreateAssignPermView,
 ):
-    """Create new Factor"""
+    """Create new Stage"""
 
-    model = Factor
+    model = Stage
     template_name = "generic/create.html"
-    permission_required = "passbook_core.add_factor"
+    permission_required = "passbook_core.add_flow"
 
-    success_url = reverse_lazy("passbook_admin:factors")
-    success_message = _("Successfully created Factor")
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully created Stage")
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        factor_type = self.request.GET.get("type")
-        model = next(x for x in all_subclasses(Factor) if x.__name__ == factor_type)
+        flow_type = self.request.GET.get("type")
+        model = next(x for x in all_subclasses(Stage) if x.__name__ == flow_type)
         kwargs["type"] = model._meta.verbose_name
         return kwargs
 
     def get_form_class(self):
-        factor_type = self.request.GET.get("type")
-        model = next(x for x in all_subclasses(Factor) if x.__name__ == factor_type)
+        flow_type = self.request.GET.get("type")
+        model = next(x for x in all_subclasses(Stage) if x.__name__ == flow_type)
         if not model:
             raise Http404
         return path_to_class(model.form)
 
 
-class FactorUpdateView(
+class StageUpdateView(
     SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
 ):
-    """Update factor"""
+    """Update flow"""
 
-    model = Factor
+    model = Stage
     permission_required = "passbook_core.update_application"
     template_name = "generic/update.html"
-    success_url = reverse_lazy("passbook_admin:factors")
-    success_message = _("Successfully updated Factor")
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully updated Stage")
 
     def get_form_class(self):
         form_class_path = self.get_object().form
@@ -90,24 +90,24 @@ class FactorUpdateView(
 
     def get_object(self, queryset=None):
         return (
-            Factor.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
+            Stage.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
         )
 
 
-class FactorDeleteView(
+class StageDeleteView(
     SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, DeleteView
 ):
-    """Delete factor"""
+    """Delete flow"""
 
-    model = Factor
+    model = Stage
     template_name = "generic/delete.html"
-    permission_required = "passbook_core.delete_factor"
-    success_url = reverse_lazy("passbook_admin:factors")
-    success_message = _("Successfully deleted Factor")
+    permission_required = "passbook_core.delete_flow"
+    success_url = reverse_lazy("passbook_admin:flows")
+    success_message = _("Successfully deleted Stage")
 
     def get_object(self, queryset=None):
         return (
-            Factor.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
+            Stage.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
         )
 
     def delete(self, request, *args, **kwargs):
diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 524de960e..d651e991f 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -9,7 +9,6 @@ from structlog import get_logger
 from passbook.api.permissions import CustomObjectPermissions
 from passbook.audit.api import EventViewSet
 from passbook.core.api.applications import ApplicationViewSet
-from passbook.core.api.factors import FactorViewSet
 from passbook.core.api.groups import GroupViewSet
 from passbook.core.api.invitations import InvitationViewSet
 from passbook.core.api.policies import PolicyViewSet
@@ -17,12 +16,7 @@ from passbook.core.api.propertymappings import PropertyMappingViewSet
 from passbook.core.api.providers import ProviderViewSet
 from passbook.core.api.sources import SourceViewSet
 from passbook.core.api.users import UserViewSet
-from passbook.factors.captcha.api import CaptchaFactorViewSet
-from passbook.factors.dummy.api import DummyFactorViewSet
-from passbook.factors.email.api import EmailFactorViewSet
-from passbook.factors.otp.api import OTPFactorViewSet
-from passbook.factors.password.api import PasswordFactorViewSet
-from passbook.flows.api import FlowFactorBindingViewSet, FlowViewSet
+from passbook.flows.api import FlowStageBindingViewSet, FlowViewSet, StageViewSet
 from passbook.lib.utils.reflection import get_apps
 from passbook.policies.expiry.api import PasswordExpiryPolicyViewSet
 from passbook.policies.expression.api import ExpressionPolicyViewSet
@@ -36,6 +30,11 @@ from passbook.providers.oidc.api import OpenIDProviderViewSet
 from passbook.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProviderViewSet
 from passbook.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 from passbook.sources.oauth.api import OAuthSourceViewSet
+from passbook.stages.captcha.api import CaptchaStageViewSet
+from passbook.stages.dummy.api import DummyStageViewSet
+from passbook.stages.email.api import EmailStageViewSet
+from passbook.stages.otp.api import OTPStageViewSet
+from passbook.stages.password.api import PasswordStageViewSet
 
 LOGGER = get_logger()
 router = routers.DefaultRouter()
@@ -69,14 +68,14 @@ router.register("providers/saml", SAMLProviderViewSet)
 router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
-router.register("factors/all", FactorViewSet)
-router.register("factors/captcha", CaptchaFactorViewSet)
-router.register("factors/dummy", DummyFactorViewSet)
-router.register("factors/email", EmailFactorViewSet)
-router.register("factors/otp", OTPFactorViewSet)
-router.register("factors/password", PasswordFactorViewSet)
+router.register("stages/all", StageViewSet)
+router.register("stages/captcha", CaptchaStageViewSet)
+router.register("stages/dummy", DummyStageViewSet)
+router.register("stages/email", EmailStageViewSet)
+router.register("stages/otp", OTPStageViewSet)
+router.register("stages/password", PasswordStageViewSet)
 router.register("flows", FlowViewSet)
-router.register("flows/bindings", FlowFactorBindingViewSet)
+router.register("flows/bindings", FlowStageBindingViewSet)
 
 info = openapi.Info(
     title="passbook API",
diff --git a/passbook/core/api/factors.py b/passbook/core/api/factors.py
deleted file mode 100644
index ec812fa8b..000000000
--- a/passbook/core/api/factors.py
+++ /dev/null
@@ -1,30 +0,0 @@
-"""Factor API Views"""
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
-from rest_framework.viewsets import ReadOnlyModelViewSet
-
-from passbook.core.models import Factor
-
-
-class FactorSerializer(ModelSerializer):
-    """Factor Serializer"""
-
-    __type__ = SerializerMethodField(method_name="get_type")
-
-    def get_type(self, obj):
-        """Get object type so that we know which API Endpoint to use to get the full object"""
-        return obj._meta.object_name.lower().replace("factor", "")
-
-    class Meta:
-
-        model = Factor
-        fields = ["pk", "name", "slug", "order", "enabled", "__type__"]
-
-
-class FactorViewSet(ReadOnlyModelViewSet):
-    """Factor Viewset"""
-
-    queryset = Factor.objects.all()
-    serializer_class = FactorSerializer
-
-    def get_queryset(self):
-        return Factor.objects.select_subclasses()
diff --git a/passbook/core/migrations/0012_delete_factor.py b/passbook/core/migrations/0012_delete_factor.py
new file mode 100644
index 000000000..f8f9c3128
--- /dev/null
+++ b/passbook/core/migrations/0012_delete_factor.py
@@ -0,0 +1,14 @@
+# Generated by Django 3.0.3 on 2020-05-08 17:58
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0011_auto_20200222_1822"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(name="Factor",),
+    ]
diff --git a/passbook/core/models.py b/passbook/core/models.py
index 25d33db16..29f489f2a 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -103,30 +103,6 @@ class PolicyModel(UUIDModel, CreatedUpdatedModel):
     policies = models.ManyToManyField("Policy", blank=True)
 
 
-class Factor(ExportModelOperationsMixin("factor"), PolicyModel):
-    """Authentication factor, multiple instances of the same Factor can be used"""
-
-    name = models.TextField(help_text=_("Factor's display Name."))
-    slug = models.SlugField(
-        unique=True, help_text=_("Internal factor name, used in URLs.")
-    )
-    order = models.IntegerField()
-    enabled = models.BooleanField(default=True)
-
-    objects = InheritanceManager()
-    type = ""
-    form = ""
-
-    @property
-    def ui_user_settings(self) -> Optional[UIUserSettings]:
-        """Entrypoint to integrate with User settings. Can either return None if no
-        user settings are available, or an instanace of UIUserSettings."""
-        return None
-
-    def __str__(self):
-        return f"Factor {self.slug}"
-
-
 class Application(ExportModelOperationsMixin("application"), PolicyModel):
     """Every Application which uses passbook for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
diff --git a/passbook/core/templates/user/base.html b/passbook/core/templates/user/base.html
index 6e9d0e650..274d08346 100644
--- a/passbook/core/templates/user/base.html
+++ b/passbook/core/templates/user/base.html
@@ -18,16 +18,16 @@
                     </li>
                 </ul>
             </section>
-            {% user_factors as user_factors_loc %}
-            {% if user_factors_loc %}
+            {% user_stages as user_stages_loc %}
+            {% if user_stages_loc %}
             <section class="pf-c-nav__section">
                 <h2 class="pf-c-nav__section-title">{% trans 'Factors' %}</h2>
                 <ul class="pf-c-nav__list">
-                    {% for factor in user_factors_loc %}
+                    {% for stage in user_stages_loc %}
                     <li class="pf-c-nav__item">
-                        <a href="{% url factor.view_name %}" class="pf-c-nav__link {% is_active factor.view_name %}">
-                            <i class="{{ factor.icon }}"></i>
-                            {{ factor.name }}
+                        <a href="{% url stage.view_name %}" class="pf-c-nav__link {% is_active stage.view_name %}">
+                            <i class="{{ stage.icon }}"></i>
+                            {{ stage.name }}
                         </a>
                     </li>
                     {% endfor %}
diff --git a/passbook/core/templatetags/passbook_user_settings.py b/passbook/core/templatetags/passbook_user_settings.py
index 478903b1c..57cb25711 100644
--- a/passbook/core/templatetags/passbook_user_settings.py
+++ b/passbook/core/templatetags/passbook_user_settings.py
@@ -4,7 +4,7 @@ from typing import Iterable, List
 from django import template
 from django.template.context import RequestContext
 
-from passbook.core.models import Factor, Source
+from passbook.core.models import Source
 from passbook.core.types import UIUserSettings
 from passbook.policies.engine import PolicyEngine
 
@@ -12,24 +12,24 @@ register = template.Library()
 
 
 @register.simple_tag(takes_context=True)
-def user_factors(context: RequestContext) -> List[UIUserSettings]:
-    """Return list of all factors which apply to user"""
-    user = context.get("request").user
-    _all_factors: Iterable[Factor] = (
-        Factor.objects.filter(enabled=True).order_by("order").select_subclasses()
-    )
-    matching_factors: List[UIUserSettings] = []
-    for factor in _all_factors:
-        user_settings = factor.ui_user_settings
-        if not user_settings:
-            continue
-        policy_engine = PolicyEngine(
-            factor.policies.all(), user, context.get("request")
-        )
-        policy_engine.build()
-        if policy_engine.passing:
-            matching_factors.append(user_settings)
-    return matching_factors
+# pylint: disable=unused-argument
+def user_stages(context: RequestContext) -> List[UIUserSettings]:
+    """Return list of all stages which apply to user"""
+    # TODO: Rewrite this based on flows
+    # user = context.get("request").user
+    # _all_stages: Iterable[Stage] = (Stage.objects.all().select_subclasses())
+    matching_stages: List[UIUserSettings] = []
+    # for stage in _all_stages:
+    #     user_settings = stage.ui_user_settings
+    #     if not user_settings:
+    #         continue
+    #     policy_engine = PolicyEngine(
+    #         stage.policies.all(), user, context.get("request")
+    #     )
+    #     policy_engine.build()
+    #     if policy_engine.passing:
+    #         matching_stages.append(user_settings)
+    return matching_stages
 
 
 @register.simple_tag(takes_context=True)
@@ -40,12 +40,12 @@ def user_sources(context: RequestContext) -> List[UIUserSettings]:
         Source.objects.filter(enabled=True).select_subclasses()
     )
     matching_sources: List[UIUserSettings] = []
-    for factor in _all_sources:
-        user_settings = factor.ui_user_settings
+    for source in _all_sources:
+        user_settings = source.ui_user_settings
         if not user_settings:
             continue
         policy_engine = PolicyEngine(
-            factor.policies.all(), user, context.get("request")
+            source.policies.all(), user, context.get("request")
         )
         policy_engine.build()
         if policy_engine.passing:
diff --git a/passbook/core/types.py b/passbook/core/types.py
index 0e03a91af..86d6eeea6 100644
--- a/passbook/core/types.py
+++ b/passbook/core/types.py
@@ -5,7 +5,7 @@ from typing import Optional
 
 @dataclass
 class UIUserSettings:
-    """Dataclass for Factor and Source's user_settings"""
+    """Dataclass for Stage and Source's user_settings"""
 
     name: str
     icon: str
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 2951b2b7f..86739871d 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -15,12 +15,12 @@ from structlog import get_logger
 from passbook.core.forms.authentication import LoginForm, SignUpForm
 from passbook.core.models import Invitation, Nonce, Source, User
 from passbook.core.signals import invitation_used, user_signed_up
-from passbook.factors.password.exceptions import PasswordPolicyInvalid
 from passbook.flows.models import Flow, FlowDesignation
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.urls import redirect_with_qs
+from passbook.stages.password.exceptions import PasswordPolicyInvalid
 
 LOGGER = get_logger()
 
diff --git a/passbook/core/views/user.py b/passbook/core/views/user.py
index 6c4bdcfc6..0127266a9 100644
--- a/passbook/core/views/user.py
+++ b/passbook/core/views/user.py
@@ -10,8 +10,8 @@ from django.utils.translation import gettext as _
 from django.views.generic import DeleteView, FormView, UpdateView
 
 from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
-from passbook.factors.password.exceptions import PasswordPolicyInvalid
 from passbook.lib.config import CONFIG
+from passbook.stages.password.exceptions import PasswordPolicyInvalid
 
 
 class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
diff --git a/passbook/factors/captcha/api.py b/passbook/factors/captcha/api.py
deleted file mode 100644
index 0786321b4..000000000
--- a/passbook/factors/captcha/api.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""CaptchaFactor API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.factors.captcha.models import CaptchaFactor
-
-
-class CaptchaFactorSerializer(ModelSerializer):
-    """CaptchaFactor Serializer"""
-
-    class Meta:
-
-        model = CaptchaFactor
-        fields = ["pk", "name", "slug", "order", "enabled", "public_key", "private_key"]
-
-
-class CaptchaFactorViewSet(ModelViewSet):
-    """CaptchaFactor Viewset"""
-
-    queryset = CaptchaFactor.objects.all()
-    serializer_class = CaptchaFactorSerializer
diff --git a/passbook/factors/captcha/apps.py b/passbook/factors/captcha/apps.py
deleted file mode 100644
index d054894ae..000000000
--- a/passbook/factors/captcha/apps.py
+++ /dev/null
@@ -1,10 +0,0 @@
-"""passbook captcha app"""
-from django.apps import AppConfig
-
-
-class PassbookFactorCaptchaConfig(AppConfig):
-    """passbook captcha app"""
-
-    name = "passbook.factors.captcha"
-    label = "passbook_factors_captcha"
-    verbose_name = "passbook Factors.Captcha"
diff --git a/passbook/factors/captcha/forms.py b/passbook/factors/captcha/forms.py
deleted file mode 100644
index c19a3eeb4..000000000
--- a/passbook/factors/captcha/forms.py
+++ /dev/null
@@ -1,35 +0,0 @@
-"""passbook captcha factor forms"""
-from captcha.fields import ReCaptchaField
-from django import forms
-from django.contrib.admin.widgets import FilteredSelectMultiple
-from django.utils.translation import gettext_lazy as _
-
-from passbook.factors.captcha.models import CaptchaFactor
-from passbook.flows.forms import GENERAL_FIELDS
-
-
-class CaptchaForm(forms.Form):
-    """passbook captcha factor form"""
-
-    captcha = ReCaptchaField()
-
-
-class CaptchaFactorForm(forms.ModelForm):
-    """Form to edit CaptchaFactor Instance"""
-
-    class Meta:
-
-        model = CaptchaFactor
-        fields = GENERAL_FIELDS + ["public_key", "private_key"]
-        widgets = {
-            "name": forms.TextInput(),
-            "order": forms.NumberInput(),
-            "policies": FilteredSelectMultiple(_("policies"), False),
-            "public_key": forms.TextInput(),
-            "private_key": forms.TextInput(),
-        }
-        help_texts = {
-            "policies": _(
-                "Policies which determine if this factor applies to the current user."
-            )
-        }
diff --git a/passbook/factors/captcha/migrations/0001_initial.py b/passbook/factors/captcha/migrations/0001_initial.py
deleted file mode 100644
index 0f44952d8..000000000
--- a/passbook/factors/captcha/migrations/0001_initial.py
+++ /dev/null
@@ -1,39 +0,0 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:07
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("passbook_core", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="CaptchaFactor",
-            fields=[
-                (
-                    "factor_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="passbook_core.Factor",
-                    ),
-                ),
-                ("public_key", models.TextField()),
-                ("private_key", models.TextField()),
-            ],
-            options={
-                "verbose_name": "Captcha Factor",
-                "verbose_name_plural": "Captcha Factors",
-            },
-            bases=("passbook_core.factor",),
-        ),
-    ]
diff --git a/passbook/factors/captcha/migrations/0002_auto_20200221_1410.py b/passbook/factors/captcha/migrations/0002_auto_20200221_1410.py
deleted file mode 100644
index 0960ee54d..000000000
--- a/passbook/factors/captcha/migrations/0002_auto_20200221_1410.py
+++ /dev/null
@@ -1,27 +0,0 @@
-# Generated by Django 3.0.3 on 2020-02-21 14:10
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_factors_captcha", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="captchafactor",
-            name="private_key",
-            field=models.TextField(
-                help_text="Private key, acquired from https://www.google.com/recaptcha/intro/v3.html"
-            ),
-        ),
-        migrations.AlterField(
-            model_name="captchafactor",
-            name="public_key",
-            field=models.TextField(
-                help_text="Public key, acquired from https://www.google.com/recaptcha/intro/v3.html"
-            ),
-        ),
-    ]
diff --git a/passbook/factors/dummy/api.py b/passbook/factors/dummy/api.py
deleted file mode 100644
index 108698aaa..000000000
--- a/passbook/factors/dummy/api.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""DummyFactor API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.factors.dummy.models import DummyFactor
-
-
-class DummyFactorSerializer(ModelSerializer):
-    """DummyFactor Serializer"""
-
-    class Meta:
-
-        model = DummyFactor
-        fields = ["pk", "name", "slug", "order", "enabled"]
-
-
-class DummyFactorViewSet(ModelViewSet):
-    """DummyFactor Viewset"""
-
-    queryset = DummyFactor.objects.all()
-    serializer_class = DummyFactorSerializer
diff --git a/passbook/factors/dummy/apps.py b/passbook/factors/dummy/apps.py
deleted file mode 100644
index 4cb858b88..000000000
--- a/passbook/factors/dummy/apps.py
+++ /dev/null
@@ -1,11 +0,0 @@
-"""passbook dummy factor config"""
-
-from django.apps import AppConfig
-
-
-class PassbookFactorDummyConfig(AppConfig):
-    """passbook dummy factor config"""
-
-    name = "passbook.factors.dummy"
-    label = "passbook_factors_dummy"
-    verbose_name = "passbook Factors.Dummy"
diff --git a/passbook/factors/dummy/factor.py b/passbook/factors/dummy/factor.py
deleted file mode 100644
index 5152c2753..000000000
--- a/passbook/factors/dummy/factor.py
+++ /dev/null
@@ -1,12 +0,0 @@
-"""passbook multi-factor authentication engine"""
-from django.http import HttpRequest
-
-from passbook.flows.factor_base import AuthenticationFactor
-
-
-class DummyFactor(AuthenticationFactor):
-    """Dummy factor for testing with multiple factors"""
-
-    def post(self, request: HttpRequest):
-        """Just redirect to next factor"""
-        return self.executor.factor_ok()
diff --git a/passbook/factors/dummy/forms.py b/passbook/factors/dummy/forms.py
deleted file mode 100644
index 72de002c9..000000000
--- a/passbook/factors/dummy/forms.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""passbook administration forms"""
-from django import forms
-from django.contrib.admin.widgets import FilteredSelectMultiple
-from django.utils.translation import gettext as _
-
-from passbook.factors.dummy.models import DummyFactor
-from passbook.flows.forms import GENERAL_FIELDS
-
-
-class DummyFactorForm(forms.ModelForm):
-    """Form to create/edit Dummy Factor"""
-
-    class Meta:
-
-        model = DummyFactor
-        fields = GENERAL_FIELDS
-        widgets = {
-            "name": forms.TextInput(),
-            "order": forms.NumberInput(),
-            "policies": FilteredSelectMultiple(_("policies"), False),
-        }
diff --git a/passbook/factors/dummy/models.py b/passbook/factors/dummy/models.py
deleted file mode 100644
index a1e24d6ab..000000000
--- a/passbook/factors/dummy/models.py
+++ /dev/null
@@ -1,19 +0,0 @@
-"""dummy factor models"""
-from django.utils.translation import gettext as _
-
-from passbook.core.models import Factor
-
-
-class DummyFactor(Factor):
-    """Dummy factor, mostly used to debug"""
-
-    type = "passbook.factors.dummy.factor.DummyFactor"
-    form = "passbook.factors.dummy.forms.DummyFactorForm"
-
-    def __str__(self):
-        return f"Dummy Factor {self.slug}"
-
-    class Meta:
-
-        verbose_name = _("Dummy Factor")
-        verbose_name_plural = _("Dummy Factors")
diff --git a/passbook/factors/email/apps.py b/passbook/factors/email/apps.py
deleted file mode 100644
index 1382cf173..000000000
--- a/passbook/factors/email/apps.py
+++ /dev/null
@@ -1,15 +0,0 @@
-"""passbook email factor config"""
-from importlib import import_module
-
-from django.apps import AppConfig
-
-
-class PassbookFactorEmailConfig(AppConfig):
-    """passbook email factor config"""
-
-    name = "passbook.factors.email"
-    label = "passbook_factors_email"
-    verbose_name = "passbook Factors.Email"
-
-    def ready(self):
-        import_module("passbook.factors.email.tasks")
diff --git a/passbook/factors/email/migrations/0002_auto_20191011_1224.py b/passbook/factors/email/migrations/0002_auto_20191011_1224.py
deleted file mode 100644
index b020e7c5a..000000000
--- a/passbook/factors/email/migrations/0002_auto_20191011_1224.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Generated by Django 2.2.6 on 2019-10-11 12:24
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_factors_email", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="emailfactor",
-            name="timeout",
-            field=models.IntegerField(default=10),
-        ),
-    ]
diff --git a/passbook/factors/otp/api.py b/passbook/factors/otp/api.py
deleted file mode 100644
index 4962ddc46..000000000
--- a/passbook/factors/otp/api.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""OTPFactor API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.factors.otp.models import OTPFactor
-
-
-class OTPFactorSerializer(ModelSerializer):
-    """OTPFactor Serializer"""
-
-    class Meta:
-
-        model = OTPFactor
-        fields = ["pk", "name", "slug", "order", "enabled", "enforced"]
-
-
-class OTPFactorViewSet(ModelViewSet):
-    """OTPFactor Viewset"""
-
-    queryset = OTPFactor.objects.all()
-    serializer_class = OTPFactorSerializer
diff --git a/passbook/factors/otp/apps.py b/passbook/factors/otp/apps.py
deleted file mode 100644
index d04263248..000000000
--- a/passbook/factors/otp/apps.py
+++ /dev/null
@@ -1,12 +0,0 @@
-"""passbook OTP AppConfig"""
-
-from django.apps.config import AppConfig
-
-
-class PassbookFactorOTPConfig(AppConfig):
-    """passbook OTP AppConfig"""
-
-    name = "passbook.factors.otp"
-    label = "passbook_factors_otp"
-    verbose_name = "passbook Factors.OTP"
-    mountpoint = "user/otp/"
diff --git a/passbook/factors/otp/models.py b/passbook/factors/otp/models.py
deleted file mode 100644
index 1c87d6d69..000000000
--- a/passbook/factors/otp/models.py
+++ /dev/null
@@ -1,34 +0,0 @@
-"""OTP Factor"""
-from django.db import models
-from django.utils.translation import gettext as _
-
-from passbook.core.models import Factor
-from passbook.core.types import UIUserSettings
-
-
-class OTPFactor(Factor):
-    """OTP Factor"""
-
-    enforced = models.BooleanField(
-        default=False,
-        help_text=("Enforce enabled OTP for Users " "this factor applies to."),
-    )
-
-    type = "passbook.factors.otp.factors.OTPFactor"
-    form = "passbook.factors.otp.forms.OTPFactorForm"
-
-    @property
-    def ui_user_settings(self) -> UIUserSettings:
-        return UIUserSettings(
-            name="OTP",
-            icon="pficon-locked",
-            view_name="passbook_factors_otp:otp-user-settings",
-        )
-
-    def __str__(self):
-        return f"OTP Factor {self.slug}"
-
-    class Meta:
-
-        verbose_name = _("OTP Factor")
-        verbose_name_plural = _("OTP Factors")
diff --git a/passbook/factors/password/api.py b/passbook/factors/password/api.py
deleted file mode 100644
index 1c8b3e407..000000000
--- a/passbook/factors/password/api.py
+++ /dev/null
@@ -1,30 +0,0 @@
-"""PasswordFactor API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.factors.password.models import PasswordFactor
-
-
-class PasswordFactorSerializer(ModelSerializer):
-    """PasswordFactor Serializer"""
-
-    class Meta:
-
-        model = PasswordFactor
-        fields = [
-            "pk",
-            "name",
-            "slug",
-            "order",
-            "enabled",
-            "backends",
-            "password_policies",
-            "reset_factors",
-        ]
-
-
-class PasswordFactorViewSet(ModelViewSet):
-    """PasswordFactor Viewset"""
-
-    queryset = PasswordFactor.objects.all()
-    serializer_class = PasswordFactorSerializer
diff --git a/passbook/factors/password/apps.py b/passbook/factors/password/apps.py
deleted file mode 100644
index 207d91f9a..000000000
--- a/passbook/factors/password/apps.py
+++ /dev/null
@@ -1,15 +0,0 @@
-"""passbook core app config"""
-from importlib import import_module
-
-from django.apps import AppConfig
-
-
-class PassbookFactorPasswordConfig(AppConfig):
-    """passbook password factor config"""
-
-    name = "passbook.factors.password"
-    label = "passbook_factors_password"
-    verbose_name = "passbook Factors.Password"
-
-    def ready(self):
-        import_module("passbook.factors.password.signals")
diff --git a/passbook/factors/password/migrations/0002_auto_20191007_1411.py b/passbook/factors/password/migrations/0002_auto_20191007_1411.py
deleted file mode 100644
index 3cafedf26..000000000
--- a/passbook/factors/password/migrations/0002_auto_20191007_1411.py
+++ /dev/null
@@ -1,24 +0,0 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:11
-
-from django.db import migrations
-
-
-def create_initial_factor(apps, schema_editor):
-    """Create initial PasswordFactor if none exists"""
-    PasswordFactor = apps.get_model("passbook_factors_password", "PasswordFactor")
-    if not PasswordFactor.objects.exists():
-        PasswordFactor.objects.create(
-            name="password",
-            slug="password",
-            order=0,
-            backends=["django.contrib.auth.backends.ModelBackend"],
-        )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_factors_password", "0001_initial"),
-    ]
-
-    operations = [migrations.RunPython(create_initial_factor)]
diff --git a/passbook/factors/password/migrations/0003_passwordfactor_reset_factors.py b/passbook/factors/password/migrations/0003_passwordfactor_reset_factors.py
deleted file mode 100644
index b64e40df8..000000000
--- a/passbook/factors/password/migrations/0003_passwordfactor_reset_factors.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Generated by Django 2.2.6 on 2019-10-08 09:39
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_core", "0001_initial"),
-        ("passbook_factors_password", "0002_auto_20191007_1411"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="passwordfactor",
-            name="reset_factors",
-            field=models.ManyToManyField(
-                blank=True, related_name="reset_factors", to="passbook_core.Factor"
-            ),
-        ),
-    ]
diff --git a/passbook/factors/password/migrations/0004_auto_20200221_1410.py b/passbook/factors/password/migrations/0004_auto_20200221_1410.py
deleted file mode 100644
index a34fdb1b9..000000000
--- a/passbook/factors/password/migrations/0004_auto_20200221_1410.py
+++ /dev/null
@@ -1,23 +0,0 @@
-# Generated by Django 3.0.3 on 2020-02-21 14:10
-
-import django.contrib.postgres.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_factors_password", "0003_passwordfactor_reset_factors"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="passwordfactor",
-            name="backends",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.TextField(),
-                help_text="Selection of backends to test the password against.",
-                size=None,
-            ),
-        ),
-    ]
diff --git a/passbook/factors/password/signals.py b/passbook/factors/password/signals.py
deleted file mode 100644
index ffdacda86..000000000
--- a/passbook/factors/password/signals.py
+++ /dev/null
@@ -1,23 +0,0 @@
-"""passbook password factor signals"""
-from django.dispatch import receiver
-
-from passbook.core.signals import password_changed
-from passbook.factors.password.exceptions import PasswordPolicyInvalid
-
-
-@receiver(password_changed)
-def password_policy_checker(sender, password, **_):
-    """Run password through all password policies which are applied to the user"""
-    from passbook.factors.password.models import PasswordFactor
-    from passbook.policies.engine import PolicyEngine
-
-    setattr(sender, "__password__", password)
-    _all_factors = PasswordFactor.objects.filter(enabled=True).order_by("order")
-    for factor in _all_factors:
-        policy_engine = PolicyEngine(
-            factor.password_policies.all().select_subclasses(), sender
-        )
-        policy_engine.build()
-        passing, messages = policy_engine.result
-        if not passing:
-            raise PasswordPolicyInvalid(*messages)
diff --git a/passbook/flows/api.py b/passbook/flows/api.py
index 9edc3d9e5..bfb4bbde2 100644
--- a/passbook/flows/api.py
+++ b/passbook/flows/api.py
@@ -1,8 +1,8 @@
 """Flow API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
-from passbook.flows.models import Flow, FlowFactorBinding
+from passbook.flows.models import Flow, FlowStageBinding, Stage
 
 
 class FlowSerializer(ModelSerializer):
@@ -11,7 +11,7 @@ class FlowSerializer(ModelSerializer):
     class Meta:
 
         model = Flow
-        fields = ["pk", "name", "slug", "designation", "factors", "policies"]
+        fields = ["pk", "name", "slug", "designation", "stages", "policies"]
 
 
 class FlowViewSet(ModelViewSet):
@@ -21,17 +21,42 @@ class FlowViewSet(ModelViewSet):
     serializer_class = FlowSerializer
 
 
-class FlowFactorBindingSerializer(ModelSerializer):
-    """FlowFactorBinding Serializer"""
+class FlowStageBindingSerializer(ModelSerializer):
+    """FlowStageBinding Serializer"""
 
     class Meta:
 
-        model = FlowFactorBinding
-        fields = ["pk", "flow", "factor", "re_evaluate_policies", "order", "policies"]
+        model = FlowStageBinding
+        fields = ["pk", "flow", "stage", "re_evaluate_policies", "order", "policies"]
 
 
-class FlowFactorBindingViewSet(ModelViewSet):
-    """FlowFactorBinding Viewset"""
+class FlowStageBindingViewSet(ModelViewSet):
+    """FlowStageBinding Viewset"""
 
-    queryset = FlowFactorBinding.objects.all()
-    serializer_class = FlowFactorBindingSerializer
+    queryset = FlowStageBinding.objects.all()
+    serializer_class = FlowStageBindingSerializer
+
+
+class StageSerializer(ModelSerializer):
+    """Stage Serializer"""
+
+    __type__ = SerializerMethodField(method_name="get_type")
+
+    def get_type(self, obj):
+        """Get object type so that we know which API Endpoint to use to get the full object"""
+        return obj._meta.object_name.lower().replace("stage", "")
+
+    class Meta:
+
+        model = Stage
+        fields = ["pk", "name", "__type__"]
+
+
+class StageViewSet(ReadOnlyModelViewSet):
+    """Stage Viewset"""
+
+    queryset = Stage.objects.all()
+    serializer_class = StageSerializer
+
+    def get_queryset(self):
+        return Stage.objects.select_subclasses()
diff --git a/passbook/flows/forms.py b/passbook/flows/forms.py
index b7936891e..227679a10 100644
--- a/passbook/flows/forms.py
+++ b/passbook/flows/forms.py
@@ -1,12 +1,10 @@
-"""factor forms"""
+"""Flow and Stage forms"""
 
 from django import forms
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
-from passbook.flows.models import Flow, FlowFactorBinding
-
-GENERAL_FIELDS = ["name", "slug", "order", "policies", "enabled"]
+from passbook.flows.models import Flow, FlowStageBinding
 
 
 class FlowForm(forms.ModelForm):
@@ -19,29 +17,30 @@ class FlowForm(forms.ModelForm):
             "name",
             "slug",
             "designation",
-            "factors",
+            "stages",
             "policies",
         ]
         widgets = {
             "name": forms.TextInput(),
-            "factors": FilteredSelectMultiple(_("policies"), False),
+            "stages": FilteredSelectMultiple(_("stages"), False),
+            "policies": FilteredSelectMultiple(_("policies"), False),
         }
 
 
-class FlowFactorBindingForm(forms.ModelForm):
-    """FlowFactorBinding Form"""
+class FlowStageBindingForm(forms.ModelForm):
+    """FlowStageBinding Form"""
 
     class Meta:
 
-        model = FlowFactorBinding
+        model = FlowStageBinding
         fields = [
             "flow",
-            "factor",
+            "stage",
             "re_evaluate_policies",
             "order",
             "policies",
         ]
         widgets = {
             "name": forms.TextInput(),
-            "factors": FilteredSelectMultiple(_("policies"), False),
+            "policies": FilteredSelectMultiple(_("policies"), False),
         }
diff --git a/passbook/flows/migrations/0001_initial.py b/passbook/flows/migrations/0001_initial.py
index e07d2ce27..df7121778 100644
--- a/passbook/flows/migrations/0001_initial.py
+++ b/passbook/flows/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.3 on 2020-05-07 18:35
+# Generated by Django 3.0.3 on 2020-05-08 18:27
 
 import uuid
 
@@ -11,8 +11,7 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_policies", "0001_initial"),
-        ("passbook_core", "0011_auto_20200222_1822"),
+        ("passbook_policies", "0003_auto_20200508_1642"),
     ]
 
     operations = [
@@ -37,6 +36,7 @@ class Migration(migrations.Migration):
                             ("AUTHENTICATION", "authentication"),
                             ("ENROLLMENT", "enrollment"),
                             ("RECOVERY", "recovery"),
+                            ("PASSWORD_CHANGE", "password_change"),
                         ],
                         max_length=100,
                     ),
@@ -55,7 +55,23 @@ class Migration(migrations.Migration):
             bases=("passbook_policies.policybindingmodel", models.Model),
         ),
         migrations.CreateModel(
-            name="FlowFactorBinding",
+            name="Stage",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("name", models.TextField()),
+            ],
+            options={"abstract": False,},
+        ),
+        migrations.CreateModel(
+            name="FlowStageBinding",
             fields=[
                 (
                     "policybindingmodel_ptr",
@@ -75,14 +91,14 @@ class Migration(migrations.Migration):
                         serialize=False,
                     ),
                 ),
-                ("order", models.IntegerField()),
                 (
-                    "factor",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="passbook_core.Factor",
+                    "re_evaluate_policies",
+                    models.BooleanField(
+                        default=False,
+                        help_text="When this option is enabled, the planner will re-evaluate policies bound to this.",
                     ),
                 ),
+                ("order", models.IntegerField()),
                 (
                     "flow",
                     models.ForeignKey(
@@ -90,19 +106,29 @@ class Migration(migrations.Migration):
                         to="passbook_flows.Flow",
                     ),
                 ),
+                (
+                    "stage",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
             ],
             options={
-                "verbose_name": "Flow Factor Binding",
-                "verbose_name_plural": "Flow Factor Bindings",
-                "unique_together": {("flow", "factor", "order")},
+                "verbose_name": "Flow Stage Binding",
+                "verbose_name_plural": "Flow Stage Bindings",
+                "ordering": ["order", "flow"],
+                "unique_together": {("flow", "stage", "order")},
             },
             bases=("passbook_policies.policybindingmodel", models.Model),
         ),
         migrations.AddField(
             model_name="flow",
-            name="factors",
+            name="stages",
             field=models.ManyToManyField(
-                through="passbook_flows.FlowFactorBinding", to="passbook_core.Factor"
+                blank=True,
+                through="passbook_flows.FlowStageBinding",
+                to="passbook_flows.Stage",
             ),
         ),
     ]
diff --git a/passbook/flows/migrations/0004_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
similarity index 58%
rename from passbook/flows/migrations/0004_default_flows.py
rename to passbook/flows/migrations/0002_default_flows.py
index c04d55df1..d2c326b7b 100644
--- a/passbook/flows/migrations/0004_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -9,29 +9,35 @@ from passbook.flows.models import FlowDesignation
 
 def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Flow = apps.get_model("passbook_flows", "Flow")
-    FlowFactorBinding = apps.get_model("passbook_flows", "FlowFactorBinding")
-    PasswordFactor = apps.get_model("passbook_factors_password", "PasswordFactor")
+    FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
+    PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
     db_alias = schema_editor.connection.alias
 
     if Flow.objects.using(db_alias).all().exists():
         # Only create default flow when none exist
         return
 
-    pw_factor = PasswordFactor.objects.using(db_alias).first()
+    if not PasswordStage.objects.using(db_alias).exists():
+        PasswordStage.objects.using(db_alias).create(
+            name="password", backends=["django.contrib.auth.backends.ModelBackend"],
+        )
+
+    pw_stage = PasswordStage.objects.using(db_alias).first()
     flow = Flow.objects.using(db_alias).create(
         name="default-authentication-flow",
         slug="default-authentication-flow",
         designation=FlowDesignation.AUTHENTICATION,
     )
-    FlowFactorBinding.objects.using(db_alias).create(
-        flow=flow, factor=pw_factor, order=0,
+    FlowStageBinding.objects.using(db_alias).create(
+        flow=flow, stage=pw_stage, order=0,
     )
 
 
 class Migration(migrations.Migration):
 
     dependencies = [
-        ("passbook_flows", "0003_auto_20200508_1230"),
+        ("passbook_flows", "0001_initial"),
+        ("passbook_stages_password", "0001_initial"),
     ]
 
     operations = [migrations.RunPython(create_default_flow)]
diff --git a/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py b/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
deleted file mode 100644
index bbd5bf15c..000000000
--- a/passbook/flows/migrations/0002_flowfactorbinding_re_evaluate_policies.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Generated by Django 3.0.3 on 2020-05-07 19:18
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_flows", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="flowfactorbinding",
-            name="re_evaluate_policies",
-            field=models.BooleanField(
-                default=False,
-                help_text="When this option is enabled, the planner will re-evaluate policies bound to this.",
-            ),
-        ),
-    ]
diff --git a/passbook/flows/migrations/0003_auto_20200508_1230.py b/passbook/flows/migrations/0003_auto_20200508_1230.py
deleted file mode 100644
index 645c7a53d..000000000
--- a/passbook/flows/migrations/0003_auto_20200508_1230.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Generated by Django 3.0.3 on 2020-05-08 12:30
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_flows", "0002_flowfactorbinding_re_evaluate_policies"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="flowfactorbinding",
-            options={
-                "ordering": ["order", "flow"],
-                "verbose_name": "Flow Factor Binding",
-                "verbose_name_plural": "Flow Factor Bindings",
-            },
-        ),
-    ]
diff --git a/passbook/flows/migrations/0005_auto_20200508_1642.py b/passbook/flows/migrations/0005_auto_20200508_1642.py
deleted file mode 100644
index 3bf11a86e..000000000
--- a/passbook/flows/migrations/0005_auto_20200508_1642.py
+++ /dev/null
@@ -1,23 +0,0 @@
-# Generated by Django 3.0.3 on 2020-05-08 16:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_core", "0011_auto_20200222_1822"),
-        ("passbook_flows", "0004_default_flows"),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name="flow",
-            name="factors",
-            field=models.ManyToManyField(
-                blank=True,
-                through="passbook_flows.FlowFactorBinding",
-                to="passbook_core.Factor",
-            ),
-        ),
-    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index 5169fc1d8..164c14878 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -1,11 +1,12 @@
 """Flow models"""
 from enum import Enum
-from typing import Tuple
+from typing import Optional, Tuple
 
 from django.db import models
 from django.utils.translation import gettext_lazy as _
+from model_utils.managers import InheritanceManager
 
-from passbook.core.models import Factor
+from passbook.core.types import UIUserSettings
 from passbook.lib.models import UUIDModel
 from passbook.policies.models import PolicyBindingModel
 
@@ -17,6 +18,7 @@ class FlowDesignation(Enum):
     AUTHENTICATION = "authentication"
     ENROLLMENT = "enrollment"
     RECOVERY = "recovery"
+    PASSWORD_CHANGE = "password_change"  # nosec # noqa
 
     @staticmethod
     def as_choices() -> Tuple[Tuple[str, str]]:
@@ -26,8 +28,28 @@ class FlowDesignation(Enum):
         )
 
 
+class Stage(UUIDModel):
+    """Stage is an instance of a component used in a flow. This can verify the user,
+    enroll the user or offer a way of recovery"""
+
+    name = models.TextField()
+
+    objects = InheritanceManager()
+    type = ""
+    form = ""
+
+    @property
+    def ui_user_settings(self) -> Optional[UIUserSettings]:
+        """Entrypoint to integrate with User settings. Can either return None if no
+        user settings are available, or an instanace of UIUserSettings."""
+        return None
+
+    def __str__(self):
+        return f"Stage {self.name}"
+
+
 class Flow(PolicyBindingModel, UUIDModel):
-    """Flow describes how a series of Factors should be executed to authenticate/enroll/recover
+    """Flow describes how a series of Stages should be executed to authenticate/enroll/recover
     a user. Additionally, policies can be applied, to specify which users
     have access to this flow."""
 
@@ -36,7 +58,7 @@ class Flow(PolicyBindingModel, UUIDModel):
 
     designation = models.CharField(max_length=100, choices=FlowDesignation.as_choices())
 
-    factors = models.ManyToManyField(Factor, through="FlowFactorBinding", blank=True)
+    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
 
     pbm = models.OneToOneField(
         PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"
@@ -51,13 +73,13 @@ class Flow(PolicyBindingModel, UUIDModel):
         verbose_name_plural = _("Flows")
 
 
-class FlowFactorBinding(PolicyBindingModel, UUIDModel):
-    """Relationship between Flow and Factor. Order is required and unique for
-    each flow-factor Binding. Additionally, policies can be specified, which determine if
+class FlowStageBinding(PolicyBindingModel, UUIDModel):
+    """Relationship between Flow and Stage. Order is required and unique for
+    each flow-stage Binding. Additionally, policies can be specified, which determine if
     this Binding applies to the current user"""
 
     flow = models.ForeignKey("Flow", on_delete=models.CASCADE)
-    factor = models.ForeignKey(Factor, on_delete=models.CASCADE)
+    stage = models.ForeignKey(Stage, on_delete=models.CASCADE)
 
     re_evaluate_policies = models.BooleanField(
         default=False,
@@ -69,12 +91,12 @@ class FlowFactorBinding(PolicyBindingModel, UUIDModel):
     order = models.IntegerField()
 
     def __str__(self) -> str:
-        return f"Flow Factor Binding #{self.order} {self.flow} -> {self.factor}"
+        return f"Flow Stage Binding #{self.order} {self.flow} -> {self.stage}"
 
     class Meta:
 
         ordering = ["order", "flow"]
 
-        verbose_name = _("Flow Factor Binding")
-        verbose_name_plural = _("Flow Factor Bindings")
-        unique_together = (("flow", "factor", "order"),)
+        verbose_name = _("Flow Stage Binding")
+        verbose_name_plural = _("Flow Stage Bindings")
+        unique_together = (("flow", "stage", "order"),)
diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
index 7f0efa01a..b00f4f944 100644
--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -7,7 +7,7 @@ from django.http import HttpRequest
 from structlog import get_logger
 
 from passbook.flows.exceptions import FlowNonApplicableError
-from passbook.flows.models import Factor, Flow
+from passbook.flows.models import Flow, Stage
 from passbook.policies.engine import PolicyEngine
 
 LOGGER = get_logger()
@@ -19,19 +19,19 @@ PLAN_CONTEXT_SSO = "is_sso"
 @dataclass
 class FlowPlan:
     """This data-class is the output of a FlowPlanner. It holds a flat list
-    of all Factors that should be run."""
+    of all Stages that should be run."""
 
-    factors: List[Factor] = field(default_factory=list)
+    stages: List[Stage] = field(default_factory=list)
     context: Dict[str, Any] = field(default_factory=dict)
 
-    def next(self) -> Factor:
-        """Return next pending factor from the bottom of the list"""
-        factor_cls = self.factors.pop(0)
-        return factor_cls
+    def next(self) -> Stage:
+        """Return next pending stage from the bottom of the list"""
+        stage_cls = self.stages.pop(0)
+        return stage_cls
 
 
 class FlowPlanner:
-    """Execute all policies to plan out a flat list of all Factors
+    """Execute all policies to plan out a flat list of all Stages
     that should be applied."""
 
     flow: Flow
@@ -45,7 +45,7 @@ class FlowPlanner:
         return engine.result
 
     def plan(self, request: HttpRequest) -> FlowPlan:
-        """Check each of the flows' policies, check policies for each factor with PolicyBinding
+        """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
         LOGGER.debug("Starting planning process", flow=self.flow)
         start_time = time()
@@ -56,13 +56,18 @@ class FlowPlanner:
         if not root_passing:
             raise FlowNonApplicableError(root_passing_messages)
         # Check Flow policies
-        for factor in self.flow.factors.order_by("order").select_subclasses():
-            engine = PolicyEngine(factor.policies.all(), request.user, request)
+        for stage in (
+            self.flow.stages.order_by("flowstagebinding__order")
+            .select_subclasses()
+            .select_related()
+        ):
+            binding = stage.flowstagebinding_set.get(flow__pk=self.flow.pk)
+            engine = PolicyEngine(binding.policies.all(), request.user, request)
             engine.build()
             passing, _ = engine.result
             if passing:
-                LOGGER.debug("Factor passing", factor=factor)
-                plan.factors.append(factor)
+                LOGGER.debug("Stage passing", stage=stage)
+                plan.stages.append(stage)
         end_time = time()
         LOGGER.debug(
             "Finished planning", flow=self.flow, duration_s=end_time - start_time
diff --git a/passbook/flows/factor_base.py b/passbook/flows/stage.py
similarity index 84%
rename from passbook/flows/factor_base.py
rename to passbook/flows/stage.py
index 001b444a2..804f9b325 100644
--- a/passbook/flows/factor_base.py
+++ b/passbook/flows/stage.py
@@ -1,4 +1,4 @@
-"""passbook multi-factor authentication engine"""
+"""passbook stage Base view"""
 from typing import Any, Dict
 
 from django.forms import ModelForm
@@ -11,8 +11,8 @@ from passbook.flows.views import FlowExecutorView
 from passbook.lib.config import CONFIG
 
 
-class AuthenticationFactor(TemplateView):
-    """Abstract Authentication factor, inherits TemplateView but can be combined with FormView"""
+class AuthenticationStage(TemplateView):
+    """Abstract Authentication stage, inherits TemplateView but can be combined with FormView"""
 
     form: ModelForm = None
 
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index 1cf812d05..69de2c645 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -1,4 +1,4 @@
-"""passbook multi-factor authentication engine"""
+"""passbook multi-stage authentication engine"""
 from typing import Optional
 
 from django.contrib.auth import login
@@ -7,10 +7,9 @@ from django.shortcuts import get_object_or_404, redirect
 from django.views.generic import View
 from structlog import get_logger
 
-from passbook.core.models import Factor
 from passbook.core.views.utils import PermissionDeniedView
 from passbook.flows.exceptions import FlowNonApplicableError
-from passbook.flows.models import Flow
+from passbook.flows.models import Flow, Stage
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
@@ -24,13 +23,13 @@ SESSION_KEY_PLAN = "passbook_flows_plan"
 
 
 class FlowExecutorView(View):
-    """Stage 1 Flow executor, passing requests to Factor Views"""
+    """Stage 1 Flow executor, passing requests to Stage Views"""
 
     flow: Flow
 
     plan: FlowPlan
-    current_factor: Factor
-    current_factor_view: View
+    current_stage: Stage
+    current_stage_view: View
 
     def setup(self, request: HttpRequest, flow_slug: str):
         super().setup(request, flow_slug=flow_slug)
@@ -77,36 +76,34 @@ class FlowExecutorView(View):
         else:
             LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
             self.plan = self.request.session[SESSION_KEY_PLAN]
-        # We don't save the Plan after getting the next factor
+        # We don't save the Plan after getting the next stage
         # as it hasn't been successfully passed yet
-        self.current_factor = self.plan.next()
+        self.current_stage = self.plan.next()
         LOGGER.debug(
-            "Current factor",
-            current_factor=self.current_factor,
-            flow_slug=self.flow.slug,
+            "Current stage", current_stage=self.current_stage, flow_slug=self.flow.slug,
         )
-        factor_cls = path_to_class(self.current_factor.type)
-        self.current_factor_view = factor_cls(self)
-        self.current_factor_view.request = request
+        stage_cls = path_to_class(self.current_stage.type)
+        self.current_stage_view = stage_cls(self)
+        self.current_stage_view.request = request
         return super().dispatch(request)
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """pass get request to current factor"""
+        """pass get request to current stage"""
         LOGGER.debug(
             "Passing GET",
-            view_class=class_to_path(self.current_factor_view.__class__),
+            view_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
-        return self.current_factor_view.get(request, *args, **kwargs)
+        return self.current_stage_view.get(request, *args, **kwargs)
 
     def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """pass post request to current factor"""
+        """pass post request to current stage"""
         LOGGER.debug(
             "Passing POST",
-            view_class=class_to_path(self.current_factor_view.__class__),
+            view_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
-        return self.current_factor_view.post(request, *args, **kwargs)
+        return self.current_stage_view.post(request, *args, **kwargs)
 
     def _initiate_plan(self) -> FlowPlan:
         planner = FlowPlanner(self.flow)
@@ -115,7 +112,7 @@ class FlowExecutorView(View):
         return plan
 
     def _flow_done(self) -> HttpResponse:
-        """User Successfully passed all factors"""
+        """User Successfully passed all stages"""
         backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend
         login(
             self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
@@ -131,34 +128,34 @@ class FlowExecutorView(View):
             return redirect(next_param)
         return redirect_with_qs("passbook_core:overview")
 
-    def factor_ok(self) -> HttpResponse:
-        """Callback called by factors upon successful completion.
+    def stage_ok(self) -> HttpResponse:
+        """Callback called by stages upon successful completion.
         Persists updated plan and context to session."""
         LOGGER.debug(
-            "Factor ok",
-            factor_class=class_to_path(self.current_factor_view.__class__),
+            "Stage ok",
+            stage_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
         self.request.session[SESSION_KEY_PLAN] = self.plan
-        if self.plan.factors:
+        if self.plan.stages:
             LOGGER.debug(
-                "Continuing with next factor",
-                reamining=len(self.plan.factors),
+                "Continuing with next stage",
+                reamining=len(self.plan.stages),
                 flow_slug=self.flow.slug,
             )
             return redirect_with_qs(
                 "passbook_flows:flow-executor", self.request.GET, **self.kwargs
             )
-        # User passed all factors
+        # User passed all stages
         LOGGER.debug(
-            "User passed all factors",
+            "User passed all stages",
             user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
             flow_slug=self.flow.slug,
         )
         return self._flow_done()
 
-    def factor_invalid(self) -> HttpResponse:
-        """Callback used factor when data is correct but a policy denies access
+    def stage_invalid(self) -> HttpResponse:
+        """Callback used stage when data is correct but a policy denies access
         or the user account is disabled."""
         LOGGER.debug("User invalid", flow_slug=self.flow.slug)
         self.cancel()
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 9b22a0174..9e8c910e9 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -96,11 +96,11 @@ INSTALLED_APPS = [
     "passbook.providers.oidc.apps.PassbookProviderOIDCConfig",
     "passbook.providers.saml.apps.PassbookProviderSAMLConfig",
     "passbook.providers.samlv2.apps.PassbookProviderSAMLv2Config",
-    "passbook.factors.otp.apps.PassbookFactorOTPConfig",
-    "passbook.factors.captcha.apps.PassbookFactorCaptchaConfig",
-    "passbook.factors.password.apps.PassbookFactorPasswordConfig",
-    "passbook.factors.dummy.apps.PassbookFactorDummyConfig",
-    "passbook.factors.email.apps.PassbookFactorEmailConfig",
+    "passbook.stages.otp.apps.PassbookStageOTPConfig",
+    "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
+    "passbook.stages.password.apps.PassbookStagePasswordConfig",
+    "passbook.stages.dummy.apps.PassbookStageDummyConfig",
+    "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.policies.expiry.apps.PassbookPolicyExpiryConfig",
     "passbook.policies.reputation.apps.PassbookPolicyReputationConfig",
     "passbook.policies.hibp.apps.PassbookPolicyHIBPConfig",
diff --git a/passbook/sources/oauth/views/core.py b/passbook/sources/oauth/views/core.py
index e794fff0e..36e84d869 100644
--- a/passbook/sources/oauth/views/core.py
+++ b/passbook/sources/oauth/views/core.py
@@ -13,7 +13,6 @@ from django.views.generic import RedirectView, View
 from structlog import get_logger
 
 from passbook.audit.models import Event, EventAction
-from passbook.factors.password.factor import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from passbook.flows.models import Flow, FlowDesignation
 from passbook.flows.planner import (
     PLAN_CONTEXT_PENDING_USER,
@@ -24,6 +23,7 @@ from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.utils.urls import redirect_with_qs
 from passbook.sources.oauth.clients import get_client
 from passbook.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 
 LOGGER = get_logger()
 
@@ -169,7 +169,7 @@ class OAuthCallback(OAuthClientMixin, View):
             return None
 
     def handle_login(self, user, source, access):
-        """Prepare AuthenticationView, redirect users to remaining Factors"""
+        """Prepare Authentication Plan, redirect user FlowExecutor"""
         user = authenticate(
             source=access.source, identifier=access.identifier, request=self.request
         )
diff --git a/passbook/factors/__init__.py b/passbook/stages/__init__.py
similarity index 100%
rename from passbook/factors/__init__.py
rename to passbook/stages/__init__.py
diff --git a/passbook/factors/captcha/__init__.py b/passbook/stages/captcha/__init__.py
similarity index 100%
rename from passbook/factors/captcha/__init__.py
rename to passbook/stages/captcha/__init__.py
diff --git a/passbook/stages/captcha/api.py b/passbook/stages/captcha/api.py
new file mode 100644
index 000000000..6357fc96a
--- /dev/null
+++ b/passbook/stages/captcha/api.py
@@ -0,0 +1,21 @@
+"""CaptchaStage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.captcha.models import CaptchaStage
+
+
+class CaptchaStageSerializer(ModelSerializer):
+    """CaptchaStage Serializer"""
+
+    class Meta:
+
+        model = CaptchaStage
+        fields = ["pk", "name", "public_key", "private_key"]
+
+
+class CaptchaStageViewSet(ModelViewSet):
+    """CaptchaStage Viewset"""
+
+    queryset = CaptchaStage.objects.all()
+    serializer_class = CaptchaStageSerializer
diff --git a/passbook/stages/captcha/apps.py b/passbook/stages/captcha/apps.py
new file mode 100644
index 000000000..ba5c4ba7d
--- /dev/null
+++ b/passbook/stages/captcha/apps.py
@@ -0,0 +1,10 @@
+"""passbook captcha app"""
+from django.apps import AppConfig
+
+
+class PassbookStageCaptchaConfig(AppConfig):
+    """passbook captcha app"""
+
+    name = "passbook.stages.captcha"
+    label = "passbook_stages_captcha"
+    verbose_name = "passbook Stages.Captcha"
diff --git a/passbook/stages/captcha/forms.py b/passbook/stages/captcha/forms.py
new file mode 100644
index 000000000..892942a4a
--- /dev/null
+++ b/passbook/stages/captcha/forms.py
@@ -0,0 +1,25 @@
+"""passbook captcha stage forms"""
+from captcha.fields import ReCaptchaField
+from django import forms
+
+from passbook.stages.captcha.models import CaptchaStage
+
+
+class CaptchaForm(forms.Form):
+    """passbook captcha stage form"""
+
+    captcha = ReCaptchaField()
+
+
+class CaptchaStageForm(forms.ModelForm):
+    """Form to edit CaptchaStage Instance"""
+
+    class Meta:
+
+        model = CaptchaStage
+        fields = ["name", "public_key", "private_key"]
+        widgets = {
+            "name": forms.TextInput(),
+            "public_key": forms.TextInput(),
+            "private_key": forms.TextInput(),
+        }
diff --git a/passbook/stages/captcha/migrations/0001_initial.py b/passbook/stages/captcha/migrations/0001_initial.py
new file mode 100644
index 000000000..7a3fbb2ba
--- /dev/null
+++ b/passbook/stages/captcha/migrations/0001_initial.py
@@ -0,0 +1,49 @@
+# Generated by Django 3.0.3 on 2020-05-08 17:58
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="CaptchaStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+                (
+                    "public_key",
+                    models.TextField(
+                        help_text="Public key, acquired from https://www.google.com/recaptcha/intro/v3.html"
+                    ),
+                ),
+                (
+                    "private_key",
+                    models.TextField(
+                        help_text="Private key, acquired from https://www.google.com/recaptcha/intro/v3.html"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Captcha Stage",
+                "verbose_name_plural": "Captcha Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/factors/captcha/migrations/__init__.py b/passbook/stages/captcha/migrations/__init__.py
similarity index 100%
rename from passbook/factors/captcha/migrations/__init__.py
rename to passbook/stages/captcha/migrations/__init__.py
diff --git a/passbook/factors/captcha/models.py b/passbook/stages/captcha/models.py
similarity index 53%
rename from passbook/factors/captcha/models.py
rename to passbook/stages/captcha/models.py
index 3619bb6e5..492ac2f35 100644
--- a/passbook/factors/captcha/models.py
+++ b/passbook/stages/captcha/models.py
@@ -1,12 +1,12 @@
-"""passbook captcha factor"""
+"""passbook captcha stage"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from passbook.core.models import Factor
+from passbook.flows.models import Stage
 
 
-class CaptchaFactor(Factor):
-    """Captcha Factor instance"""
+class CaptchaStage(Stage):
+    """Captcha Stage instance"""
 
     public_key = models.TextField(
         help_text=_(
@@ -19,13 +19,13 @@ class CaptchaFactor(Factor):
         )
     )
 
-    type = "passbook.factors.captcha.factor.CaptchaFactor"
-    form = "passbook.factors.captcha.forms.CaptchaFactorForm"
+    type = "passbook.stages.captcha.stage.CaptchaStage"
+    form = "passbook.stages.captcha.forms.CaptchaStageForm"
 
     def __str__(self):
-        return f"Captcha Factor {self.slug}"
+        return f"Captcha Stage {self.name}"
 
     class Meta:
 
-        verbose_name = _("Captcha Factor")
-        verbose_name_plural = _("Captcha Factors")
+        verbose_name = _("Captcha Stage")
+        verbose_name_plural = _("Captcha Stages")
diff --git a/passbook/factors/captcha/settings.py b/passbook/stages/captcha/settings.py
similarity index 90%
rename from passbook/factors/captcha/settings.py
rename to passbook/stages/captcha/settings.py
index 7466ad4f8..17b1b3829 100644
--- a/passbook/factors/captcha/settings.py
+++ b/passbook/stages/captcha/settings.py
@@ -1,4 +1,4 @@
-"""passbook captcha_factor settings"""
+"""passbook captcha stage settings"""
 # https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha.-what-should-i-do
 RECAPTCHA_PUBLIC_KEY = "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
 RECAPTCHA_PRIVATE_KEY = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"
diff --git a/passbook/factors/captcha/factor.py b/passbook/stages/captcha/stage.py
similarity index 66%
rename from passbook/factors/captcha/factor.py
rename to passbook/stages/captcha/stage.py
index 130d6916b..2d95b8232 100644
--- a/passbook/factors/captcha/factor.py
+++ b/passbook/stages/captcha/stage.py
@@ -1,23 +1,23 @@
-"""passbook captcha factor"""
+"""passbook captcha stage"""
 
 from django.views.generic import FormView
 
-from passbook.factors.captcha.forms import CaptchaForm
-from passbook.flows.factor_base import AuthenticationFactor
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.captcha.forms import CaptchaForm
 
 
-class CaptchaFactor(FormView, AuthenticationFactor):
+class CaptchaStage(FormView, AuthenticationStage):
     """Simple captcha checker, logic is handeled in django-captcha module"""
 
     form_class = CaptchaForm
 
     def form_valid(self, form):
-        return self.executor.factor_ok()
+        return self.executor.stage_ok()
 
     def get_form(self, form_class=None):
         form = CaptchaForm(**self.get_form_kwargs())
-        form.fields["captcha"].public_key = self.executor.current_factor.public_key
-        form.fields["captcha"].private_key = self.executor.current_factor.private_key
+        form.fields["captcha"].public_key = self.executor.current_stage.public_key
+        form.fields["captcha"].private_key = self.executor.current_stage.private_key
         form.fields["captcha"].widget.attrs["data-sitekey"] = form.fields[
             "captcha"
         ].public_key
diff --git a/passbook/factors/dummy/__init__.py b/passbook/stages/dummy/__init__.py
similarity index 100%
rename from passbook/factors/dummy/__init__.py
rename to passbook/stages/dummy/__init__.py
diff --git a/passbook/stages/dummy/api.py b/passbook/stages/dummy/api.py
new file mode 100644
index 000000000..53235a3b9
--- /dev/null
+++ b/passbook/stages/dummy/api.py
@@ -0,0 +1,21 @@
+"""DummyStage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.dummy.models import DummyStage
+
+
+class DummyStageSerializer(ModelSerializer):
+    """DummyStage Serializer"""
+
+    class Meta:
+
+        model = DummyStage
+        fields = ["pk", "name"]
+
+
+class DummyStageViewSet(ModelViewSet):
+    """DummyStage Viewset"""
+
+    queryset = DummyStage.objects.all()
+    serializer_class = DummyStageSerializer
diff --git a/passbook/stages/dummy/apps.py b/passbook/stages/dummy/apps.py
new file mode 100644
index 000000000..5b68b9459
--- /dev/null
+++ b/passbook/stages/dummy/apps.py
@@ -0,0 +1,11 @@
+"""passbook dummy stage config"""
+
+from django.apps import AppConfig
+
+
+class PassbookStageDummyConfig(AppConfig):
+    """passbook dummy stage config"""
+
+    name = "passbook.stages.dummy"
+    label = "passbook_stages_dummy"
+    verbose_name = "passbook Stages.Dummy"
diff --git a/passbook/stages/dummy/forms.py b/passbook/stages/dummy/forms.py
new file mode 100644
index 000000000..f611611f5
--- /dev/null
+++ b/passbook/stages/dummy/forms.py
@@ -0,0 +1,16 @@
+"""passbook administration forms"""
+from django import forms
+
+from passbook.stages.dummy.models import DummyStage
+
+
+class DummyStageForm(forms.ModelForm):
+    """Form to create/edit Dummy Stage"""
+
+    class Meta:
+
+        model = DummyStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/factors/dummy/migrations/0001_initial.py b/passbook/stages/dummy/migrations/0001_initial.py
similarity index 64%
rename from passbook/factors/dummy/migrations/0001_initial.py
rename to passbook/stages/dummy/migrations/0001_initial.py
index d0a905a87..83b2eea91 100644
--- a/passbook/factors/dummy/migrations/0001_initial.py
+++ b/passbook/stages/dummy/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:07
+# Generated by Django 3.0.3 on 2020-05-08 17:58
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -9,29 +9,29 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_core", "0001_initial"),
+        ("passbook_flows", "0001_initial"),
     ]
 
     operations = [
         migrations.CreateModel(
-            name="DummyFactor",
+            name="DummyStage",
             fields=[
                 (
-                    "factor_ptr",
+                    "stage_ptr",
                     models.OneToOneField(
                         auto_created=True,
                         on_delete=django.db.models.deletion.CASCADE,
                         parent_link=True,
                         primary_key=True,
                         serialize=False,
-                        to="passbook_core.Factor",
+                        to="passbook_flows.Stage",
                     ),
                 ),
             ],
             options={
-                "verbose_name": "Dummy Factor",
-                "verbose_name_plural": "Dummy Factors",
+                "verbose_name": "Dummy Stage",
+                "verbose_name_plural": "Dummy Stages",
             },
-            bases=("passbook_core.factor",),
+            bases=("passbook_flows.stage",),
         ),
     ]
diff --git a/passbook/factors/dummy/migrations/__init__.py b/passbook/stages/dummy/migrations/__init__.py
similarity index 100%
rename from passbook/factors/dummy/migrations/__init__.py
rename to passbook/stages/dummy/migrations/__init__.py
diff --git a/passbook/stages/dummy/models.py b/passbook/stages/dummy/models.py
new file mode 100644
index 000000000..70457e217
--- /dev/null
+++ b/passbook/stages/dummy/models.py
@@ -0,0 +1,19 @@
+"""dummy stage models"""
+from django.utils.translation import gettext as _
+
+from passbook.flows.models import Stage
+
+
+class DummyStage(Stage):
+    """Dummy stage, mostly used to debug"""
+
+    type = "passbook.stages.dummy.stage.DummyStage"
+    form = "passbook.stages.dummy.forms.DummyStageForm"
+
+    def __str__(self):
+        return f"Dummy Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Dummy Stage")
+        verbose_name_plural = _("Dummy Stages")
diff --git a/passbook/stages/dummy/stage.py b/passbook/stages/dummy/stage.py
new file mode 100644
index 000000000..94a2a4cb6
--- /dev/null
+++ b/passbook/stages/dummy/stage.py
@@ -0,0 +1,12 @@
+"""passbook multi-stage authentication engine"""
+from django.http import HttpRequest
+
+from passbook.flows.stage import AuthenticationStage
+
+
+class DummyStage(AuthenticationStage):
+    """Dummy stage for testing with multiple stages"""
+
+    def post(self, request: HttpRequest):
+        """Just redirect to next stage"""
+        return self.executor.stage_ok()
diff --git a/passbook/factors/email/__init__.py b/passbook/stages/email/__init__.py
similarity index 100%
rename from passbook/factors/email/__init__.py
rename to passbook/stages/email/__init__.py
diff --git a/passbook/factors/email/api.py b/passbook/stages/email/api.py
similarity index 54%
rename from passbook/factors/email/api.py
rename to passbook/stages/email/api.py
index 165ce9064..14e6c9a3c 100644
--- a/passbook/factors/email/api.py
+++ b/passbook/stages/email/api.py
@@ -1,22 +1,19 @@
-"""EmailFactor API Views"""
+"""EmailStage API Views"""
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
-from passbook.factors.email.models import EmailFactor
+from passbook.stages.email.models import EmailStage
 
 
-class EmailFactorSerializer(ModelSerializer):
-    """EmailFactor Serializer"""
+class EmailStageSerializer(ModelSerializer):
+    """EmailStage Serializer"""
 
     class Meta:
 
-        model = EmailFactor
+        model = EmailStage
         fields = [
             "pk",
             "name",
-            "slug",
-            "order",
-            "enabled",
             "host",
             "port",
             "username",
@@ -31,8 +28,8 @@ class EmailFactorSerializer(ModelSerializer):
         extra_kwargs = {"password": {"write_only": True}}
 
 
-class EmailFactorViewSet(ModelViewSet):
-    """EmailFactor Viewset"""
+class EmailStageViewSet(ModelViewSet):
+    """EmailStage Viewset"""
 
-    queryset = EmailFactor.objects.all()
-    serializer_class = EmailFactorSerializer
+    queryset = EmailStage.objects.all()
+    serializer_class = EmailStageSerializer
diff --git a/passbook/stages/email/apps.py b/passbook/stages/email/apps.py
new file mode 100644
index 000000000..241904ee5
--- /dev/null
+++ b/passbook/stages/email/apps.py
@@ -0,0 +1,15 @@
+"""passbook email stage config"""
+from importlib import import_module
+
+from django.apps import AppConfig
+
+
+class PassbookStageEmailConfig(AppConfig):
+    """passbook email stage config"""
+
+    name = "passbook.stages.email"
+    label = "passbook_stages_email"
+    verbose_name = "passbook Stages.Email"
+
+    def ready(self):
+        import_module("passbook.stages.email.tasks")
diff --git a/passbook/factors/email/forms.py b/passbook/stages/email/forms.py
similarity index 60%
rename from passbook/factors/email/forms.py
rename to passbook/stages/email/forms.py
index 8429a0870..ae93d428e 100644
--- a/passbook/factors/email/forms.py
+++ b/passbook/stages/email/forms.py
@@ -1,19 +1,18 @@
 """passbook administration forms"""
 from django import forms
-from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
-from passbook.factors.email.models import EmailFactor
-from passbook.flows.forms import GENERAL_FIELDS
+from passbook.stages.email.models import EmailStage
 
 
-class EmailFactorForm(forms.ModelForm):
-    """Form to create/edit Dummy Factor"""
+class EmailStageForm(forms.ModelForm):
+    """Form to create/edit Dummy Stage"""
 
     class Meta:
 
-        model = EmailFactor
-        fields = GENERAL_FIELDS + [
+        model = EmailStage
+        fields = [
+            "name",
             "host",
             "port",
             "username",
@@ -27,8 +26,6 @@ class EmailFactorForm(forms.ModelForm):
         ]
         widgets = {
             "name": forms.TextInput(),
-            "order": forms.NumberInput(),
-            "policies": FilteredSelectMultiple(_("policies"), False),
             "host": forms.TextInput(),
             "username": forms.TextInput(),
             "password": forms.TextInput(),
@@ -41,8 +38,3 @@ class EmailFactorForm(forms.ModelForm):
             "ssl_keyfile": _("SSL Keyfile (optional)"),
             "ssl_certfile": _("SSL Certfile (optional)"),
         }
-        help_texts = {
-            "policies": _(
-                "Policies which determine if this factor applies to the current user."
-            )
-        }
diff --git a/passbook/factors/email/migrations/0001_initial.py b/passbook/stages/email/migrations/0001_initial.py
similarity index 76%
rename from passbook/factors/email/migrations/0001_initial.py
rename to passbook/stages/email/migrations/0001_initial.py
index e9b8519b2..940c614af 100644
--- a/passbook/factors/email/migrations/0001_initial.py
+++ b/passbook/stages/email/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 2.2.6 on 2019-10-08 12:23
+# Generated by Django 3.0.3 on 2020-05-08 17:59
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -9,22 +9,22 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_core", "0001_initial"),
+        ("passbook_flows", "0001_initial"),
     ]
 
     operations = [
         migrations.CreateModel(
-            name="EmailFactor",
+            name="EmailStage",
             fields=[
                 (
-                    "factor_ptr",
+                    "stage_ptr",
                     models.OneToOneField(
                         auto_created=True,
                         on_delete=django.db.models.deletion.CASCADE,
                         parent_link=True,
                         primary_key=True,
                         serialize=False,
-                        to="passbook_core.Factor",
+                        to="passbook_flows.Stage",
                     ),
                 ),
                 ("host", models.TextField(default="localhost")),
@@ -33,7 +33,7 @@ class Migration(migrations.Migration):
                 ("password", models.TextField(blank=True, default="")),
                 ("use_tls", models.BooleanField(default=False)),
                 ("use_ssl", models.BooleanField(default=False)),
-                ("timeout", models.IntegerField(default=0)),
+                ("timeout", models.IntegerField(default=10)),
                 ("ssl_keyfile", models.TextField(blank=True, default=None, null=True)),
                 ("ssl_certfile", models.TextField(blank=True, default=None, null=True)),
                 (
@@ -42,9 +42,9 @@ class Migration(migrations.Migration):
                 ),
             ],
             options={
-                "verbose_name": "Email Factor",
-                "verbose_name_plural": "Email Factors",
+                "verbose_name": "Email Stage",
+                "verbose_name_plural": "Email Stages",
             },
-            bases=("passbook_core.factor",),
+            bases=("passbook_flows.stage",),
         ),
     ]
diff --git a/passbook/factors/email/migrations/__init__.py b/passbook/stages/email/migrations/__init__.py
similarity index 100%
rename from passbook/factors/email/migrations/__init__.py
rename to passbook/stages/email/migrations/__init__.py
diff --git a/passbook/factors/email/models.py b/passbook/stages/email/models.py
similarity index 76%
rename from passbook/factors/email/models.py
rename to passbook/stages/email/models.py
index f2027c1d9..57a104ed8 100644
--- a/passbook/factors/email/models.py
+++ b/passbook/stages/email/models.py
@@ -1,13 +1,13 @@
-"""email factor models"""
+"""email stage models"""
 from django.core.mail.backends.smtp import EmailBackend
 from django.db import models
 from django.utils.translation import gettext as _
 
-from passbook.core.models import Factor
+from passbook.flows.models import Stage
 
 
-class EmailFactor(Factor):
-    """email factor"""
+class EmailStage(Stage):
+    """email stage"""
 
     host = models.TextField(default="localhost")
     port = models.IntegerField(default=25)
@@ -22,8 +22,8 @@ class EmailFactor(Factor):
 
     from_address = models.EmailField(default="system@passbook.local")
 
-    type = "passbook.factors.email.factor.EmailFactorView"
-    form = "passbook.factors.email.forms.EmailFactorForm"
+    type = "passbook.stages.email.stage.EmailStageView"
+    form = "passbook.stages.email.forms.EmailStageForm"
 
     @property
     def backend(self) -> EmailBackend:
@@ -41,9 +41,9 @@ class EmailFactor(Factor):
         )
 
     def __str__(self):
-        return f"Email Factor {self.slug}"
+        return f"Email Stage {self.name}"
 
     class Meta:
 
-        verbose_name = _("Email Factor")
-        verbose_name_plural = _("Email Factors")
+        verbose_name = _("Email Stage")
+        verbose_name_plural = _("Email Stages")
diff --git a/passbook/factors/email/factor.py b/passbook/stages/email/stage.py
similarity index 75%
rename from passbook/factors/email/factor.py
rename to passbook/stages/email/stage.py
index 8c7d0527a..129e57d4f 100644
--- a/passbook/factors/email/factor.py
+++ b/passbook/stages/email/stage.py
@@ -1,4 +1,4 @@
-"""passbook multi-factor authentication engine"""
+"""passbook multi-stage authentication engine"""
 from django.contrib import messages
 from django.http import HttpRequest
 from django.shortcuts import reverse
@@ -6,17 +6,17 @@ from django.utils.translation import gettext as _
 from structlog import get_logger
 
 from passbook.core.models import Nonce
-from passbook.factors.email.tasks import send_mails
-from passbook.factors.email.utils import TemplateEmailMessage
-from passbook.flows.factor_base import AuthenticationFactor
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
 from passbook.lib.config import CONFIG
+from passbook.stages.email.tasks import send_mails
+from passbook.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
 
 
-class EmailFactorView(AuthenticationFactor):
-    """Dummy factor for testing with multiple factors"""
+class EmailStageView(AuthenticationStage):
+    """E-Mail stage which sends E-Mail for verification"""
 
     def get_context_data(self, **kwargs):
         kwargs["show_password_forget_notice"] = CONFIG.y(
@@ -41,10 +41,10 @@ class EmailFactorView(AuthenticationFactor):
                 )
             },
         )
-        send_mails(self.executor.current_factor, message)
+        send_mails(self.executor.current_stage, message)
         messages.success(request, _("Check your E-Mails for a password reset link."))
         return self.executor.cancel()
 
     def post(self, request: HttpRequest):
-        """Just redirect to next factor"""
-        return self.executor.factor_ok()
+        """Just redirect to next stage"""
+        return self.executor.stage_ok()
diff --git a/passbook/factors/email/tasks.py b/passbook/stages/email/tasks.py
similarity index 62%
rename from passbook/factors/email/tasks.py
rename to passbook/stages/email/tasks.py
index b3e752b04..265f69cb2 100644
--- a/passbook/factors/email/tasks.py
+++ b/passbook/stages/email/tasks.py
@@ -1,4 +1,4 @@
-"""email factor tasks"""
+"""email stage tasks"""
 from smtplib import SMTPException
 from typing import Any, Dict, List
 
@@ -6,38 +6,38 @@ from celery import group
 from django.core.mail import EmailMessage
 from structlog import get_logger
 
-from passbook.factors.email.models import EmailFactor
 from passbook.root.celery import CELERY_APP
+from passbook.stages.email.models import EmailStage
 
 LOGGER = get_logger()
 
 
-def send_mails(factor: EmailFactor, *messages: List[EmailMessage]):
+def send_mails(stage: EmailStage, *messages: List[EmailMessage]):
     """Wrapper to convert EmailMessage to dict and send it from worker"""
     tasks = []
     for message in messages:
-        tasks.append(_send_mail_task.s(factor.pk, message.__dict__))
+        tasks.append(_send_mail_task.s(stage.pk, message.__dict__))
     lazy_group = group(*tasks)
     promise = lazy_group()
     return promise
 
 
 @CELERY_APP.task(bind=True)
-def _send_mail_task(self, email_factor_pk: int, message: Dict[Any, Any]):
-    """Send E-Mail according to EmailFactor parameters from background worker.
+def _send_mail_task(self, email_stage_pk: int, message: Dict[Any, Any]):
+    """Send E-Mail according to EmailStage parameters from background worker.
     Automatically retries if message couldn't be sent."""
-    factor: EmailFactor = EmailFactor.objects.get(pk=email_factor_pk)
-    backend = factor.backend
+    stage: EmailStage = EmailStage.objects.get(pk=email_stage_pk)
+    backend = stage.backend
     backend.open()
     # Since django's EmailMessage objects are not JSON serialisable,
     # we need to rebuild them from a dict
     message_object = EmailMessage()
     for key, value in message.items():
         setattr(message_object, key, value)
-    message_object.from_email = factor.from_address
+    message_object.from_email = stage.from_address
     LOGGER.debug("Sending mail", to=message_object.to)
     try:
-        num_sent = factor.backend.send_messages([message_object])
+        num_sent = stage.backend.send_messages([message_object])
     except SMTPException as exc:
         raise self.retry(exc=exc)
     if num_sent != 1:
diff --git a/passbook/factors/email/utils.py b/passbook/stages/email/utils.py
similarity index 100%
rename from passbook/factors/email/utils.py
rename to passbook/stages/email/utils.py
diff --git a/passbook/factors/otp/__init__.py b/passbook/stages/otp/__init__.py
similarity index 100%
rename from passbook/factors/otp/__init__.py
rename to passbook/stages/otp/__init__.py
diff --git a/passbook/stages/otp/api.py b/passbook/stages/otp/api.py
new file mode 100644
index 000000000..9378a4cb0
--- /dev/null
+++ b/passbook/stages/otp/api.py
@@ -0,0 +1,21 @@
+"""OTPStage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.otp.models import OTPStage
+
+
+class OTPStageSerializer(ModelSerializer):
+    """OTPStage Serializer"""
+
+    class Meta:
+
+        model = OTPStage
+        fields = ["pk", "name", "enforced"]
+
+
+class OTPStageViewSet(ModelViewSet):
+    """OTPStage Viewset"""
+
+    queryset = OTPStage.objects.all()
+    serializer_class = OTPStageSerializer
diff --git a/passbook/stages/otp/apps.py b/passbook/stages/otp/apps.py
new file mode 100644
index 000000000..88b5ce441
--- /dev/null
+++ b/passbook/stages/otp/apps.py
@@ -0,0 +1,12 @@
+"""passbook OTP AppConfig"""
+
+from django.apps.config import AppConfig
+
+
+class PassbookStageOTPConfig(AppConfig):
+    """passbook OTP AppConfig"""
+
+    name = "passbook.stages.otp"
+    label = "passbook_stages_otp"
+    verbose_name = "passbook Stages.OTP"
+    mountpoint = "user/otp/"
diff --git a/passbook/factors/otp/forms.py b/passbook/stages/otp/forms.py
similarity index 77%
rename from passbook/factors/otp/forms.py
rename to passbook/stages/otp/forms.py
index c6c6816a5..0033667cf 100644
--- a/passbook/factors/otp/forms.py
+++ b/passbook/stages/otp/forms.py
@@ -1,14 +1,12 @@
 """passbook OTP Forms"""
 
 from django import forms
-from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.core.validators import RegexValidator
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
 from django_otp.models import Device
 
-from passbook.factors.otp.models import OTPFactor
-from passbook.flows.forms import GENERAL_FIELDS
+from passbook.stages.otp.models import OTPStage
 
 OTP_CODE_VALIDATOR = RegexValidator(
     r"^[0-9a-z]{6,8}$", _("Only alpha-numeric characters are allowed.")
@@ -68,20 +66,13 @@ class OTPSetupForm(forms.Form):
         return self.cleaned_data.get("code")
 
 
-class OTPFactorForm(forms.ModelForm):
-    """Form to edit OTPFactor instances"""
+class OTPStageForm(forms.ModelForm):
+    """Form to edit OTPStage instances"""
 
     class Meta:
 
-        model = OTPFactor
-        fields = GENERAL_FIELDS + ["enforced"]
+        model = OTPStage
+        fields = ["name", "enforced"]
         widgets = {
             "name": forms.TextInput(),
-            "order": forms.NumberInput(),
-            "policies": FilteredSelectMultiple(_("policies"), False),
-        }
-        help_texts = {
-            "policies": _(
-                "Policies which determine if this factor applies to the current user."
-            )
         }
diff --git a/passbook/factors/otp/migrations/0001_initial.py b/passbook/stages/otp/migrations/0001_initial.py
similarity index 67%
rename from passbook/factors/otp/migrations/0001_initial.py
rename to passbook/stages/otp/migrations/0001_initial.py
index fe06e9300..205c8c98b 100644
--- a/passbook/factors/otp/migrations/0001_initial.py
+++ b/passbook/stages/otp/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:07
+# Generated by Django 3.0.3 on 2020-05-08 17:59
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -9,36 +9,33 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_core", "0001_initial"),
+        ("passbook_flows", "0001_initial"),
     ]
 
     operations = [
         migrations.CreateModel(
-            name="OTPFactor",
+            name="OTPStage",
             fields=[
                 (
-                    "factor_ptr",
+                    "stage_ptr",
                     models.OneToOneField(
                         auto_created=True,
                         on_delete=django.db.models.deletion.CASCADE,
                         parent_link=True,
                         primary_key=True,
                         serialize=False,
-                        to="passbook_core.Factor",
+                        to="passbook_flows.Stage",
                     ),
                 ),
                 (
                     "enforced",
                     models.BooleanField(
                         default=False,
-                        help_text="Enforce enabled OTP for Users this factor applies to.",
+                        help_text="Enforce enabled OTP for Users this stage applies to.",
                     ),
                 ),
             ],
-            options={
-                "verbose_name": "OTP Factor",
-                "verbose_name_plural": "OTP Factors",
-            },
-            bases=("passbook_core.factor",),
+            options={"verbose_name": "OTP Stage", "verbose_name_plural": "OTP Stages",},
+            bases=("passbook_flows.stage",),
         ),
     ]
diff --git a/passbook/factors/otp/migrations/__init__.py b/passbook/stages/otp/migrations/__init__.py
similarity index 100%
rename from passbook/factors/otp/migrations/__init__.py
rename to passbook/stages/otp/migrations/__init__.py
diff --git a/passbook/stages/otp/models.py b/passbook/stages/otp/models.py
new file mode 100644
index 000000000..f0a6e1c88
--- /dev/null
+++ b/passbook/stages/otp/models.py
@@ -0,0 +1,34 @@
+"""OTP Stage"""
+from django.db import models
+from django.utils.translation import gettext as _
+
+from passbook.core.types import UIUserSettings
+from passbook.flows.models import Stage
+
+
+class OTPStage(Stage):
+    """OTP Stage"""
+
+    enforced = models.BooleanField(
+        default=False,
+        help_text=("Enforce enabled OTP for Users " "this stage applies to."),
+    )
+
+    type = "passbook.stages.otp.stages.OTPStage"
+    form = "passbook.stages.otp.forms.OTPStageForm"
+
+    @property
+    def ui_user_settings(self) -> UIUserSettings:
+        return UIUserSettings(
+            name="OTP",
+            icon="pficon-locked",
+            view_name="passbook_stages_otp:otp-user-settings",
+        )
+
+    def __str__(self):
+        return f"OTP Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("OTP Stage")
+        verbose_name_plural = _("OTP Stages")
diff --git a/passbook/factors/otp/settings.py b/passbook/stages/otp/settings.py
similarity index 100%
rename from passbook/factors/otp/settings.py
rename to passbook/stages/otp/settings.py
diff --git a/passbook/factors/otp/factors.py b/passbook/stages/otp/stage.py
similarity index 82%
rename from passbook/factors/otp/factors.py
rename to passbook/stages/otp/stage.py
index 50ba3d21f..3d62f7519 100644
--- a/passbook/factors/otp/factors.py
+++ b/passbook/stages/otp/stage.py
@@ -1,22 +1,22 @@
-"""OTP Factor logic"""
+"""OTP Stage logic"""
 from django.contrib import messages
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from django_otp import match_token, user_has_device
 from structlog import get_logger
 
-from passbook.factors.otp.forms import OTPVerifyForm
-from passbook.factors.otp.views import OTP_SETTING_UP_KEY, EnableView
-from passbook.flows.factor_base import AuthenticationFactor
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.otp.forms import OTPVerifyForm
+from passbook.stages.otp.views import OTP_SETTING_UP_KEY, EnableView
 
 LOGGER = get_logger()
 
 
-class OTPFactor(FormView, AuthenticationFactor):
-    """OTP Factor View"""
+class OTPStage(FormView, AuthenticationStage):
+    """OTP Stage View"""
 
-    template_name = "otp/factor.html"
+    template_name = "stages/otp/stage.html"
     form_class = OTPVerifyForm
 
     def get_context_data(self, **kwargs):
@@ -29,7 +29,7 @@ class OTPFactor(FormView, AuthenticationFactor):
         pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         if not user_has_device(pending_user):
             LOGGER.debug("User doesn't have OTP Setup.")
-            if self.executor.current_factor.enforced:
+            if self.executor.current_stage.enforced:
                 # Redirect to setup view
                 LOGGER.debug("OTP is enforced, redirecting to setup")
                 request.user = pending_user
@@ -54,6 +54,6 @@ class OTPFactor(FormView, AuthenticationFactor):
             form.cleaned_data.get("code"),
         )
         if device:
-            return self.executor.factor_ok()
+            return self.executor.stage_ok()
         messages.error(self.request, _("Invalid OTP."))
         return self.form_invalid(form)
diff --git a/passbook/factors/otp/templates/otp/factor.html b/passbook/stages/otp/templates/stages/otp/factor.html
similarity index 100%
rename from passbook/factors/otp/templates/otp/factor.html
rename to passbook/stages/otp/templates/stages/otp/factor.html
diff --git a/passbook/factors/otp/templates/otp/user_settings.html b/passbook/stages/otp/templates/stages/otp/user_settings.html
similarity index 91%
rename from passbook/factors/otp/templates/otp/user_settings.html
rename to passbook/stages/otp/templates/stages/otp/user_settings.html
index 4764de835..bb5ff5359 100644
--- a/passbook/factors/otp/templates/otp/user_settings.html
+++ b/passbook/stages/otp/templates/stages/otp/user_settings.html
@@ -23,10 +23,10 @@
                 </p>
                 <p>
                     {% if not state %}
-                    <a href="{% url 'passbook_factors_otp:otp-enable' %}"
+                    <a href="{% url 'passbook_stages_otp:otp-enable' %}"
                     class="btn btn-success btn-sm">{% trans "Enable OTP" %}</a>
                     {% else %}
-                    <a href="{% url 'passbook_factors_otp:otp-disable' %}"
+                    <a href="{% url 'passbook_stages_otp:otp-disable' %}"
                     class="btn btn-danger btn-sm">{% trans "Disable OTP" %}</a>
                     {% endif %}
                 </p>
diff --git a/passbook/factors/otp/urls.py b/passbook/stages/otp/urls.py
similarity index 89%
rename from passbook/factors/otp/urls.py
rename to passbook/stages/otp/urls.py
index 4efc3ca88..012ff2923 100644
--- a/passbook/factors/otp/urls.py
+++ b/passbook/stages/otp/urls.py
@@ -2,7 +2,7 @@
 
 from django.urls import path
 
-from passbook.factors.otp import views
+from passbook.stages.otp import views
 
 urlpatterns = [
     path("", views.UserSettingsView.as_view(), name="otp-user-settings"),
diff --git a/passbook/factors/otp/utils.py b/passbook/stages/otp/utils.py
similarity index 100%
rename from passbook/factors/otp/utils.py
rename to passbook/stages/otp/utils.py
diff --git a/passbook/factors/otp/views.py b/passbook/stages/otp/views.py
similarity index 91%
rename from passbook/factors/otp/views.py
rename to passbook/stages/otp/views.py
index 5561482ce..833441318 100644
--- a/passbook/factors/otp/views.py
+++ b/passbook/stages/otp/views.py
@@ -19,12 +19,12 @@ from qrcode.image.svg import SvgPathImage
 from structlog import get_logger
 
 from passbook.audit.models import Event, EventAction
-from passbook.factors.otp.forms import OTPSetupForm
-from passbook.factors.otp.utils import otpauth_url
 from passbook.lib.config import CONFIG
+from passbook.stages.otp.forms import OTPSetupForm
+from passbook.stages.otp.utils import otpauth_url
 
-OTP_SESSION_KEY = "passbook_factors_otp_key"
-OTP_SETTING_UP_KEY = "passbook_factors_otp_setup"
+OTP_SESSION_KEY = "passbook_stages_otp_key"
+OTP_SETTING_UP_KEY = "passbook_stages_otp_setup"
 LOGGER = get_logger()
 
 
@@ -33,7 +33,7 @@ class UserSettingsView(LoginRequiredMixin, TemplateView):
 
     template_name = "otp/user_settings.html"
 
-    # TODO: Check if OTP Factor exists and applies to user
+    # TODO: Check if OTP Stage exists and applies to user
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
         static = StaticDevice.objects.filter(user=self.request.user, confirmed=True)
@@ -61,7 +61,7 @@ class DisableView(LoginRequiredMixin, View):
         messages.success(request, "Successfully disabled OTP")
         # Create event with email notification
         Event.new(EventAction.CUSTOM, message="User disabled OTP.").from_http(request)
-        return redirect(reverse("passbook_factors_otp:otp-user-settings"))
+        return redirect(reverse("passbook_stages_otp:otp-user-settings"))
 
 
 class EnableView(LoginRequiredMixin, FormView):
@@ -74,7 +74,7 @@ class EnableView(LoginRequiredMixin, FormView):
     totp_device = None
     static_device = None
 
-    # TODO: Check if OTP Factor exists and applies to user
+    # TODO: Check if OTP Stage exists and applies to user
     def get_context_data(self, **kwargs):
         kwargs["config"] = CONFIG.y("passbook")
         kwargs["title"] = _("Configure OTP")
@@ -92,7 +92,7 @@ class EnableView(LoginRequiredMixin, FormView):
         if finished_totp_devices.exists() and finished_static_devices.exists():
             messages.error(request, _("You already have TOTP enabled!"))
             del request.session[OTP_SETTING_UP_KEY]
-            return redirect("passbook_factors_otp:otp-user-settings")
+            return redirect("passbook_stages_otp:otp-user-settings")
         request.session[OTP_SETTING_UP_KEY] = True
         # Check if there's an unconfirmed device left to set up
         totp_devices = TOTPDevice.objects.filter(user=request.user, confirmed=False)
@@ -127,7 +127,7 @@ class EnableView(LoginRequiredMixin, FormView):
     def get_form(self, form_class=None):
         form = super().get_form(form_class=form_class)
         form.device = self.totp_device
-        form.fields["qr_code"].initial = reverse("passbook_factors_otp:otp-qr")
+        form.fields["qr_code"].initial = reverse("passbook_stages_otp:otp-qr")
         tokens = [(x.token, x.token) for x in self.static_device.token_set.all()]
         form.fields["tokens"].choices = tokens
         return form
@@ -143,7 +143,7 @@ class EnableView(LoginRequiredMixin, FormView):
         Event.new(EventAction.CUSTOM, message="User enabled OTP.").from_http(
             self.request
         )
-        return redirect("passbook_factors_otp:otp-user-settings")
+        return redirect("passbook_stages_otp:otp-user-settings")
 
 
 @method_decorator(never_cache, name="dispatch")
diff --git a/passbook/factors/password/__init__.py b/passbook/stages/password/__init__.py
similarity index 100%
rename from passbook/factors/password/__init__.py
rename to passbook/stages/password/__init__.py
diff --git a/passbook/stages/password/api.py b/passbook/stages/password/api.py
new file mode 100644
index 000000000..48e1c5191
--- /dev/null
+++ b/passbook/stages/password/api.py
@@ -0,0 +1,26 @@
+"""PasswordStage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.password.models import PasswordStage
+
+
+class PasswordStageSerializer(ModelSerializer):
+    """PasswordStage Serializer"""
+
+    class Meta:
+
+        model = PasswordStage
+        fields = [
+            "pk",
+            "name",
+            "backends",
+            "password_policies",
+        ]
+
+
+class PasswordStageViewSet(ModelViewSet):
+    """PasswordStage Viewset"""
+
+    queryset = PasswordStage.objects.all()
+    serializer_class = PasswordStageSerializer
diff --git a/passbook/stages/password/apps.py b/passbook/stages/password/apps.py
new file mode 100644
index 000000000..087e1f90c
--- /dev/null
+++ b/passbook/stages/password/apps.py
@@ -0,0 +1,10 @@
+"""passbook core app config"""
+from django.apps import AppConfig
+
+
+class PassbookStagePasswordConfig(AppConfig):
+    """passbook password stage config"""
+
+    name = "passbook.stages.password"
+    label = "passbook_stages_password"
+    verbose_name = "passbook Stages.Password"
diff --git a/passbook/factors/password/exceptions.py b/passbook/stages/password/exceptions.py
similarity index 100%
rename from passbook/factors/password/exceptions.py
rename to passbook/stages/password/exceptions.py
diff --git a/passbook/factors/password/forms.py b/passbook/stages/password/forms.py
similarity index 64%
rename from passbook/factors/password/forms.py
rename to passbook/stages/password/forms.py
index 50b48e5c0..f9dc91421 100644
--- a/passbook/factors/password/forms.py
+++ b/passbook/stages/password/forms.py
@@ -4,9 +4,8 @@ from django.conf import settings
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
-from passbook.factors.password.models import PasswordFactor
-from passbook.flows.forms import GENERAL_FIELDS
 from passbook.lib.utils.reflection import path_to_class
+from passbook.stages.password.models import PasswordStage
 
 
 def get_authentication_backends():
@@ -32,25 +31,17 @@ class PasswordForm(forms.Form):
     )
 
 
-class PasswordFactorForm(forms.ModelForm):
-    """Form to create/edit Password Factors"""
+class PasswordStageForm(forms.ModelForm):
+    """Form to create/edit Password Stages"""
 
     class Meta:
 
-        model = PasswordFactor
-        fields = GENERAL_FIELDS + ["backends", "password_policies", "reset_factors"]
+        model = PasswordStage
+        fields = ["name", "backends"]
         widgets = {
             "name": forms.TextInput(),
-            "order": forms.NumberInput(),
-            "policies": FilteredSelectMultiple(_("policies"), False),
             "backends": FilteredSelectMultiple(
                 _("backends"), False, choices=get_authentication_backends()
             ),
             "password_policies": FilteredSelectMultiple(_("password policies"), False),
-            "reset_factors": FilteredSelectMultiple(_("reset factors"), False),
-        }
-        help_texts = {
-            "policies": _(
-                "Policies which determine if this factor applies to the current user."
-            )
         }
diff --git a/passbook/factors/password/migrations/0001_initial.py b/passbook/stages/password/migrations/0001_initial.py
similarity index 62%
rename from passbook/factors/password/migrations/0001_initial.py
rename to passbook/stages/password/migrations/0001_initial.py
index 58be06b49..b2c740c1d 100644
--- a/passbook/factors/password/migrations/0001_initial.py
+++ b/passbook/stages/password/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:07
+# Generated by Django 3.0.3 on 2020-05-08 17:58
 
 import django.contrib.postgres.fields
 import django.db.models.deletion
@@ -10,28 +10,31 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_core", "0001_initial"),
+        ("passbook_flows", "0001_initial"),
+        ("passbook_core", "0012_delete_factor"),
     ]
 
     operations = [
         migrations.CreateModel(
-            name="PasswordFactor",
+            name="PasswordStage",
             fields=[
                 (
-                    "factor_ptr",
+                    "stage_ptr",
                     models.OneToOneField(
                         auto_created=True,
                         on_delete=django.db.models.deletion.CASCADE,
                         parent_link=True,
                         primary_key=True,
                         serialize=False,
-                        to="passbook_core.Factor",
+                        to="passbook_flows.Stage",
                     ),
                 ),
                 (
                     "backends",
                     django.contrib.postgres.fields.ArrayField(
-                        base_field=models.TextField(), size=None
+                        base_field=models.TextField(),
+                        help_text="Selection of backends to test the password against.",
+                        size=None,
                     ),
                 ),
                 (
@@ -40,9 +43,9 @@ class Migration(migrations.Migration):
                 ),
             ],
             options={
-                "verbose_name": "Password Factor",
-                "verbose_name_plural": "Password Factors",
+                "verbose_name": "Password Stage",
+                "verbose_name_plural": "Password Stages",
             },
-            bases=("passbook_core.factor",),
+            bases=("passbook_flows.stage",),
         ),
     ]
diff --git a/passbook/factors/password/migrations/__init__.py b/passbook/stages/password/migrations/__init__.py
similarity index 100%
rename from passbook/factors/password/migrations/__init__.py
rename to passbook/stages/password/migrations/__init__.py
diff --git a/passbook/factors/password/models.py b/passbook/stages/password/models.py
similarity index 63%
rename from passbook/factors/password/models.py
rename to passbook/stages/password/models.py
index 9247f80be..74359a876 100644
--- a/passbook/factors/password/models.py
+++ b/passbook/stages/password/models.py
@@ -1,26 +1,24 @@
-"""password factor models"""
+"""password stage models"""
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from passbook.core.models import Factor, Policy, User
+from passbook.core.models import Policy, User
 from passbook.core.types import UIUserSettings
+from passbook.flows.models import Stage
 
 
-class PasswordFactor(Factor):
-    """Password-based Django-backend Authentication Factor"""
+class PasswordStage(Stage):
+    """Password-based Django-backend Authentication Stage"""
 
     backends = ArrayField(
         models.TextField(),
         help_text=_("Selection of backends to test the password against."),
     )
     password_policies = models.ManyToManyField(Policy, blank=True)
-    reset_factors = models.ManyToManyField(
-        Factor, blank=True, related_name="reset_factors"
-    )
 
-    type = "passbook.factors.password.factor.PasswordFactor"
-    form = "passbook.factors.password.forms.PasswordFactorForm"
+    type = "passbook.stages.password.stage.PasswordStage"
+    form = "passbook.stages.password.forms.PasswordStageForm"
 
     @property
     def ui_user_settings(self) -> UIUserSettings:
@@ -38,9 +36,9 @@ class PasswordFactor(Factor):
         return True
 
     def __str__(self):
-        return "Password Factor %s" % self.slug
+        return f"Password Stage {self.name}"
 
     class Meta:
 
-        verbose_name = _("Password Factor")
-        verbose_name_plural = _("Password Factors")
+        verbose_name = _("Password Stage")
+        verbose_name_plural = _("Password Stages")
diff --git a/passbook/factors/password/factor.py b/passbook/stages/password/stage.py
similarity index 86%
rename from passbook/factors/password/factor.py
rename to passbook/stages/password/stage.py
index ce048b820..d3e691dd7 100644
--- a/passbook/factors/password/factor.py
+++ b/passbook/stages/password/stage.py
@@ -1,4 +1,4 @@
-"""passbook multi-factor authentication engine"""
+"""passbook password stage"""
 from inspect import Signature
 from typing import Optional
 
@@ -11,11 +11,11 @@ from django.views.generic import FormView
 from structlog import get_logger
 
 from passbook.core.models import User
-from passbook.factors.password.forms import PasswordForm
-from passbook.flows.factor_base import AuthenticationFactor
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import path_to_class
+from passbook.stages.password.forms import PasswordForm
 
 LOGGER = get_logger()
 PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
@@ -53,11 +53,11 @@ def authenticate(request, backends, **credentials) -> Optional[User]:
     )
 
 
-class PasswordFactor(FormView, AuthenticationFactor):
-    """Authentication factor which authenticates against django's AuthBackend"""
+class PasswordStage(FormView, AuthenticationStage):
+    """Authentication stage which authenticates against django's AuthBackend"""
 
     form_class = PasswordForm
-    template_name = "factors/password/backend.html"
+    template_name = "stages/password/backend.html"
 
     def form_valid(self, form):
         """Authenticate against django's authentication backend"""
@@ -71,7 +71,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
             )
         try:
             user = authenticate(
-                self.request, self.executor.current_factor.backends, **kwargs
+                self.request, self.executor.current_stage.backends, **kwargs
             )
             if user:
                 # User instance returned from authenticate() has .backend property set
@@ -79,7 +79,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
                 self.executor.plan.context[
                     PLAN_CONTEXT_AUTHENTICATION_BACKEND
                 ] = user.backend
-                return self.executor.factor_ok()
+                return self.executor.stage_ok()
             # No user was found -> invalid credentials
             LOGGER.debug("Invalid credentials")
             # Manually inject error into form
@@ -90,4 +90,4 @@ class PasswordFactor(FormView, AuthenticationFactor):
         except PermissionDenied:
             # User was found, but permission was denied (i.e. user is not active)
             LOGGER.debug("Denied access", **kwargs)
-            return self.executor.factor_invalid()
+            return self.executor.stage_invalid()
diff --git a/passbook/factors/password/templates/factors/password/backend.html b/passbook/stages/password/templates/stages/password/backend.html
similarity index 100%
rename from passbook/factors/password/templates/factors/password/backend.html
rename to passbook/stages/password/templates/stages/password/backend.html
diff --git a/scripts/coverage.sh b/scripts/coverage.sh
index 61f10d820..c95d47574 100755
--- a/scripts/coverage.sh
+++ b/scripts/coverage.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -xe
-coverage run --concurrency=multiprocessing manage.py test
+coverage run --concurrency=multiprocessing manage.py test --failfast
 coverage combine
 coverage html
 coverage report

From 5ba45d3037f2518f9ad35645444ebc35bc6140d0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Fri, 8 May 2020 21:08:36 +0200
Subject: [PATCH 13/80] root: add fossa

---
 .fossa.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100755 .fossa.yml

diff --git a/.fossa.yml b/.fossa.yml
new file mode 100755
index 000000000..31196ea52
--- /dev/null
+++ b/.fossa.yml
@@ -0,0 +1,20 @@
+# Generated by FOSSA CLI (https://github.com/fossas/fossa-cli)
+# Visit https://fossa.com to learn more
+
+version: 2
+cli:
+  server: https://app.fossa.com
+  fetcher: custom
+  project: git@github.com:BeryJu/passbook.git
+analyze:
+  modules:
+  - name: static
+    type: npm
+    target: passbook/static/static
+    path: passbook/static/static
+  - name: .
+    type: pip
+    target: .
+    path: .
+    options:
+      strategy: pipenv

From f700899640c203ec6e5fcc05c43293bb7488d656 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 20:53:13 +0200
Subject: [PATCH 14/80] stages/password: fix possibility of password in logs

---
 passbook/stages/password/stage.py | 23 +++++++++++------------
 pyrightconfig.json                |  9 ++++++++-
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/passbook/stages/password/stage.py b/passbook/stages/password/stage.py
index d3e691dd7..3d6d96b29 100644
--- a/passbook/stages/password/stage.py
+++ b/passbook/stages/password/stage.py
@@ -1,11 +1,13 @@
 """passbook password stage"""
 from inspect import Signature
-from typing import Optional
+from typing import Any, Dict, List, Optional
 
 from django.contrib.auth import _clean_credentials
+from django.contrib.auth.backends import BaseBackend
 from django.contrib.auth.signals import user_login_failed
 from django.core.exceptions import PermissionDenied
 from django.forms.utils import ErrorList
+from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from structlog import get_logger
@@ -13,7 +15,6 @@ from structlog import get_logger
 from passbook.core.models import User
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import AuthenticationStage
-from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import path_to_class
 from passbook.stages.password.forms import PasswordForm
 
@@ -21,7 +22,9 @@ LOGGER = get_logger()
 PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
 
 
-def authenticate(request, backends, **credentials) -> Optional[User]:
+def authenticate(
+    request: HttpRequest, backends: List[BaseBackend], **credentials: Dict[str, Any]
+) -> Optional[User]:
     """If the given credentials are valid, return a User object.
 
     Customized version of django's authenticate, which accepts a list of backends"""
@@ -59,19 +62,14 @@ class PasswordStage(FormView, AuthenticationStage):
     form_class = PasswordForm
     template_name = "stages/password/backend.html"
 
-    def form_valid(self, form):
+    def form_valid(self, form: PasswordForm) -> HttpResponse:
         """Authenticate against django's authentication backend"""
-        uid_fields = CONFIG.y("passbook.uid_fields")
-        kwargs = {
+        auth_kwargs = {
             "password": form.cleaned_data.get("password"),
         }
-        for uid_field in uid_fields:
-            kwargs[uid_field] = getattr(
-                self.executor.plan.context[PLAN_CONTEXT_PENDING_USER], uid_field
-            )
         try:
             user = authenticate(
-                self.request, self.executor.current_stage.backends, **kwargs
+                self.request, self.executor.current_stage.backends, **auth_kwargs
             )
             if user:
                 # User instance returned from authenticate() has .backend property set
@@ -88,6 +86,7 @@ class PasswordStage(FormView, AuthenticationStage):
             errors.append(_("Invalid password"))
             return self.form_invalid(form)
         except PermissionDenied:
+            del auth_kwargs["password"]
             # User was found, but permission was denied (i.e. user is not active)
-            LOGGER.debug("Denied access", **kwargs)
+            LOGGER.debug("Denied access", **auth_kwargs)
             return self.executor.stage_invalid()
diff --git a/pyrightconfig.json b/pyrightconfig.json
index 95021473a..feba22bda 100644
--- a/pyrightconfig.json
+++ b/pyrightconfig.json
@@ -1,3 +1,10 @@
 {
-    "reportMissingTypeStubs": false
+    "reportMissingTypeStubs": false,
+    "ignore": [
+        "**/migrations/**",
+        "**/node_modules/**"
+    ],
+    "strictParameterNoneValue": true,
+    "strictDictionaryInference": true,
+    "strictListInference": true
 }

From 28b913136dc185dc63114fd20a40b364f83f5403 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 20:53:47 +0200
Subject: [PATCH 15/80] root: set log level based on DEBUG flag

---
 passbook/root/settings.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 9e8c910e9..d7edbfb05 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -96,6 +96,7 @@ INSTALLED_APPS = [
     "passbook.providers.oidc.apps.PassbookProviderOIDCConfig",
     "passbook.providers.saml.apps.PassbookProviderSAMLConfig",
     "passbook.providers.samlv2.apps.PassbookProviderSAMLv2Config",
+    "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
@@ -327,17 +328,19 @@ LOGGING = {
     },
     "loggers": {},
 }
+LOG_LEVEL = "DEBUG" if DEBUG else "WARNING"
 _LOGGING_HANDLER_MAP = {
-    "": "DEBUG",
-    "passbook": "DEBUG",
+    "": LOG_LEVEL,
+    "passbook": LOG_LEVEL,
     "django": "WARNING",
     "celery": "WARNING",
-    "grpc": "DEBUG",
-    "oauthlib": "DEBUG",
-    "oauth2_provider": "DEBUG",
-    "oidc_provider": "DEBUG",
+    "grpc": LOG_LEVEL,
+    "oauthlib": LOG_LEVEL,
+    "oauth2_provider": LOG_LEVEL,
+    "oidc_provider": LOG_LEVEL,
 }
 for handler_name, level in _LOGGING_HANDLER_MAP.items():
+    # pyright: reportGeneralTypeIssues=false
     LOGGING["loggers"][handler_name] = {
         "handlers": ["console"],
         "level": level,

From 3456527f10261bd39a415d3ad5e685c347a651c0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 20:54:11 +0200
Subject: [PATCH 16/80] providers/saml: fix minor typing issue

---
 passbook/policies/process.py          | 3 ++-
 passbook/providers/saml/utils/time.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/passbook/policies/process.py b/passbook/policies/process.py
index 50cd4c1bd..64ccf4962 100644
--- a/passbook/policies/process.py
+++ b/passbook/policies/process.py
@@ -1,6 +1,7 @@
 """passbook policy task"""
 from multiprocessing import Process
 from multiprocessing.connection import Connection
+from typing import Optional
 
 from django.core.cache import cache
 from structlog import get_logger
@@ -12,7 +13,7 @@ from passbook.policies.types import PolicyRequest, PolicyResult
 LOGGER = get_logger()
 
 
-def cache_key(policy: Policy, user: User = None) -> str:
+def cache_key(policy: Policy, user: Optional[User] = None) -> str:
     """Generate Cache key for policy"""
     prefix = f"policy_{policy.pk}"
     if user:
diff --git a/passbook/providers/saml/utils/time.py b/passbook/providers/saml/utils/time.py
index 3e88e0d93..2fe490ba9 100644
--- a/passbook/providers/saml/utils/time.py
+++ b/passbook/providers/saml/utils/time.py
@@ -1,5 +1,6 @@
 """Time utilities"""
 import datetime
+from typing import Optional
 
 from django.core.exceptions import ValidationError
 from django.utils.translation import gettext_lazy as _
@@ -38,7 +39,7 @@ def timedelta_from_string(expr: str) -> datetime.timedelta:
     return datetime.timedelta(**kwargs)
 
 
-def get_time_string(delta: datetime.timedelta = None) -> str:
+def get_time_string(delta: Optional[datetime.timedelta] = None) -> str:
     """Get Data formatted in SAML format"""
     if delta is None:
         delta = datetime.timedelta()

From 8a6009c27820c51ef14f8adec3d3010e72a74afa Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 20:54:56 +0200
Subject: [PATCH 17/80] flows: enum to django TextChoices

---
 passbook/flows/exceptions.py                  |  6 +++-
 .../migrations/0003_auto_20200509_1258.py     | 26 ++++++++++++++++
 passbook/flows/models.py                      | 11 ++-----
 passbook/flows/planner.py                     |  9 +++---
 passbook/flows/views.py                       | 31 ++++++++++++++-----
 5 files changed, 62 insertions(+), 21 deletions(-)
 create mode 100644 passbook/flows/migrations/0003_auto_20200509_1258.py

diff --git a/passbook/flows/exceptions.py b/passbook/flows/exceptions.py
index 4f781897f..4bcf6f854 100644
--- a/passbook/flows/exceptions.py
+++ b/passbook/flows/exceptions.py
@@ -1,5 +1,9 @@
 """flow exceptions"""
 
 
-class FlowNonApplicableError(BaseException):
+class FlowNonApplicableException(BaseException):
     """Exception raised when a Flow does not apply to a user."""
+
+
+class EmptyFlowException(BaseException):
+    """Exception raised when a Flow Plan is empty"""
diff --git a/passbook/flows/migrations/0003_auto_20200509_1258.py b/passbook/flows/migrations/0003_auto_20200509_1258.py
new file mode 100644
index 000000000..574bca294
--- /dev/null
+++ b/passbook/flows/migrations/0003_auto_20200509_1258.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.0.3 on 2020-05-09 12:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_flows", "0002_default_flows"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flow",
+            name="designation",
+            field=models.CharField(
+                choices=[
+                    ("authentication", "Authentication"),
+                    ("enrollment", "Enrollment"),
+                    ("recovery", "Recovery"),
+                    ("password_change", "Password Change"),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index 164c14878..8b6ecbddb 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -11,7 +11,7 @@ from passbook.lib.models import UUIDModel
 from passbook.policies.models import PolicyBindingModel
 
 
-class FlowDesignation(Enum):
+class FlowDesignation(models.TextChoices):
     """Designation of what a Flow should be used for. At a later point, this
     should be replaced by a database entry."""
 
@@ -20,13 +20,6 @@ class FlowDesignation(Enum):
     RECOVERY = "recovery"
     PASSWORD_CHANGE = "password_change"  # nosec # noqa
 
-    @staticmethod
-    def as_choices() -> Tuple[Tuple[str, str]]:
-        """Generate choices of actions used for database"""
-        return tuple(
-            (x, y.value) for x, y in getattr(FlowDesignation, "__members__").items()
-        )
-
 
 class Stage(UUIDModel):
     """Stage is an instance of a component used in a flow. This can verify the user,
@@ -56,7 +49,7 @@ class Flow(PolicyBindingModel, UUIDModel):
     name = models.TextField()
     slug = models.SlugField(unique=True)
 
-    designation = models.CharField(max_length=100, choices=FlowDesignation.as_choices())
+    designation = models.CharField(max_length=100, choices=FlowDesignation.choices)
 
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
 
diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
index b00f4f944..48cb380f6 100644
--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -6,7 +6,7 @@ from typing import Any, Dict, List, Tuple
 from django.http import HttpRequest
 from structlog import get_logger
 
-from passbook.flows.exceptions import FlowNonApplicableError
+from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from passbook.flows.models import Flow, Stage
 from passbook.policies.engine import PolicyEngine
 
@@ -26,8 +26,7 @@ class FlowPlan:
 
     def next(self) -> Stage:
         """Return next pending stage from the bottom of the list"""
-        stage_cls = self.stages.pop(0)
-        return stage_cls
+        return self.stages[0]
 
 
 class FlowPlanner:
@@ -54,7 +53,7 @@ class FlowPlanner:
         # to make sure the user even has access to the flow
         root_passing, root_passing_messages = self._check_flow_root_policies(request)
         if not root_passing:
-            raise FlowNonApplicableError(root_passing_messages)
+            raise FlowNonApplicableException(root_passing_messages)
         # Check Flow policies
         for stage in (
             self.flow.stages.order_by("flowstagebinding__order")
@@ -72,4 +71,6 @@ class FlowPlanner:
         LOGGER.debug(
             "Finished planning", flow=self.flow, duration_s=end_time - start_time
         )
+        if not plan.stages:
+            raise EmptyFlowException()
         return plan
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index 69de2c645..f4a3805db 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -8,8 +8,8 @@ from django.views.generic import View
 from structlog import get_logger
 
 from passbook.core.views.utils import PermissionDeniedView
-from passbook.flows.exceptions import FlowNonApplicableError
-from passbook.flows.models import Flow, Stage
+from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
+from passbook.flows.models import Flow, FlowDesignation, Stage
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
@@ -52,15 +52,15 @@ class FlowExecutorView(View):
             return bad_request_message(self.request, message)
         return None
 
-    def handle_flow_non_applicable(self) -> HttpResponse:
+    def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
         """When a flow is non-applicable check if user is on the correct domain"""
         if NEXT_ARG_NAME in self.request.GET:
+            LOGGER.debug("Redirecting to next on fail")
             return redirect(self.request.GET.get(NEXT_ARG_NAME))
         incorrect_domain_message = self._check_config_domain()
         if incorrect_domain_message:
             return incorrect_domain_message
-        # TODO: Add message
-        return redirect("passbook_core:index")
+        return bad_request_message(self.request, str(exc))
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
         # Early check if theres an active Plan for the current session
@@ -70,9 +70,12 @@ class FlowExecutorView(View):
             )
             try:
                 self.plan = self._initiate_plan()
-            except FlowNonApplicableError as exc:
+            except FlowNonApplicableException as exc:
                 LOGGER.warning("Flow not applicable to current user", exc=exc)
-                return self.handle_flow_non_applicable()
+                return self.handle_invalid_flow(exc)
+            except EmptyFlowException as exc:
+                LOGGER.warning("Flow is empty", exc=exc)
+                return self.handle_invalid_flow(exc)
         else:
             LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
             self.plan = self.request.session[SESSION_KEY_PLAN]
@@ -136,6 +139,7 @@ class FlowExecutorView(View):
             stage_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
+        self.plan.stages.pop(0)
         self.request.session[SESSION_KEY_PLAN] = self.plan
         if self.plan.stages:
             LOGGER.debug(
@@ -169,3 +173,16 @@ class FlowExecutorView(View):
 
 class FlowPermissionDeniedView(PermissionDeniedView):
     """User could not be authenticated"""
+
+
+class ToDefaultFlow(View):
+    """Redirect to default flow matching by designation"""
+
+    designation: Optional[FlowDesignation] = None
+
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
+        flow = get_object_or_404(Flow, designation=self.designation)
+        # TODO: Get Flow depending on subdomain?
+        return redirect_with_qs(
+            "passbook_flows:flow-executor", request.GET, flow_slug=flow.slug
+        )

From 131c3fdb32a1496f894c4ccad0a5f378428eb172 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 21:30:12 +0200
Subject: [PATCH 18/80] stages/password: fix broken authentication

---
 passbook/stages/password/stage.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/passbook/stages/password/stage.py b/passbook/stages/password/stage.py
index 3d6d96b29..2d721f0eb 100644
--- a/passbook/stages/password/stage.py
+++ b/passbook/stages/password/stage.py
@@ -45,6 +45,7 @@ def authenticate(
             # This backend says to stop in our tracks - this user should not be allowed in at all.
             break
         if user is None:
+            LOGGER.debug("Backend returned nothing, continuing")
             continue
         # Annotate the user object with the path of the backend.
         user.backend = backend_path
@@ -64,8 +65,14 @@ class PasswordStage(FormView, AuthenticationStage):
 
     def form_valid(self, form: PasswordForm) -> HttpResponse:
         """Authenticate against django's authentication backend"""
+        if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
+            return self.executor.stage_invalid()
+        # Get the pending user's username, which is used as
+        # an Identifier by most authentication backends
+        pending_user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         auth_kwargs = {
-            "password": form.cleaned_data.get("password"),
+            "password": form.cleaned_data.get("password", None),
+            "username": pending_user.username,
         }
         try:
             user = authenticate(

From 0aad0604d8f80bfdcea4354d29166e796cff0f4d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 21:31:29 +0200
Subject: [PATCH 19/80] stages/identification: migrate from core to separate
 stage

---
 passbook/core/forms/authentication.py         | 24 ------
 .../core/tests/test_views_authentication.py   | 35 +--------
 passbook/core/urls.py                         |  8 +-
 passbook/core/views/authentication.py         | 78 +------------------
 .../flows/migrations/0002_default_flows.py    | 18 ++++-
 passbook/flows/models.py                      |  3 +-
 passbook/lib/utils/http.py                    |  6 +-
 passbook/stages/identification/__init__.py    |  0
 passbook/stages/identification/api.py         | 26 +++++++
 passbook/stages/identification/apps.py        | 10 +++
 passbook/stages/identification/forms.py       | 45 +++++++++++
 .../identification/migrations/0001_initial.py | 50 ++++++++++++
 .../migrations/0002_auto_20200509_1916.py     | 18 +++++
 .../identification/migrations/__init__.py     |  0
 passbook/stages/identification/models.py      | 40 ++++++++++
 passbook/stages/identification/stage.py       | 63 +++++++++++++++
 16 files changed, 285 insertions(+), 139 deletions(-)
 create mode 100644 passbook/stages/identification/__init__.py
 create mode 100644 passbook/stages/identification/api.py
 create mode 100644 passbook/stages/identification/apps.py
 create mode 100644 passbook/stages/identification/forms.py
 create mode 100644 passbook/stages/identification/migrations/0001_initial.py
 create mode 100644 passbook/stages/identification/migrations/0002_auto_20200509_1916.py
 create mode 100644 passbook/stages/identification/migrations/__init__.py
 create mode 100644 passbook/stages/identification/models.py
 create mode 100644 passbook/stages/identification/stage.py

diff --git a/passbook/core/forms/authentication.py b/passbook/core/forms/authentication.py
index 557341284..0b442815f 100644
--- a/passbook/core/forms/authentication.py
+++ b/passbook/core/forms/authentication.py
@@ -1,38 +1,14 @@
 """passbook core authentication forms"""
 from django import forms
 from django.core.exceptions import ValidationError
-from django.core.validators import validate_email
 from django.utils.translation import gettext_lazy as _
 from structlog import get_logger
 
 from passbook.core.models import User
-from passbook.lib.config import CONFIG
-from passbook.lib.utils.ui import human_list
 
 LOGGER = get_logger()
 
 
-class LoginForm(forms.Form):
-    """Allow users to login"""
-
-    title = _("Log in to your account")
-    uid_field = forms.CharField(label=_(""))
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        if CONFIG.y("passbook.uid_fields") == ["e-mail"]:
-            self.fields["uid_field"] = forms.EmailField()
-        self.fields["uid_field"].label = human_list(
-            [x.title() for x in CONFIG.y("passbook.uid_fields")]
-        )
-
-    def clean_uid_field(self):
-        """Validate uid_field after EmailValidator if 'email' is the only selected uid_fields"""
-        if CONFIG.y("passbook.uid_fields") == ["email"]:
-            validate_email(self.cleaned_data.get("uid_field"))
-        return self.cleaned_data.get("uid_field")
-
-
 class SignUpForm(forms.Form):
     """SignUp Form"""
 
diff --git a/passbook/core/tests/test_views_authentication.py b/passbook/core/tests/test_views_authentication.py
index 1144abbd7..1895e3e22 100644
--- a/passbook/core/tests/test_views_authentication.py
+++ b/passbook/core/tests/test_views_authentication.py
@@ -5,9 +5,8 @@ from random import SystemRandom
 from django.test import TestCase
 from django.urls import reverse
 
-from passbook.core.forms.authentication import LoginForm, SignUpForm
+from passbook.core.forms.authentication import SignUpForm
 from passbook.core.models import User
-from passbook.flows.models import Flow, FlowDesignation
 
 
 class TestAuthenticationViews(TestCase):
@@ -40,20 +39,6 @@ class TestAuthenticationViews(TestCase):
         response = self.client.get(reverse("passbook_core:auth-sign-up"))
         self.assertEqual(response.status_code, 200)
 
-    def test_login_view(self):
-        """Test account.login view (Anonymous)"""
-        self.client.logout()
-        response = self.client.get(reverse("passbook_core:auth-login"))
-        self.assertEqual(response.status_code, 200)
-        # test login with post
-        form = LoginForm(self.login_data)
-        self.assertTrue(form.is_valid())
-
-        response = self.client.post(
-            reverse("passbook_core:auth-login"), data=form.cleaned_data
-        )
-        self.assertEqual(response.status_code, 302)
-
     def test_logout_view(self):
         """Test account.logout view"""
         self.client.force_login(self.user)
@@ -66,24 +51,6 @@ class TestAuthenticationViews(TestCase):
         response = self.client.get(reverse("passbook_core:auth-logout"))
         self.assertEqual(response.status_code, 302)
 
-    def test_login_view_auth(self):
-        """Test account.login view (Authenticated)"""
-        self.client.force_login(self.user)
-        response = self.client.get(reverse("passbook_core:auth-login"))
-        self.assertEqual(response.status_code, 302)
-
-    def test_login_view_post(self):
-        """Test account.login view POST (Anonymous)"""
-        login_response = self.client.post(
-            reverse("passbook_core:auth-login"), data=self.login_data
-        )
-        self.assertEqual(login_response.status_code, 302)
-        flow = Flow.objects.get(designation=FlowDesignation.AUTHENTICATION)
-        expected = reverse(
-            "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
-        )
-        self.assertEqual(login_response.url, expected)
-
     def test_sign_up_view_post(self):
         """Test account.sign_up view POST (Anonymous)"""
         form = SignUpForm(self.sign_up_data)
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index 083a142d3..4660242df 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -2,10 +2,16 @@
 from django.urls import path
 
 from passbook.core.views import authentication, overview, user
+from passbook.flows.models import FlowDesignation
+from passbook.flows.views import ToDefaultFlow
 
 urlpatterns = [
     # Authentication views
-    path("auth/login/", authentication.LoginView.as_view(), name="auth-login"),
+    path(
+        "auth/login/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.AUTHENTICATION),
+        name="auth-login",
+    ),
     path("auth/logout/", authentication.LogoutView.as_view(), name="auth-logout"),
     path("auth/sign_up/", authentication.SignUpView.as_view(), name="auth-sign-up"),
     path(
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 86739871d..f970609cd 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -1,5 +1,5 @@
 """passbook core authentication views"""
-from typing import Dict, Optional
+from typing import Dict
 
 from django.contrib import messages
 from django.contrib.auth import login, logout
@@ -12,87 +12,15 @@ from django.views import View
 from django.views.generic import FormView
 from structlog import get_logger
 
-from passbook.core.forms.authentication import LoginForm, SignUpForm
-from passbook.core.models import Invitation, Nonce, Source, User
+from passbook.core.forms.authentication import SignUpForm
+from passbook.core.models import Invitation, Nonce, User
 from passbook.core.signals import invitation_used, user_signed_up
-from passbook.flows.models import Flow, FlowDesignation
-from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
-from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.config import CONFIG
-from passbook.lib.utils.urls import redirect_with_qs
 from passbook.stages.password.exceptions import PasswordPolicyInvalid
 
 LOGGER = get_logger()
 
 
-class LoginView(UserPassesTestMixin, FormView):
-    """Allow users to sign in"""
-
-    template_name = "login/form.html"
-    form_class = LoginForm
-    success_url = "."
-
-    # Allow only not authenticated users to login
-    def test_func(self):
-        return self.request.user.is_authenticated is False
-
-    def handle_no_permission(self):
-        if "next" in self.request.GET:
-            return redirect(self.request.GET.get("next"))
-        return redirect(reverse("passbook_core:overview"))
-
-    def get_context_data(self, **kwargs):
-        kwargs["config"] = CONFIG.y("passbook")
-        kwargs["title"] = _("Log in to your account")
-        kwargs["primary_action"] = _("Log in")
-        kwargs["show_sign_up_notice"] = CONFIG.y("passbook.sign_up.enabled")
-        kwargs["sources"] = []
-        sources = (
-            Source.objects.filter(enabled=True).order_by("name").select_subclasses()
-        )
-        for source in sources:
-            ui_login_button = source.ui_login_button
-            if ui_login_button:
-                kwargs["sources"].append(ui_login_button)
-        return super().get_context_data(**kwargs)
-
-    def get_user(self, uid_value) -> Optional[User]:
-        """Find user instance. Returns None if no user was found."""
-        for search_field in CONFIG.y("passbook.uid_fields"):
-            # Workaround for E-Mail -> email
-            if search_field == "e-mail":
-                search_field = "email"
-            users = User.objects.filter(**{search_field: uid_value})
-            if users.exists():
-                LOGGER.debug("Found user", user=users.first(), uid_field=search_field)
-                return users.first()
-        return None
-
-    def form_valid(self, form: LoginForm) -> HttpResponse:
-        """Form data is valid"""
-        pre_user = self.get_user(form.cleaned_data.get("uid_field"))
-        if not pre_user:
-            # No user found
-            return self.invalid_login(self.request)
-        # We run the Flow planner here so we can pass the Pending user in the context
-        flow = get_object_or_404(Flow, designation=FlowDesignation.AUTHENTICATION)
-        planner = FlowPlanner(flow)
-        plan = planner.plan(self.request)
-        plan.context[PLAN_CONTEXT_PENDING_USER] = pre_user
-        self.request.session[SESSION_KEY_PLAN] = plan
-        return redirect_with_qs(
-            "passbook_flows:flow-executor", self.request.GET, flow_slug=flow.slug,
-        )
-
-    def invalid_login(
-        self, request: HttpRequest, disabled_user: User = None
-    ) -> HttpResponse:
-        """Handle login for disabled users/invalid login attempts"""
-        LOGGER.debug("invalid_login", user=disabled_user)
-        messages.error(request, _("Failed to authenticate."))
-        return self.render_to_response(self.get_context_data())
-
-
 class LogoutView(LoginRequiredMixin, View):
     """Log current user out"""
 
diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index d2c326b7b..18812ad75 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -5,23 +5,35 @@ from django.db import migrations
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from passbook.flows.models import FlowDesignation
+from passbook.stages.identification.models import Templates, UserFields
 
 
 def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Flow = apps.get_model("passbook_flows", "Flow")
     FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
     PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
+    IdentificationStage = apps.get_model(
+        "passbook_stages_identification", "IdentificationStage"
+    )
     db_alias = schema_editor.connection.alias
 
     if Flow.objects.using(db_alias).all().exists():
         # Only create default flow when none exist
         return
 
+    if not IdentificationStage.objects.using(db_alias).exists():
+        IdentificationStage.objects.using(db_alias).create(
+            name="identification",
+            user_fields=[UserFields.E_MAIL],
+            template=Templates.DEFAULT_LOGIN,
+        )
+
     if not PasswordStage.objects.using(db_alias).exists():
         PasswordStage.objects.using(db_alias).create(
             name="password", backends=["django.contrib.auth.backends.ModelBackend"],
         )
 
+    ident_stage = IdentificationStage.objects.using(db_alias).first()
     pw_stage = PasswordStage.objects.using(db_alias).first()
     flow = Flow.objects.using(db_alias).create(
         name="default-authentication-flow",
@@ -29,7 +41,10 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
         designation=FlowDesignation.AUTHENTICATION,
     )
     FlowStageBinding.objects.using(db_alias).create(
-        flow=flow, stage=pw_stage, order=0,
+        flow=flow, stage=ident_stage, order=0,
+    )
+    FlowStageBinding.objects.using(db_alias).create(
+        flow=flow, stage=pw_stage, order=1,
     )
 
 
@@ -38,6 +53,7 @@ class Migration(migrations.Migration):
     dependencies = [
         ("passbook_flows", "0001_initial"),
         ("passbook_stages_password", "0001_initial"),
+        ("passbook_stages_identification", "0001_initial"),
     ]
 
     operations = [migrations.RunPython(create_default_flow)]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index 8b6ecbddb..cb62df1f7 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -1,6 +1,5 @@
 """Flow models"""
-from enum import Enum
-from typing import Optional, Tuple
+from typing import Optional
 
 from django.db import models
 from django.utils.translation import gettext_lazy as _
diff --git a/passbook/lib/utils/http.py b/passbook/lib/utils/http.py
index 22dc038b6..cb34a31aa 100644
--- a/passbook/lib/utils/http.py
+++ b/passbook/lib/utils/http.py
@@ -18,7 +18,9 @@ def _get_client_ip_from_meta(meta: Dict[str, Any]) -> Optional[str]:
     return None
 
 
-def get_client_ip(request: HttpRequest) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
     """Attempt to get the client's IP by checking common HTTP Headers.
     Returns none if no IP Could be found"""
-    return _get_client_ip_from_meta(request.META)
+    if request:
+        return _get_client_ip_from_meta(request.META)
+    return ""
diff --git a/passbook/stages/identification/__init__.py b/passbook/stages/identification/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/identification/api.py b/passbook/stages/identification/api.py
new file mode 100644
index 000000000..bd56a0a61
--- /dev/null
+++ b/passbook/stages/identification/api.py
@@ -0,0 +1,26 @@
+"""Identification Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.identification.models import IdentificationStage
+
+
+class IdentificationStageSerializer(ModelSerializer):
+    """IdentificationStage Serializer"""
+
+    class Meta:
+
+        model = IdentificationStage
+        fields = [
+            "pk",
+            "name",
+            "user_fields",
+            "template",
+        ]
+
+
+class IdentificationStageViewSet(ModelViewSet):
+    """IdentificationStage Viewset"""
+
+    queryset = IdentificationStage.objects.all()
+    serializer_class = IdentificationStageSerializer
diff --git a/passbook/stages/identification/apps.py b/passbook/stages/identification/apps.py
new file mode 100644
index 000000000..714721728
--- /dev/null
+++ b/passbook/stages/identification/apps.py
@@ -0,0 +1,10 @@
+"""passbook identification stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageIdentificationConfig(AppConfig):
+    """passbook identification stage config"""
+
+    name = "passbook.stages.identification"
+    label = "passbook_stages_identification"
+    verbose_name = "passbook Stages.Identification"
diff --git a/passbook/stages/identification/forms.py b/passbook/stages/identification/forms.py
new file mode 100644
index 000000000..5f6f04c75
--- /dev/null
+++ b/passbook/stages/identification/forms.py
@@ -0,0 +1,45 @@
+"""passbook flows identification forms"""
+from django import forms
+from django.core.validators import validate_email
+from django.utils.translation import gettext_lazy as _
+from structlog import get_logger
+
+from passbook.lib.config import CONFIG
+from passbook.lib.utils.ui import human_list
+from passbook.stages.identification.models import IdentificationStage
+
+LOGGER = get_logger()
+
+
+class IdentificationStageForm(forms.ModelForm):
+    """Form to create/edit IdentificationStage instances"""
+
+    class Meta:
+
+        model = IdentificationStage
+        fields = ["name", "user_fields", "template"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
+
+
+class IdentificationForm(forms.Form):
+    """Allow users to login"""
+
+    title = _("Log in to your account")
+    uid_field = forms.CharField(label=_(""))
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # TODO: Get UID Fields from stage config
+        if CONFIG.y("passbook.uid_fields") == ["e-mail"]:
+            self.fields["uid_field"] = forms.EmailField()
+        self.fields["uid_field"].label = human_list(
+            [x.title() for x in CONFIG.y("passbook.uid_fields")]
+        )
+
+    def clean_uid_field(self):
+        """Validate uid_field after EmailValidator if 'email' is the only selected uid_fields"""
+        if CONFIG.y("passbook.uid_fields") == ["email"]:
+            validate_email(self.cleaned_data.get("uid_field"))
+        return self.cleaned_data.get("uid_field")
diff --git a/passbook/stages/identification/migrations/0001_initial.py b/passbook/stages/identification/migrations/0001_initial.py
new file mode 100644
index 000000000..1158f9598
--- /dev/null
+++ b/passbook/stages/identification/migrations/0001_initial.py
@@ -0,0 +1,50 @@
+# Generated by Django 3.0.3 on 2020-05-09 18:34
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="IdentificationStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+                (
+                    "user_fields",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.CharField(
+                            choices=[("e-mail", "E Mail"), ("username", "Username")],
+                            max_length=100,
+                        ),
+                        help_text="Fields of the user object to match against.",
+                        size=None,
+                    ),
+                ),
+                ("template", models.TextField()),
+            ],
+            options={
+                "verbose_name": "Identification Stage",
+                "verbose_name_plural": "Identification Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/stages/identification/migrations/0002_auto_20200509_1916.py b/passbook/stages/identification/migrations/0002_auto_20200509_1916.py
new file mode 100644
index 000000000..6b5aeef2e
--- /dev/null
+++ b/passbook/stages/identification/migrations/0002_auto_20200509_1916.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.0.3 on 2020-05-09 19:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_identification", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="identificationstage",
+            name="template",
+            field=models.TextField(choices=[("login/form.html", "Default Login")]),
+        ),
+    ]
diff --git a/passbook/stages/identification/migrations/__init__.py b/passbook/stages/identification/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/identification/models.py b/passbook/stages/identification/models.py
new file mode 100644
index 000000000..1e56f572e
--- /dev/null
+++ b/passbook/stages/identification/models.py
@@ -0,0 +1,40 @@
+"""identification stage models"""
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserFields(models.TextChoices):
+    """Fields which the user can identifiy themselves with"""
+
+    E_MAIL = "email"
+    USERNAME = "username"
+
+
+class Templates(models.TextChoices):
+    """Templates to be used for the stage"""
+
+    DEFAULT_LOGIN = "login/form.html"
+
+
+class IdentificationStage(Stage):
+    """Identification stage, allows a user to identify themselves to authenticate."""
+
+    user_fields = ArrayField(
+        models.CharField(max_length=100, choices=UserFields.choices),
+        help_text=_("Fields of the user object to match against."),
+    )
+    template = models.TextField(choices=Templates.choices)
+
+    type = "passbook.stages.identification.stage.IdentificationStageView"
+    form = "passbook.stages.identification.forms.IdentificationStageForm"
+
+    def __str__(self):
+        return f"Identification Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Identification Stage")
+        verbose_name_plural = _("Identification Stages")
diff --git a/passbook/stages/identification/stage.py b/passbook/stages/identification/stage.py
new file mode 100644
index 000000000..1bbd32143
--- /dev/null
+++ b/passbook/stages/identification/stage.py
@@ -0,0 +1,63 @@
+"""Identification stage logic"""
+from typing import List, Optional
+
+from django.contrib import messages
+from django.http import HttpResponse
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from structlog import get_logger
+
+from passbook.core.models import Source, User
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.lib.config import CONFIG
+from passbook.stages.identification.forms import IdentificationForm
+from passbook.stages.identification.models import IdentificationStage
+
+LOGGER = get_logger()
+
+
+class IdentificationStageView(FormView, AuthenticationStage):
+    """Form to identify the user"""
+
+    template_name = "login/form.html"
+    form_class = IdentificationForm
+
+    def get_template_names(self) -> List[str]:
+        current_stage: IdentificationStage = self.executor.current_stage
+        return [current_stage.template]
+
+    def get_context_data(self, **kwargs):
+        kwargs["config"] = CONFIG.y("passbook")
+        kwargs["title"] = _("Log in to your account")
+        kwargs["primary_action"] = _("Log in")
+        kwargs["show_sign_up_notice"] = CONFIG.y("passbook.sign_up.enabled")
+        kwargs["sources"] = []
+        sources = (
+            Source.objects.filter(enabled=True).order_by("name").select_subclasses()
+        )
+        for source in sources:
+            ui_login_button = source.ui_login_button
+            if ui_login_button:
+                kwargs["sources"].append(ui_login_button)
+        return super().get_context_data(**kwargs)
+
+    def get_user(self, uid_value) -> Optional[User]:
+        """Find user instance. Returns None if no user was found."""
+        current_stage: IdentificationStage = self.executor.current_stage
+        for search_field in current_stage.user_fields:
+            users = User.objects.filter(**{search_field: uid_value})
+            if users.exists():
+                LOGGER.debug("Found user", user=users.first(), uid_field=search_field)
+                return users.first()
+        return None
+
+    def form_valid(self, form: IdentificationForm) -> HttpResponse:
+        """Form data is valid"""
+        pre_user = self.get_user(form.cleaned_data.get("uid_field"))
+        if not pre_user:
+            LOGGER.debug("invalid_login")
+            messages.error(self.request, _("Failed to authenticate."))
+            return self.executor.stage_invalid()
+        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = pre_user
+        return self.executor.stage_ok()

From c46f0781fc86ad41afa4a34b9b59fedf406dfec1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 23:19:36 +0200
Subject: [PATCH 20/80] flows: separate final login step from flow executor

---
 passbook/api/v2/urls.py                       | 11 ++++++
 .../flows/migrations/0002_default_flows.py    | 11 ++++++
 passbook/flows/views.py                       | 15 +-------
 passbook/stages/login/__init__.py             |  0
 passbook/stages/login/api.py                  | 24 ++++++++++++
 passbook/stages/login/apps.py                 | 10 +++++
 passbook/stages/login/forms.py                | 16 ++++++++
 .../stages/login/migrations/0001_initial.py   | 37 +++++++++++++++++++
 passbook/stages/login/migrations/__init__.py  |  0
 passbook/stages/login/models.py               | 19 ++++++++++
 passbook/stages/login/stage.py                | 36 ++++++++++++++++++
 11 files changed, 166 insertions(+), 13 deletions(-)
 create mode 100644 passbook/stages/login/__init__.py
 create mode 100644 passbook/stages/login/api.py
 create mode 100644 passbook/stages/login/apps.py
 create mode 100644 passbook/stages/login/forms.py
 create mode 100644 passbook/stages/login/migrations/0001_initial.py
 create mode 100644 passbook/stages/login/migrations/__init__.py
 create mode 100644 passbook/stages/login/models.py
 create mode 100644 passbook/stages/login/stage.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index d651e991f..2a66dca99 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -33,6 +33,8 @@ from passbook.sources.oauth.api import OAuthSourceViewSet
 from passbook.stages.captcha.api import CaptchaStageViewSet
 from passbook.stages.dummy.api import DummyStageViewSet
 from passbook.stages.email.api import EmailStageViewSet
+from passbook.stages.identification.api import IdentificationStageViewSet
+from passbook.stages.login.api import LoginStageViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 
@@ -49,10 +51,13 @@ router.register("core/applications", ApplicationViewSet)
 router.register("core/invitations", InvitationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
+
 router.register("audit/events", EventViewSet)
+
 router.register("sources/all", SourceViewSet)
 router.register("sources/ldap", LDAPSourceViewSet)
 router.register("sources/oauth", OAuthSourceViewSet)
+
 router.register("policies/all", PolicyViewSet)
 router.register("policies/passwordexpiry", PasswordExpiryPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
@@ -60,20 +65,26 @@ router.register("policies/password", PasswordPolicyViewSet)
 router.register("policies/reputation", ReputationPolicyViewSet)
 router.register("policies/webhook", WebhookPolicyViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
+
 router.register("providers/all", ProviderViewSet)
 router.register("providers/applicationgateway", ApplicationGatewayProviderViewSet)
 router.register("providers/oauth", OAuth2ProviderViewSet)
 router.register("providers/openid", OpenIDProviderViewSet)
 router.register("providers/saml", SAMLProviderViewSet)
+
 router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
+
 router.register("stages/all", StageViewSet)
 router.register("stages/captcha", CaptchaStageViewSet)
 router.register("stages/dummy", DummyStageViewSet)
 router.register("stages/email", EmailStageViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
+router.register("stages/identification", IdentificationStageViewSet)
+router.register("stages/login", LoginStageViewSet)
+
 router.register("flows", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
 
diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index 18812ad75..556cfaa3c 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -12,6 +12,9 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Flow = apps.get_model("passbook_flows", "Flow")
     FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
     PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
+    LoginStage = apps.get_model(
+        "passbook_stages_login", "LoginStage"
+    )
     IdentificationStage = apps.get_model(
         "passbook_stages_identification", "IdentificationStage"
     )
@@ -33,8 +36,12 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
             name="password", backends=["django.contrib.auth.backends.ModelBackend"],
         )
 
+    if not LoginStage.objects.using(db_alias).exists():
+        LoginStage.objects.using(db_alias).create(name="authentication")
+
     ident_stage = IdentificationStage.objects.using(db_alias).first()
     pw_stage = PasswordStage.objects.using(db_alias).first()
+    login_stage = LoginStage.objects.using(db_alias).first()
     flow = Flow.objects.using(db_alias).create(
         name="default-authentication-flow",
         slug="default-authentication-flow",
@@ -46,12 +53,16 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     FlowStageBinding.objects.using(db_alias).create(
         flow=flow, stage=pw_stage, order=1,
     )
+    FlowStageBinding.objects.using(db_alias).create(
+        flow=flow, stage=login_stage, order=2,
+    )
 
 
 class Migration(migrations.Migration):
 
     dependencies = [
         ("passbook_flows", "0001_initial"),
+        ("passbook_stages_login", "0001_initial"),
         ("passbook_stages_password", "0001_initial"),
         ("passbook_stages_identification", "0001_initial"),
     ]
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index f4a3805db..eaa3b7e97 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -1,7 +1,6 @@
 """passbook multi-stage authentication engine"""
 from typing import Optional
 
-from django.contrib.auth import login
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.views.generic import View
@@ -27,7 +26,7 @@ class FlowExecutorView(View):
 
     flow: Flow
 
-    plan: FlowPlan
+    plan: Optional[FlowPlan] = None
     current_stage: Stage
     current_stage_view: View
 
@@ -116,15 +115,6 @@ class FlowExecutorView(View):
 
     def _flow_done(self) -> HttpResponse:
         """User Successfully passed all stages"""
-        backend = self.plan.context[PLAN_CONTEXT_PENDING_USER].backend
-        login(
-            self.request, self.plan.context[PLAN_CONTEXT_PENDING_USER], backend=backend
-        )
-        LOGGER.debug(
-            "Logged in",
-            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
-            flow_slug=self.flow.slug,
-        )
         self.cancel()
         next_param = self.request.GET.get(NEXT_ARG_NAME, None)
         if next_param and not is_url_absolute(next_param):
@@ -165,10 +155,9 @@ class FlowExecutorView(View):
         self.cancel()
         return redirect_with_qs("passbook_flows:denied", self.request.GET)
 
-    def cancel(self) -> HttpResponse:
+    def cancel(self):
         """Cancel current execution and return a redirect"""
         del self.request.session[SESSION_KEY_PLAN]
-        return redirect_with_qs("passbook_flows:denied", self.request.GET)
 
 
 class FlowPermissionDeniedView(PermissionDeniedView):
diff --git a/passbook/stages/login/__init__.py b/passbook/stages/login/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/login/api.py b/passbook/stages/login/api.py
new file mode 100644
index 000000000..eb28d9042
--- /dev/null
+++ b/passbook/stages/login/api.py
@@ -0,0 +1,24 @@
+"""Login Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.login.models import LoginStage
+
+
+class LoginStageSerializer(ModelSerializer):
+    """LoginStage Serializer"""
+
+    class Meta:
+
+        model = LoginStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class LoginStageViewSet(ModelViewSet):
+    """LoginStage Viewset"""
+
+    queryset = LoginStage.objects.all()
+    serializer_class = LoginStageSerializer
diff --git a/passbook/stages/login/apps.py b/passbook/stages/login/apps.py
new file mode 100644
index 000000000..83ec4e638
--- /dev/null
+++ b/passbook/stages/login/apps.py
@@ -0,0 +1,10 @@
+"""passbook login stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageLoginConfig(AppConfig):
+    """passbook login stage config"""
+
+    name = "passbook.stages.login"
+    label = "passbook_stages_login"
+    verbose_name = "passbook Stages.Login"
diff --git a/passbook/stages/login/forms.py b/passbook/stages/login/forms.py
new file mode 100644
index 000000000..5dc8d6ee5
--- /dev/null
+++ b/passbook/stages/login/forms.py
@@ -0,0 +1,16 @@
+"""passbook flows login forms"""
+from django import forms
+
+from passbook.stages.login.models import LoginStage
+
+
+class LoginStageForm(forms.ModelForm):
+    """Form to create/edit LoginStage instances"""
+
+    class Meta:
+
+        model = LoginStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/stages/login/migrations/0001_initial.py b/passbook/stages/login/migrations/0001_initial.py
new file mode 100644
index 000000000..52e6060d8
--- /dev/null
+++ b/passbook/stages/login/migrations/0001_initial.py
@@ -0,0 +1,37 @@
+# Generated by Django 3.0.3 on 2020-05-09 20:26
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="LoginStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Login Stage",
+                "verbose_name_plural": "Login Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/stages/login/migrations/__init__.py b/passbook/stages/login/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/login/models.py b/passbook/stages/login/models.py
new file mode 100644
index 000000000..b48f0566e
--- /dev/null
+++ b/passbook/stages/login/models.py
@@ -0,0 +1,19 @@
+"""login stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class LoginStage(Stage):
+    """Login stage, allows a user to identify themselves to authenticate."""
+
+    type = "passbook.stages.login.stage.LoginStageView"
+    form = "passbook.stages.login.forms.LoginStageForm"
+
+    def __str__(self):
+        return f"Login Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Login Stage")
+        verbose_name_plural = _("Login Stages")
diff --git a/passbook/stages/login/stage.py b/passbook/stages/login/stage.py
new file mode 100644
index 000000000..74bce930b
--- /dev/null
+++ b/passbook/stages/login/stage.py
@@ -0,0 +1,36 @@
+"""Login stage logic"""
+from django.contrib import messages
+from django.contrib.auth import login
+from django.http import HttpRequest, HttpResponse
+from django.utils.translation import gettext as _
+from structlog import get_logger
+
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+
+LOGGER = get_logger()
+
+
+class LoginStageView(AuthenticationStage):
+    """Finalise Authentication flow by logging the user in"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
+            messages.error(request, _("No Pending user to login."))
+            return self.executor.stage_invalid()
+        if PLAN_CONTEXT_AUTHENTICATION_BACKEND not in self.executor.plan.context:
+            messages.error(request, _("Pending user has no backend."))
+            return self.executor.stage_invalid()
+        backend = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER].backend
+        login(
+            self.request,
+            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
+            backend=backend,
+        )
+        LOGGER.debug(
+            "Logged in",
+            user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
+            flow_slug=self.executor.flow.slug,
+        )
+        return self.executor.stage_ok()

From caeaf8d5a97bb588ef10a308cde365b8334519d1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 23:20:20 +0200
Subject: [PATCH 21/80] stages/identification: optimise User lookup query

---
 .../migrations/0003_auto_20200509_2025.py     | 26 +++++++++++++++++++
 passbook/stages/identification/stage.py       | 15 ++++++-----
 2 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 passbook/stages/identification/migrations/0003_auto_20200509_2025.py

diff --git a/passbook/stages/identification/migrations/0003_auto_20200509_2025.py b/passbook/stages/identification/migrations/0003_auto_20200509_2025.py
new file mode 100644
index 000000000..5f9672350
--- /dev/null
+++ b/passbook/stages/identification/migrations/0003_auto_20200509_2025.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.0.3 on 2020-05-09 20:25
+
+import django.contrib.postgres.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_identification", "0002_auto_20200509_1916"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="identificationstage",
+            name="user_fields",
+            field=django.contrib.postgres.fields.ArrayField(
+                base_field=models.CharField(
+                    choices=[("email", "E Mail"), ("username", "Username")],
+                    max_length=100,
+                ),
+                help_text="Fields of the user object to match against.",
+                size=None,
+            ),
+        ),
+    ]
diff --git a/passbook/stages/identification/stage.py b/passbook/stages/identification/stage.py
index 1bbd32143..dfe4965b7 100644
--- a/passbook/stages/identification/stage.py
+++ b/passbook/stages/identification/stage.py
@@ -2,6 +2,7 @@
 from typing import List, Optional
 
 from django.contrib import messages
+from django.db.models import Q
 from django.http import HttpResponse
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
@@ -20,7 +21,6 @@ LOGGER = get_logger()
 class IdentificationStageView(FormView, AuthenticationStage):
     """Form to identify the user"""
 
-    template_name = "login/form.html"
     form_class = IdentificationForm
 
     def get_template_names(self) -> List[str]:
@@ -31,6 +31,7 @@ class IdentificationStageView(FormView, AuthenticationStage):
         kwargs["config"] = CONFIG.y("passbook")
         kwargs["title"] = _("Log in to your account")
         kwargs["primary_action"] = _("Log in")
+        # TODO: show this based on the existence of an enrollment flow
         kwargs["show_sign_up_notice"] = CONFIG.y("passbook.sign_up.enabled")
         kwargs["sources"] = []
         sources = (
@@ -42,14 +43,16 @@ class IdentificationStageView(FormView, AuthenticationStage):
                 kwargs["sources"].append(ui_login_button)
         return super().get_context_data(**kwargs)
 
-    def get_user(self, uid_value) -> Optional[User]:
+    def get_user(self, uid_value: str) -> Optional[User]:
         """Find user instance. Returns None if no user was found."""
         current_stage: IdentificationStage = self.executor.current_stage
+        query = Q()
         for search_field in current_stage.user_fields:
-            users = User.objects.filter(**{search_field: uid_value})
-            if users.exists():
-                LOGGER.debug("Found user", user=users.first(), uid_field=search_field)
-                return users.first()
+            query |= Q(**{search_field: uid_value})
+        users = User.objects.filter(query)
+        if users.exists():
+            LOGGER.debug("Found user", user=users.first(), query=query)
+            return users.first()
         return None
 
     def form_valid(self, form: IdentificationForm) -> HttpResponse:

From fd5b2298e586034680f00cdce678cf9d4f3e1313 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sat, 9 May 2020 23:31:35 +0200
Subject: [PATCH 22/80] flows: fix unittests and migrations

---
 passbook/flows/migrations/0002_default_flows.py | 4 +---
 passbook/root/settings.py                       | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index 556cfaa3c..d42b8ded6 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -12,9 +12,7 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Flow = apps.get_model("passbook_flows", "Flow")
     FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
     PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
-    LoginStage = apps.get_model(
-        "passbook_stages_login", "LoginStage"
-    )
+    LoginStage = apps.get_model("passbook_stages_login", "LoginStage")
     IdentificationStage = apps.get_model(
         "passbook_stages_identification", "IdentificationStage"
     )
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index d7edbfb05..30ff8bbf8 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -96,6 +96,7 @@ INSTALLED_APPS = [
     "passbook.providers.oidc.apps.PassbookProviderOIDCConfig",
     "passbook.providers.saml.apps.PassbookProviderSAMLConfig",
     "passbook.providers.samlv2.apps.PassbookProviderSAMLv2Config",
+    "passbook.stages.login.apps.PassbookStageLoginConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",

From 8e488670ad4a592a53deda49b3205f5d8966ecb0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 00:05:36 +0200
Subject: [PATCH 23/80] stages/identification: load uid_fields from stage in
 form, add more unit tests

---
 passbook/flows/urls.py                   |  2 +-
 passbook/flows/views.py                  |  2 +-
 passbook/stages/identification/forms.py  | 13 ++--
 passbook/stages/identification/models.py |  2 +-
 passbook/stages/identification/stage.py  |  7 +-
 passbook/stages/identification/tests.py  | 84 ++++++++++++++++++++++++
 6 files changed, 100 insertions(+), 10 deletions(-)
 create mode 100644 passbook/stages/identification/tests.py

diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 9198aab18..038e21d8b 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -4,6 +4,6 @@ from django.urls import path
 from passbook.flows.views import FlowExecutorView, FlowPermissionDeniedView
 
 urlpatterns = [
-    path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
     path("denied/", FlowPermissionDeniedView.as_view(), name="denied"),
+    path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
 ]
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index eaa3b7e97..5774460af 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -151,7 +151,7 @@ class FlowExecutorView(View):
     def stage_invalid(self) -> HttpResponse:
         """Callback used stage when data is correct but a policy denies access
         or the user account is disabled."""
-        LOGGER.debug("User invalid", flow_slug=self.flow.slug)
+        LOGGER.debug("Stage invalid", flow_slug=self.flow.slug)
         self.cancel()
         return redirect_with_qs("passbook_flows:denied", self.request.GET)
 
diff --git a/passbook/stages/identification/forms.py b/passbook/stages/identification/forms.py
index 5f6f04c75..cd03e46d4 100644
--- a/passbook/stages/identification/forms.py
+++ b/passbook/stages/identification/forms.py
@@ -4,9 +4,8 @@ from django.core.validators import validate_email
 from django.utils.translation import gettext_lazy as _
 from structlog import get_logger
 
-from passbook.lib.config import CONFIG
 from passbook.lib.utils.ui import human_list
-from passbook.stages.identification.models import IdentificationStage
+from passbook.stages.identification.models import IdentificationStage, UserFields
 
 LOGGER = get_logger()
 
@@ -26,20 +25,22 @@ class IdentificationStageForm(forms.ModelForm):
 class IdentificationForm(forms.Form):
     """Allow users to login"""
 
+    stage: IdentificationStage
+
     title = _("Log in to your account")
     uid_field = forms.CharField(label=_(""))
 
     def __init__(self, *args, **kwargs):
+        self.stage = kwargs.pop("stage")
         super().__init__(*args, **kwargs)
-        # TODO: Get UID Fields from stage config
-        if CONFIG.y("passbook.uid_fields") == ["e-mail"]:
+        if self.stage.user_fields == [UserFields.E_MAIL]:
             self.fields["uid_field"] = forms.EmailField()
         self.fields["uid_field"].label = human_list(
-            [x.title() for x in CONFIG.y("passbook.uid_fields")]
+            [y.title() for x, y in UserFields.choices]
         )
 
     def clean_uid_field(self):
         """Validate uid_field after EmailValidator if 'email' is the only selected uid_fields"""
-        if CONFIG.y("passbook.uid_fields") == ["email"]:
+        if self.stage.user_fields == [UserFields.E_MAIL]:
             validate_email(self.cleaned_data.get("uid_field"))
         return self.cleaned_data.get("uid_field")
diff --git a/passbook/stages/identification/models.py b/passbook/stages/identification/models.py
index 1e56f572e..40616d0ac 100644
--- a/passbook/stages/identification/models.py
+++ b/passbook/stages/identification/models.py
@@ -7,7 +7,7 @@ from passbook.flows.models import Stage
 
 
 class UserFields(models.TextChoices):
-    """Fields which the user can identifiy themselves with"""
+    """Fields which the user can identify themselves with"""
 
     E_MAIL = "email"
     USERNAME = "username"
diff --git a/passbook/stages/identification/stage.py b/passbook/stages/identification/stage.py
index dfe4965b7..9e9fb4b0b 100644
--- a/passbook/stages/identification/stage.py
+++ b/passbook/stages/identification/stage.py
@@ -23,6 +23,11 @@ class IdentificationStageView(FormView, AuthenticationStage):
 
     form_class = IdentificationForm
 
+    def get_form_kwargs(self):
+        kwargs = super().get_form_kwargs()
+        kwargs["stage"] = self.executor.current_stage
+        return kwargs
+
     def get_template_names(self) -> List[str]:
         current_stage: IdentificationStage = self.executor.current_stage
         return [current_stage.template]
@@ -61,6 +66,6 @@ class IdentificationStageView(FormView, AuthenticationStage):
         if not pre_user:
             LOGGER.debug("invalid_login")
             messages.error(self.request, _("Failed to authenticate."))
-            return self.executor.stage_invalid()
+            return self.form_invalid(form)
         self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = pre_user
         return self.executor.stage_ok()
diff --git a/passbook/stages/identification/tests.py b/passbook/stages/identification/tests.py
new file mode 100644
index 000000000..2c2bf98ab
--- /dev/null
+++ b/passbook/stages/identification/tests.py
@@ -0,0 +1,84 @@
+"""identification tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.sources.oauth.models import OAuthSource
+from passbook.stages.identification.models import (
+    IdentificationStage,
+    Templates,
+    UserFields,
+)
+from passbook.stages.login.models import LoginStage
+
+
+class TestIdentificationStage(TestCase):
+    """Identification tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-identification",
+            slug="test-identification",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        FlowStageBinding.objects.create(
+            flow=self.flow,
+            stage=IdentificationStage.objects.create(
+                name="identification",
+                user_fields=[UserFields.E_MAIL],
+                template=Templates.DEFAULT_LOGIN,
+            ),
+            order=0,
+        )
+        FlowStageBinding.objects.create(
+            flow=self.flow, stage=LoginStage.objects.create(name="login",), order=1
+        )
+
+        # OAuthSource for the login view
+        OAuthSource.objects.create(name="test", slug="test")
+
+    def test_valid_render(self):
+        """Test that View renders correctly"""
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_valid_with_email(self):
+        """Test with valid email, check that URL redirects back to itself"""
+        form_data = {"uid_field": self.user.email}
+        url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+        )
+        response = self.client.post(url, form_data,)
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, url)
+
+    def test_invalid_with_username(self):
+        """Test invalid with username (user exists but stage only allows e-mail)"""
+        form_data = {"uid_field": self.user.username}
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            form_data,
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_invalid_with_invalid_email(self):
+        """Test with invalid e-mail (user doesn't exist) -> Will return to login form"""
+        form_data = {"uid_field": self.user.email + "test"}
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            form_data,
+        )
+        self.assertEqual(response.status_code, 200)

From 9a700e506bc1064cbc30519ae687f8a7b60c570b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 01:01:58 +0200
Subject: [PATCH 24/80] stages/identification: simplify unittests

---
 passbook/flows/views.py                 | 26 +++++++++++++------------
 passbook/stages/identification/tests.py | 19 +++++++-----------
 2 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index 5774460af..e5e07aa71 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -54,7 +54,7 @@ class FlowExecutorView(View):
     def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
         """When a flow is non-applicable check if user is on the correct domain"""
         if NEXT_ARG_NAME in self.request.GET:
-            LOGGER.debug("Redirecting to next on fail")
+            LOGGER.debug("f(exec): Redirecting to next on fail")
             return redirect(self.request.GET.get(NEXT_ARG_NAME))
         incorrect_domain_message = self._check_config_domain()
         if incorrect_domain_message:
@@ -65,24 +65,26 @@ class FlowExecutorView(View):
         # Early check if theres an active Plan for the current session
         if SESSION_KEY_PLAN not in self.request.session:
             LOGGER.debug(
-                "No active Plan found, initiating planner", flow_slug=flow_slug
+                "f(exec): No active Plan found, initiating planner", flow_slug=flow_slug
             )
             try:
                 self.plan = self._initiate_plan()
             except FlowNonApplicableException as exc:
-                LOGGER.warning("Flow not applicable to current user", exc=exc)
+                LOGGER.warning("f(exec): Flow not applicable to current user", exc=exc)
                 return self.handle_invalid_flow(exc)
             except EmptyFlowException as exc:
-                LOGGER.warning("Flow is empty", exc=exc)
+                LOGGER.warning("f(exec): Flow is empty", exc=exc)
                 return self.handle_invalid_flow(exc)
         else:
-            LOGGER.debug("Continuing existing plan", flow_slug=flow_slug)
+            LOGGER.debug("f(exec): Continuing existing plan", flow_slug=flow_slug)
             self.plan = self.request.session[SESSION_KEY_PLAN]
         # We don't save the Plan after getting the next stage
         # as it hasn't been successfully passed yet
         self.current_stage = self.plan.next()
         LOGGER.debug(
-            "Current stage", current_stage=self.current_stage, flow_slug=self.flow.slug,
+            "f(exec): Current stage",
+            current_stage=self.current_stage,
+            flow_slug=self.flow.slug,
         )
         stage_cls = path_to_class(self.current_stage.type)
         self.current_stage_view = stage_cls(self)
@@ -92,7 +94,7 @@ class FlowExecutorView(View):
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """pass get request to current stage"""
         LOGGER.debug(
-            "Passing GET",
+            "f(exec): Passing GET",
             view_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
@@ -101,7 +103,7 @@ class FlowExecutorView(View):
     def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """pass post request to current stage"""
         LOGGER.debug(
-            "Passing POST",
+            "f(exec): Passing POST",
             view_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
@@ -125,7 +127,7 @@ class FlowExecutorView(View):
         """Callback called by stages upon successful completion.
         Persists updated plan and context to session."""
         LOGGER.debug(
-            "Stage ok",
+            "f(exec): Stage ok",
             stage_class=class_to_path(self.current_stage_view.__class__),
             flow_slug=self.flow.slug,
         )
@@ -133,7 +135,7 @@ class FlowExecutorView(View):
         self.request.session[SESSION_KEY_PLAN] = self.plan
         if self.plan.stages:
             LOGGER.debug(
-                "Continuing with next stage",
+                "f(exec): Continuing with next stage",
                 reamining=len(self.plan.stages),
                 flow_slug=self.flow.slug,
             )
@@ -142,7 +144,7 @@ class FlowExecutorView(View):
             )
         # User passed all stages
         LOGGER.debug(
-            "User passed all stages",
+            "f(exec): User passed all stages",
             user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
             flow_slug=self.flow.slug,
         )
@@ -151,7 +153,7 @@ class FlowExecutorView(View):
     def stage_invalid(self) -> HttpResponse:
         """Callback used stage when data is correct but a policy denies access
         or the user account is disabled."""
-        LOGGER.debug("Stage invalid", flow_slug=self.flow.slug)
+        LOGGER.debug("f(exec): Stage invalid", flow_slug=self.flow.slug)
         self.cancel()
         return redirect_with_qs("passbook_flows:denied", self.request.GET)
 
diff --git a/passbook/stages/identification/tests.py b/passbook/stages/identification/tests.py
index 2c2bf98ab..3f550478a 100644
--- a/passbook/stages/identification/tests.py
+++ b/passbook/stages/identification/tests.py
@@ -10,7 +10,6 @@ from passbook.stages.identification.models import (
     Templates,
     UserFields,
 )
-from passbook.stages.login.models import LoginStage
 
 
 class TestIdentificationStage(TestCase):
@@ -26,17 +25,13 @@ class TestIdentificationStage(TestCase):
             slug="test-identification",
             designation=FlowDesignation.AUTHENTICATION,
         )
-        FlowStageBinding.objects.create(
-            flow=self.flow,
-            stage=IdentificationStage.objects.create(
-                name="identification",
-                user_fields=[UserFields.E_MAIL],
-                template=Templates.DEFAULT_LOGIN,
-            ),
-            order=0,
+        self.stage = IdentificationStage.objects.create(
+            name="identification",
+            user_fields=[UserFields.E_MAIL],
+            template=Templates.DEFAULT_LOGIN,
         )
         FlowStageBinding.objects.create(
-            flow=self.flow, stage=LoginStage.objects.create(name="login",), order=1
+            flow=self.flow, stage=self.stage, order=0,
         )
 
         # OAuthSource for the login view
@@ -57,9 +52,9 @@ class TestIdentificationStage(TestCase):
         url = reverse(
             "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
         )
-        response = self.client.post(url, form_data,)
+        response = self.client.post(url, form_data)
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, url)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
 
     def test_invalid_with_username(self):
         """Test invalid with username (user exists but stage only allows e-mail)"""

From c140c39d071dc40bbedfb00ebd3025111a0f6a39 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 01:02:04 +0200
Subject: [PATCH 25/80] stages/login: add unittests

---
 passbook/stages/login/stage.py | 10 +++--
 passbook/stages/login/tests.py | 77 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 3 deletions(-)
 create mode 100644 passbook/stages/login/tests.py

diff --git a/passbook/stages/login/stage.py b/passbook/stages/login/stage.py
index 74bce930b..1e43c163f 100644
--- a/passbook/stages/login/stage.py
+++ b/passbook/stages/login/stage.py
@@ -17,12 +17,16 @@ class LoginStageView(AuthenticationStage):
 
     def get(self, request: HttpRequest) -> HttpResponse:
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            messages.error(request, _("No Pending user to login."))
+            message = _("No Pending user to login.")
+            messages.error(request, message)
+            LOGGER.debug(message)
             return self.executor.stage_invalid()
         if PLAN_CONTEXT_AUTHENTICATION_BACKEND not in self.executor.plan.context:
-            messages.error(request, _("Pending user has no backend."))
+            message = _("Pending user has no backend.")
+            messages.error(request, message)
+            LOGGER.debug(message)
             return self.executor.stage_invalid()
-        backend = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER].backend
+        backend = self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND]
         login(
             self.request,
             self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
diff --git a/passbook/stages/login/tests.py b/passbook/stages/login/tests.py
new file mode 100644
index 000000000..e15078567
--- /dev/null
+++ b/passbook/stages/login/tests.py
@@ -0,0 +1,77 @@
+"""login tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.login.models import LoginStage
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+
+
+class TestLoginStage(TestCase):
+    """Login tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-login",
+            slug="test-login",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = LoginStage.objects.create(name="login")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_valid_password(self):
+        """Test with a valid pending user and backend"""
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        plan.context[
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND
+        ] = "django.contrib.auth.backends.ModelBackend"
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+    def test_without_user(self):
+        """Test a plan without any pending user, resulting in a denied"""
+        plan = FlowPlan(stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_without_backend(self):
+        """Test a plan with pending user, without backend, resulting in a denied"""
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))

From c0b05a62f49f9336cadd7f7a569e5d36c4bcee8a Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 02:00:38 +0200
Subject: [PATCH 26/80] stages/password: add unittests

---
 passbook/stages/password/stage.py |  49 +++++--------
 passbook/stages/password/tests.py | 118 ++++++++++++++++++++++++++++++
 2 files changed, 137 insertions(+), 30 deletions(-)
 create mode 100644 passbook/stages/password/tests.py

diff --git a/passbook/stages/password/stage.py b/passbook/stages/password/stage.py
index 2d721f0eb..67c30990b 100644
--- a/passbook/stages/password/stage.py
+++ b/passbook/stages/password/stage.py
@@ -1,5 +1,4 @@
 """passbook password stage"""
-from inspect import Signature
 from typing import Any, Dict, List, Optional
 
 from django.contrib.auth import _clean_credentials
@@ -23,32 +22,21 @@ PLAN_CONTEXT_AUTHENTICATION_BACKEND = "user_backend"
 
 
 def authenticate(
-    request: HttpRequest, backends: List[BaseBackend], **credentials: Dict[str, Any]
+    request: HttpRequest, backends: List[str], **credentials: Dict[str, Any]
 ) -> Optional[User]:
     """If the given credentials are valid, return a User object.
 
     Customized version of django's authenticate, which accepts a list of backends"""
     for backend_path in backends:
-        backend = path_to_class(backend_path)()
-        try:
-            signature = Signature.from_callable(backend.authenticate)
-            signature.bind(request, **credentials)
-        except TypeError:
-            LOGGER.warning("Backend doesn't accept our arguments", backend=backend)
-            # This backend doesn't accept these credentials as arguments. Try the next one.
-            continue
+        backend: BaseBackend = path_to_class(backend_path)()
         LOGGER.debug("Attempting authentication...", backend=backend)
-        try:
-            user = backend.authenticate(request, **credentials)
-        except PermissionDenied:
-            LOGGER.debug("Backend threw PermissionDenied", backend=backend)
-            # This backend says to stop in our tracks - this user should not be allowed in at all.
-            break
+        user = backend.authenticate(request, **credentials)
         if user is None:
             LOGGER.debug("Backend returned nothing, continuing")
             continue
         # Annotate the user object with the path of the backend.
         user.backend = backend_path
+        LOGGER.debug("Successful authentication", user=user, backend=backend)
         return user
 
     # The credentials supplied are invalid to all backends, fire signal
@@ -78,22 +66,23 @@ class PasswordStage(FormView, AuthenticationStage):
             user = authenticate(
                 self.request, self.executor.current_stage.backends, **auth_kwargs
             )
-            if user:
-                # User instance returned from authenticate() has .backend property set
-                self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
-                self.executor.plan.context[
-                    PLAN_CONTEXT_AUTHENTICATION_BACKEND
-                ] = user.backend
-                return self.executor.stage_ok()
-            # No user was found -> invalid credentials
-            LOGGER.debug("Invalid credentials")
-            # Manually inject error into form
-            # pylint: disable=protected-access
-            errors = form._errors.setdefault("password", ErrorList())
-            errors.append(_("Invalid password"))
-            return self.form_invalid(form)
         except PermissionDenied:
             del auth_kwargs["password"]
             # User was found, but permission was denied (i.e. user is not active)
             LOGGER.debug("Denied access", **auth_kwargs)
             return self.executor.stage_invalid()
+        else:
+            if not user:
+                # No user was found -> invalid credentials
+                LOGGER.debug("Invalid credentials")
+                # Manually inject error into form
+                # pylint: disable=protected-access
+                errors = form._errors.setdefault("password", ErrorList())
+                errors.append(_("Invalid password"))
+                return self.form_invalid(form)
+            # User instance returned from authenticate() has .backend property set
+            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
+            self.executor.plan.context[
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND
+            ] = user.backend
+            return self.executor.stage_ok()
diff --git a/passbook/stages/password/tests.py b/passbook/stages/password/tests.py
new file mode 100644
index 000000000..1a98333e4
--- /dev/null
+++ b/passbook/stages/password/tests.py
@@ -0,0 +1,118 @@
+"""password tests"""
+import string
+from random import SystemRandom
+from unittest.mock import MagicMock, patch
+
+from django.core.exceptions import PermissionDenied
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.password.models import PasswordStage
+
+MOCK_BACKEND_AUTHENTICATE = MagicMock(side_effect=PermissionDenied("test"))
+
+
+class TestPasswordStage(TestCase):
+    """Password tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.password = "".join(
+            SystemRandom().choice(string.ascii_uppercase + string.digits)
+            for _ in range(8)
+        )
+        self.user = User.objects.create_user(
+            username="unittest", email="test@beryju.org", password=self.password
+        )
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-password",
+            slug="test-password",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = PasswordStage.objects.create(
+            name="password", backends=["django.contrib.auth.backends.ModelBackend"]
+        )
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_without_user(self):
+        """Test without user"""
+        plan = FlowPlan(stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            # Still have to send the password so the form is valid
+            {"password": self.password},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_valid_password(self):
+        """Test with a valid pending user and valid password"""
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            # Form data
+            {"password": self.password},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+    def test_invalid_password(self):
+        """Test with a valid pending user and invalid password"""
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            # Form data
+            {"password": self.password + "test"},
+        )
+        self.assertEqual(response.status_code, 200)
+
+    @patch(
+        "django.contrib.auth.backends.ModelBackend.authenticate",
+        MOCK_BACKEND_AUTHENTICATE,
+    )
+    def test_permission_denied(self):
+        """Test with a valid pending user and valid password.
+        Backend is patched to return PermissionError"""
+        # from django.contrib.auth.backends import ModelBackend
+        # ModelBackend().authenticate()
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            # Form data
+            {"password": self.password + "test"},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))

From 9bccf9bb0a9d85ed61a5ca2da48c791564833d70 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 02:14:55 +0200
Subject: [PATCH 27/80] policies/dummy: separate dummy policy from core into
 app

---
 passbook/api/v2/urls.py                       | 10 ++++-
 .../migrations/0013_delete_debugpolicy.py     | 14 +++++++
 passbook/core/models.py                       | 25 ------------
 passbook/policies/dummy/__init__.py           |  0
 passbook/policies/dummy/api.py                | 21 ++++++++++
 passbook/policies/dummy/apps.py               | 11 +++++
 .../policies.py => policies/dummy/forms.py}   |  8 ++--
 .../policies/dummy/migrations/0001_initial.py | 40 +++++++++++++++++++
 .../policies/dummy/migrations/__init__.py     |  0
 passbook/policies/dummy/models.py             | 35 ++++++++++++++++
 passbook/policies/expiry/api.py               |  4 +-
 passbook/policies/expiry/forms.py             |  2 +-
 passbook/policies/hibp/forms.py               |  2 +-
 passbook/policies/reputation/forms.py         |  2 +-
 passbook/policies/tests/test_engine.py        | 15 +++----
 passbook/root/settings.py                     |  7 +++-
 16 files changed, 152 insertions(+), 44 deletions(-)
 create mode 100644 passbook/core/migrations/0013_delete_debugpolicy.py
 create mode 100644 passbook/policies/dummy/__init__.py
 create mode 100644 passbook/policies/dummy/api.py
 create mode 100644 passbook/policies/dummy/apps.py
 rename passbook/{core/forms/policies.py => policies/dummy/forms.py} (69%)
 create mode 100644 passbook/policies/dummy/migrations/0001_initial.py
 create mode 100644 passbook/policies/dummy/migrations/__init__.py
 create mode 100644 passbook/policies/dummy/models.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 2a66dca99..55ccc07a3 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -1,4 +1,5 @@
 """api v2 urls"""
+from django.conf import settings
 from django.conf.urls import url
 from django.urls import path
 from drf_yasg import openapi
@@ -31,7 +32,6 @@ from passbook.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProvider
 from passbook.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 from passbook.sources.oauth.api import OAuthSourceViewSet
 from passbook.stages.captcha.api import CaptchaStageViewSet
-from passbook.stages.dummy.api import DummyStageViewSet
 from passbook.stages.email.api import EmailStageViewSet
 from passbook.stages.identification.api import IdentificationStageViewSet
 from passbook.stages.login.api import LoginStageViewSet
@@ -78,7 +78,6 @@ router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 
 router.register("stages/all", StageViewSet)
 router.register("stages/captcha", CaptchaStageViewSet)
-router.register("stages/dummy", DummyStageViewSet)
 router.register("stages/email", EmailStageViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
@@ -88,6 +87,13 @@ router.register("stages/login", LoginStageViewSet)
 router.register("flows", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
 
+if settings.DEBUG:
+    from passbook.stages.dummy.api import DummyStageViewSet
+    from passbook.policies.dummy.api import DummyPolicyViewSet
+
+    router.register("stages/dummy", DummyStageViewSet)
+    router.register("policies/dummy", DummyPolicyViewSet)
+
 info = openapi.Info(
     title="passbook API",
     default_version="v2",
diff --git a/passbook/core/migrations/0013_delete_debugpolicy.py b/passbook/core/migrations/0013_delete_debugpolicy.py
new file mode 100644
index 000000000..b34c7cfce
--- /dev/null
+++ b/passbook/core/migrations/0013_delete_debugpolicy.py
@@ -0,0 +1,14 @@
+# Generated by Django 3.0.5 on 2020-05-10 00:08
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0012_delete_factor"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(name="DebugPolicy",),
+    ]
diff --git a/passbook/core/models.py b/passbook/core/models.py
index 29f489f2a..7cb523113 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -1,7 +1,5 @@
 """passbook core models"""
 from datetime import timedelta
-from random import SystemRandom
-from time import sleep
 from typing import Any, Optional
 from uuid import uuid4
 
@@ -198,29 +196,6 @@ class Policy(ExportModelOperationsMixin("policy"), UUIDModel, CreatedUpdatedMode
         raise PolicyException()
 
 
-class DebugPolicy(Policy):
-    """Policy used for debugging the PolicyEngine. Returns a fixed result,
-    but takes a random time to process."""
-
-    result = models.BooleanField(default=False)
-    wait_min = models.IntegerField(default=5)
-    wait_max = models.IntegerField(default=30)
-
-    form = "passbook.core.forms.policies.DebugPolicyForm"
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        """Wait random time then return result"""
-        wait = SystemRandom().randrange(self.wait_min, self.wait_max)
-        LOGGER.debug("Policy waiting", policy=self, delay=wait)
-        sleep(wait)
-        return PolicyResult(self.result, "Debugging")
-
-    class Meta:
-
-        verbose_name = _("Debug Policy")
-        verbose_name_plural = _("Debug Policies")
-
-
 class Invitation(ExportModelOperationsMixin("invitation"), UUIDModel):
     """Single-use invitation link"""
 
diff --git a/passbook/policies/dummy/__init__.py b/passbook/policies/dummy/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/policies/dummy/api.py b/passbook/policies/dummy/api.py
new file mode 100644
index 000000000..dffe5b668
--- /dev/null
+++ b/passbook/policies/dummy/api.py
@@ -0,0 +1,21 @@
+"""Dummy Policy API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.policies.dummy.models import DummyPolicy
+from passbook.policies.forms import GENERAL_SERIALIZER_FIELDS
+
+
+class DummyPolicySerializer(ModelSerializer):
+    """Dummy Policy Serializer"""
+
+    class Meta:
+        model = DummyPolicy
+        fields = GENERAL_SERIALIZER_FIELDS + ["result", "wait_min", "wait_max"]
+
+
+class DummyPolicyViewSet(ModelViewSet):
+    """Dummy Viewset"""
+
+    queryset = DummyPolicy.objects.all()
+    serializer_class = DummyPolicySerializer
diff --git a/passbook/policies/dummy/apps.py b/passbook/policies/dummy/apps.py
new file mode 100644
index 000000000..5f60a03f0
--- /dev/null
+++ b/passbook/policies/dummy/apps.py
@@ -0,0 +1,11 @@
+"""Passbook policy dummy app config"""
+
+from django.apps import AppConfig
+
+
+class PassbookPolicyDummyConfig(AppConfig):
+    """Passbook policy_dummy app config"""
+
+    name = "passbook.policies.dummy"
+    label = "passbook_policies_dummy"
+    verbose_name = "passbook Policies.Dummy"
diff --git a/passbook/core/forms/policies.py b/passbook/policies/dummy/forms.py
similarity index 69%
rename from passbook/core/forms/policies.py
rename to passbook/policies/dummy/forms.py
index b2d9cb5e8..05e6a6bdb 100644
--- a/passbook/core/forms/policies.py
+++ b/passbook/policies/dummy/forms.py
@@ -3,16 +3,16 @@
 from django import forms
 from django.utils.translation import gettext as _
 
-from passbook.core.models import DebugPolicy
+from passbook.policies.dummy.models import DummyPolicy
 from passbook.policies.forms import GENERAL_FIELDS
 
 
-class DebugPolicyForm(forms.ModelForm):
-    """DebugPolicyForm Form"""
+class DummyPolicyForm(forms.ModelForm):
+    """DummyPolicyForm Form"""
 
     class Meta:
 
-        model = DebugPolicy
+        model = DummyPolicy
         fields = GENERAL_FIELDS + ["result", "wait_min", "wait_max"]
         widgets = {
             "name": forms.TextInput(),
diff --git a/passbook/policies/dummy/migrations/0001_initial.py b/passbook/policies/dummy/migrations/0001_initial.py
new file mode 100644
index 000000000..5e388616a
--- /dev/null
+++ b/passbook/policies/dummy/migrations/0001_initial.py
@@ -0,0 +1,40 @@
+# Generated by Django 3.0.5 on 2020-05-10 00:08
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_core", "0013_delete_debugpolicy"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="DummyPolicy",
+            fields=[
+                (
+                    "policy_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_core.Policy",
+                    ),
+                ),
+                ("result", models.BooleanField(default=False)),
+                ("wait_min", models.IntegerField(default=5)),
+                ("wait_max", models.IntegerField(default=30)),
+            ],
+            options={
+                "verbose_name": "Dummy Policy",
+                "verbose_name_plural": "Dummy Policies",
+            },
+            bases=("passbook_core.policy",),
+        ),
+    ]
diff --git a/passbook/policies/dummy/migrations/__init__.py b/passbook/policies/dummy/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/policies/dummy/models.py b/passbook/policies/dummy/models.py
new file mode 100644
index 000000000..98d9e22f5
--- /dev/null
+++ b/passbook/policies/dummy/models.py
@@ -0,0 +1,35 @@
+"""Dummy policy"""
+from random import SystemRandom
+from time import sleep
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from structlog import get_logger
+
+from passbook.core.models import Policy
+from passbook.policies.types import PolicyRequest, PolicyResult
+
+LOGGER = get_logger()
+
+
+class DummyPolicy(Policy):
+    """Policy used for debugging the PolicyEngine. Returns a fixed result,
+    but takes a random time to process."""
+
+    result = models.BooleanField(default=False)
+    wait_min = models.IntegerField(default=5)
+    wait_max = models.IntegerField(default=30)
+
+    form = "passbook.policies.dummy.forms.DummyPolicyForm"
+
+    def passes(self, request: PolicyRequest) -> PolicyResult:
+        """Wait random time then return result"""
+        wait = SystemRandom().randrange(self.wait_min, self.wait_max)
+        LOGGER.debug("Policy waiting", policy=self, delay=wait)
+        sleep(wait)
+        return PolicyResult(self.result, "dummy")
+
+    class Meta:
+
+        verbose_name = _("Dummy Policy")
+        verbose_name_plural = _("Dummy Policies")
diff --git a/passbook/policies/expiry/api.py b/passbook/policies/expiry/api.py
index 545411cef..fd206371c 100644
--- a/passbook/policies/expiry/api.py
+++ b/passbook/policies/expiry/api.py
@@ -1,4 +1,4 @@
-"""Source API Views"""
+"""Password Expiry Policy API Views"""
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
@@ -15,7 +15,7 @@ class PasswordExpiryPolicySerializer(ModelSerializer):
 
 
 class PasswordExpiryPolicyViewSet(ModelViewSet):
-    """Source Viewset"""
+    """Password Expiry Viewset"""
 
     queryset = PasswordExpiryPolicy.objects.all()
     serializer_class = PasswordExpiryPolicySerializer
diff --git a/passbook/policies/expiry/forms.py b/passbook/policies/expiry/forms.py
index 63c9a2bf6..e84794ac1 100644
--- a/passbook/policies/expiry/forms.py
+++ b/passbook/policies/expiry/forms.py
@@ -4,8 +4,8 @@ from django import forms
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
-from passbook.core.forms.policies import GENERAL_FIELDS
 from passbook.policies.expiry.models import PasswordExpiryPolicy
+from passbook.policies.forms import GENERAL_FIELDS
 
 
 class PasswordExpiryPolicyForm(forms.ModelForm):
diff --git a/passbook/policies/hibp/forms.py b/passbook/policies/hibp/forms.py
index bc31196ca..f9560bf14 100644
--- a/passbook/policies/hibp/forms.py
+++ b/passbook/policies/hibp/forms.py
@@ -4,7 +4,7 @@ from django import forms
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
-from passbook.core.forms.policies import GENERAL_FIELDS
+from passbook.policies.forms import GENERAL_FIELDS
 from passbook.policies.hibp.models import HaveIBeenPwendPolicy
 
 
diff --git a/passbook/policies/reputation/forms.py b/passbook/policies/reputation/forms.py
index 1b9ccd667..0c4af1b37 100644
--- a/passbook/policies/reputation/forms.py
+++ b/passbook/policies/reputation/forms.py
@@ -2,7 +2,7 @@
 from django import forms
 from django.utils.translation import gettext_lazy as _
 
-from passbook.core.forms.policies import GENERAL_FIELDS
+from passbook.policies.forms import GENERAL_FIELDS
 from passbook.policies.reputation.models import ReputationPolicy
 
 
diff --git a/passbook/policies/tests/test_engine.py b/passbook/policies/tests/test_engine.py
index 07a111ba8..31e4d6855 100644
--- a/passbook/policies/tests/test_engine.py
+++ b/passbook/policies/tests/test_engine.py
@@ -2,7 +2,8 @@
 from django.core.cache import cache
 from django.test import TestCase
 
-from passbook.core.models import DebugPolicy, Policy, User
+from passbook.core.models import Policy, User
+from passbook.policies.dummy.models import DummyPolicy
 from passbook.policies.engine import PolicyEngine
 
 
@@ -12,13 +13,13 @@ class PolicyTestEngine(TestCase):
     def setUp(self):
         cache.clear()
         self.user = User.objects.create_user(username="policyuser")
-        self.policy_false = DebugPolicy.objects.create(
+        self.policy_false = DummyPolicy.objects.create(
             result=False, wait_min=0, wait_max=1
         )
-        self.policy_true = DebugPolicy.objects.create(
+        self.policy_true = DummyPolicy.objects.create(
             result=True, wait_min=0, wait_max=1
         )
-        self.policy_negate = DebugPolicy.objects.create(
+        self.policy_negate = DummyPolicy.objects.create(
             negate=True, result=True, wait_min=0, wait_max=1
         )
         self.policy_raises = Policy.objects.create(name="raises")
@@ -31,13 +32,13 @@ class PolicyTestEngine(TestCase):
     def test_engine(self):
         """Ensure all policies passes (Mix of false and true -> false)"""
         engine = PolicyEngine(
-            DebugPolicy.objects.filter(negate__exact=False), self.user
+            DummyPolicy.objects.filter(negate__exact=False), self.user
         )
         self.assertEqual(engine.build().passing, False)
 
     def test_engine_negate(self):
         """Test negate flag"""
-        engine = PolicyEngine(DebugPolicy.objects.filter(negate__exact=True), self.user)
+        engine = PolicyEngine(DummyPolicy.objects.filter(negate__exact=True), self.user)
         self.assertEqual(engine.build().passing, False)
 
     def test_engine_policy_error(self):
@@ -48,7 +49,7 @@ class PolicyTestEngine(TestCase):
     def test_engine_cache(self):
         """Ensure empty policy list passes"""
         engine = PolicyEngine(
-            DebugPolicy.objects.filter(negate__exact=False), self.user
+            DummyPolicy.objects.filter(negate__exact=False), self.user
         )
         self.assertEqual(len(cache.keys("policy_*")), 0)
         self.assertEqual(engine.build().passing, False)
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 30ff8bbf8..ba5920f82 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -101,7 +101,6 @@ INSTALLED_APPS = [
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
-    "passbook.stages.dummy.apps.PassbookStageDummyConfig",
     "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.policies.expiry.apps.PassbookPolicyExpiryConfig",
     "passbook.policies.reputation.apps.PassbookPolicyReputationConfig",
@@ -391,4 +390,10 @@ if DEBUG:
     INSTALLED_APPS.append("debug_toolbar")
     MIDDLEWARE.append("debug_toolbar.middleware.DebugToolbarMiddleware")
 
+    # Load Dummy/Debug objects
+    INSTALLED_APPS += [
+        "passbook.stages.dummy.apps.PassbookStageDummyConfig",
+        "passbook.policies.dummy.apps.PassbookPolicyDummyConfig",
+    ]
+
 INSTALLED_APPS.append("passbook.core.apps.PassbookCoreConfig")

From c27d257146febd7db3e83d8820a575369a558465 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 12:07:40 +0200
Subject: [PATCH 28/80] core: fix migrations

---
 passbook/core/migrations/0013_delete_debugpolicy.py | 4 +++-
 passbook/policies/dummy/migrations/0001_initial.py  | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/passbook/core/migrations/0013_delete_debugpolicy.py b/passbook/core/migrations/0013_delete_debugpolicy.py
index b34c7cfce..4e658f01f 100644
--- a/passbook/core/migrations/0013_delete_debugpolicy.py
+++ b/passbook/core/migrations/0013_delete_debugpolicy.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.5 on 2020-05-10 00:08
+# Generated by Django 3.0.5 on 2020-05-10 10:01
 
 from django.db import migrations
 
@@ -6,6 +6,8 @@ from django.db import migrations
 class Migration(migrations.Migration):
 
     dependencies = [
+        ("passbook_policies", "0003_auto_20200508_1642"),
+        ("passbook_stages_password", "0001_initial"),
         ("passbook_core", "0012_delete_factor"),
     ]
 
diff --git a/passbook/policies/dummy/migrations/0001_initial.py b/passbook/policies/dummy/migrations/0001_initial.py
index 5e388616a..22a1e007d 100644
--- a/passbook/policies/dummy/migrations/0001_initial.py
+++ b/passbook/policies/dummy/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.5 on 2020-05-10 00:08
+# Generated by Django 3.0.5 on 2020-05-10 10:01
 
 import django.db.models.deletion
 from django.db import migrations, models

From 7a96f9e894806573734e31e35c80e12ac16e3aa3 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 12:27:10 +0200
Subject: [PATCH 29/80] policies/dummy: fix migrations

---
 passbook/policies/dummy/migrations/0001_initial.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/passbook/policies/dummy/migrations/0001_initial.py b/passbook/policies/dummy/migrations/0001_initial.py
index 22a1e007d..14e77000e 100644
--- a/passbook/policies/dummy/migrations/0001_initial.py
+++ b/passbook/policies/dummy/migrations/0001_initial.py
@@ -9,6 +9,7 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
+        ("passbook_policies", "0003_auto_20200508_1642"),
         ("passbook_core", "0013_delete_debugpolicy"),
     ]
 

From ff4bd1c91f6a24c9918cdaf6daf92f84fffe443c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 12:50:58 +0200
Subject: [PATCH 30/80] root: increase testing verbosity to debug CI

---
 passbook/root/settings.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index ba5920f82..3186cfc2f 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -349,12 +349,11 @@ for handler_name, level in _LOGGING_HANDLER_MAP.items():
 
 TEST = False
 TEST_RUNNER = "xmlrunner.extra.djangotestrunner.XMLTestRunner"
-TEST_OUTPUT_VERBOSE = 2
 
 TEST_OUTPUT_FILE_NAME = "unittest.xml"
 
 if any("test" in arg for arg in sys.argv):
-    LOGGING = None
+    LOGGING["loggers"]["django"]["level"] = "DEBUG"
     TEST = True
     CELERY_TASK_ALWAYS_EAGER = True
 

From 4f785da452000f764ec8fd745a7500caf99b4495 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 13:06:38 +0200
Subject: [PATCH 31/80] root: fix migrations for CI

---
 passbook/root/settings.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 3186cfc2f..608d1364d 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -96,12 +96,14 @@ INSTALLED_APPS = [
     "passbook.providers.oidc.apps.PassbookProviderOIDCConfig",
     "passbook.providers.saml.apps.PassbookProviderSAMLConfig",
     "passbook.providers.samlv2.apps.PassbookProviderSAMLv2Config",
+    "passbook.stages.dummy.apps.PassbookStageDummyConfig",
     "passbook.stages.login.apps.PassbookStageLoginConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
     "passbook.stages.email.apps.PassbookStageEmailConfig",
+    "passbook.policies.dummy.apps.PassbookPolicyDummyConfig",
     "passbook.policies.expiry.apps.PassbookPolicyExpiryConfig",
     "passbook.policies.reputation.apps.PassbookPolicyReputationConfig",
     "passbook.policies.hibp.apps.PassbookPolicyHIBPConfig",
@@ -353,7 +355,7 @@ TEST_RUNNER = "xmlrunner.extra.djangotestrunner.XMLTestRunner"
 TEST_OUTPUT_FILE_NAME = "unittest.xml"
 
 if any("test" in arg for arg in sys.argv):
-    LOGGING["loggers"]["django"]["level"] = "DEBUG"
+    LOGGING = None
     TEST = True
     CELERY_TASK_ALWAYS_EAGER = True
 
@@ -389,10 +391,4 @@ if DEBUG:
     INSTALLED_APPS.append("debug_toolbar")
     MIDDLEWARE.append("debug_toolbar.middleware.DebugToolbarMiddleware")
 
-    # Load Dummy/Debug objects
-    INSTALLED_APPS += [
-        "passbook.stages.dummy.apps.PassbookStageDummyConfig",
-        "passbook.policies.dummy.apps.PassbookPolicyDummyConfig",
-    ]
-
 INSTALLED_APPS.append("passbook.core.apps.PassbookCoreConfig")

From fbc3ac6b30691dc76fe4136d30d810bc263a652e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 15:28:52 +0200
Subject: [PATCH 32/80] flows: make FlowExecutor fully working without pending
 user

---
 passbook/flows/views.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index e5e07aa71..a7a54d85a 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -9,7 +9,7 @@ from structlog import get_logger
 from passbook.core.views.utils import PermissionDeniedView
 from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from passbook.flows.models import Flow, FlowDesignation, Stage
-from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan, FlowPlanner
+from passbook.flows.planner import FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
 from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
@@ -145,8 +145,8 @@ class FlowExecutorView(View):
         # User passed all stages
         LOGGER.debug(
             "f(exec): User passed all stages",
-            user=self.plan.context[PLAN_CONTEXT_PENDING_USER],
             flow_slug=self.flow.slug,
+            context=self.plan.context,
         )
         return self._flow_done()
 
@@ -159,7 +159,8 @@ class FlowExecutorView(View):
 
     def cancel(self):
         """Cancel current execution and return a redirect"""
-        del self.request.session[SESSION_KEY_PLAN]
+        if SESSION_KEY_PLAN in self.request.session:
+            del self.request.session[SESSION_KEY_PLAN]
 
 
 class FlowPermissionDeniedView(PermissionDeniedView):
@@ -172,6 +173,8 @@ class ToDefaultFlow(View):
     designation: Optional[FlowDesignation] = None
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
+        if SESSION_KEY_PLAN in self.request.session:
+            del self.request.session[SESSION_KEY_PLAN]
         flow = get_object_or_404(Flow, designation=self.designation)
         # TODO: Get Flow depending on subdomain?
         return redirect_with_qs(

From 358922b09b91e97a30fafab848d604534b0b7e49 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 15:29:10 +0200
Subject: [PATCH 33/80] lib/ui: fix human_list for lists with one item

---
 passbook/lib/utils/ui.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/passbook/lib/utils/ui.py b/passbook/lib/utils/ui.py
index b04aec2d4..f898e086a 100644
--- a/passbook/lib/utils/ui.py
+++ b/passbook/lib/utils/ui.py
@@ -1,8 +1,11 @@
 """passbook UI utils"""
+from typing import Any, List
 
 
-def human_list(_list) -> str:
+def human_list(_list: List[Any]) -> str:
     """Convert a list of items into 'a, b or c'"""
     last_item = _list.pop()
+    if len(_list) < 1:
+        return last_item
     result = ", ".join(_list)
     return "%s or %s" % (result, last_item)

From 9def45c8d71dad67545149d6126aef752cac0ac0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 15:29:27 +0200
Subject: [PATCH 34/80] stages/identification: fix label for inputs

---
 passbook/stages/identification/forms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/passbook/stages/identification/forms.py b/passbook/stages/identification/forms.py
index cd03e46d4..04217f7f8 100644
--- a/passbook/stages/identification/forms.py
+++ b/passbook/stages/identification/forms.py
@@ -36,7 +36,7 @@ class IdentificationForm(forms.Form):
         if self.stage.user_fields == [UserFields.E_MAIL]:
             self.fields["uid_field"] = forms.EmailField()
         self.fields["uid_field"].label = human_list(
-            [y.title() for x, y in UserFields.choices]
+            [x.title() for x in self.stage.user_fields]
         )
 
     def clean_uid_field(self):

From 4315d1a03c0abfae8519d47935f39abfa68b5959 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 16:20:17 +0200
Subject: [PATCH 35/80] stages/prompt: add prompt stage: dynamically created
 forms based on database

---
 passbook/api/v2/urls.py                       |   3 +
 passbook/core/forms/authentication.py         |  65 --------
 .../core/tests/test_views_authentication.py   |  85 -----------
 passbook/core/urls.py                         |   9 +-
 passbook/core/views/authentication.py         | 144 +-----------------
 passbook/root/settings.py                     |  35 ++---
 passbook/stages/prompt/__init__.py            |   0
 passbook/stages/prompt/api.py                 |  48 ++++++
 passbook/stages/prompt/apps.py                |  10 ++
 passbook/stages/prompt/forms.py               |  29 ++++
 .../stages/prompt/migrations/0001_initial.py  |  76 +++++++++
 passbook/stages/prompt/migrations/__init__.py |   0
 passbook/stages/prompt/models.py              |  75 +++++++++
 passbook/stages/prompt/stage.py               |  35 +++++
 14 files changed, 303 insertions(+), 311 deletions(-)
 delete mode 100644 passbook/core/forms/authentication.py
 create mode 100644 passbook/stages/prompt/__init__.py
 create mode 100644 passbook/stages/prompt/api.py
 create mode 100644 passbook/stages/prompt/apps.py
 create mode 100644 passbook/stages/prompt/forms.py
 create mode 100644 passbook/stages/prompt/migrations/0001_initial.py
 create mode 100644 passbook/stages/prompt/migrations/__init__.py
 create mode 100644 passbook/stages/prompt/models.py
 create mode 100644 passbook/stages/prompt/stage.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 55ccc07a3..2adb3788d 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -37,6 +37,7 @@ from passbook.stages.identification.api import IdentificationStageViewSet
 from passbook.stages.login.api import LoginStageViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
+from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
 
 LOGGER = get_logger()
 router = routers.DefaultRouter()
@@ -83,6 +84,8 @@ router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/identification", IdentificationStageViewSet)
 router.register("stages/login", LoginStageViewSet)
+router.register("stages/prompt", PromptStageViewSet)
+router.register("stages/prompt/prompts", PromptViewSet)
 
 router.register("flows", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
diff --git a/passbook/core/forms/authentication.py b/passbook/core/forms/authentication.py
deleted file mode 100644
index 0b442815f..000000000
--- a/passbook/core/forms/authentication.py
+++ /dev/null
@@ -1,65 +0,0 @@
-"""passbook core authentication forms"""
-from django import forms
-from django.core.exceptions import ValidationError
-from django.utils.translation import gettext_lazy as _
-from structlog import get_logger
-
-from passbook.core.models import User
-
-LOGGER = get_logger()
-
-
-class SignUpForm(forms.Form):
-    """SignUp Form"""
-
-    title = _("Sign Up")
-    name = forms.CharField(
-        label=_("Name"), widget=forms.TextInput(attrs={"placeholder": _("Name")})
-    )
-    username = forms.CharField(
-        label=_("Username"),
-        widget=forms.TextInput(attrs={"placeholder": _("Username")}),
-    )
-    email = forms.EmailField(
-        label=_("E-Mail"), widget=forms.TextInput(attrs={"placeholder": _("E-Mail")})
-    )
-    password = forms.CharField(
-        label=_("Password"),
-        widget=forms.PasswordInput(attrs={"placeholder": _("Password")}),
-    )
-    password_repeat = forms.CharField(
-        label=_("Repeat Password"),
-        widget=forms.PasswordInput(attrs={"placeholder": _("Repeat Password")}),
-    )
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        # All fields which have initial data supplied are set to read only
-        if "initial" in kwargs:
-            for field in kwargs.get("initial").keys():
-                self.fields[field].widget.attrs["readonly"] = "readonly"
-
-    def clean_username(self):
-        """Check if username is used already"""
-        username = self.cleaned_data.get("username")
-        if User.objects.filter(username=username).exists():
-            LOGGER.warning("username already exists", username=username)
-            raise ValidationError(_("Username already exists"))
-        return username
-
-    def clean_email(self):
-        """Check if email is already used in django or other auth sources"""
-        email = self.cleaned_data.get("email")
-        # Check if user exists already, error early
-        if User.objects.filter(email=email).exists():
-            LOGGER.debug("email already exists", email=email)
-            raise ValidationError(_("Email already exists"))
-        return email
-
-    def clean_password_repeat(self):
-        """Check if Password adheres to filter and if passwords matche"""
-        password = self.cleaned_data.get("password")
-        password_repeat = self.cleaned_data.get("password_repeat")
-        if password != password_repeat:
-            raise ValidationError(_("Passwords don't match"))
-        return self.cleaned_data.get("password_repeat")
diff --git a/passbook/core/tests/test_views_authentication.py b/passbook/core/tests/test_views_authentication.py
index 1895e3e22..8cc9f1769 100644
--- a/passbook/core/tests/test_views_authentication.py
+++ b/passbook/core/tests/test_views_authentication.py
@@ -5,7 +5,6 @@ from random import SystemRandom
 from django.test import TestCase
 from django.urls import reverse
 
-from passbook.core.forms.authentication import SignUpForm
 from passbook.core.models import User
 
 
@@ -33,12 +32,6 @@ class TestAuthenticationViews(TestCase):
             ),
         )
 
-    def test_sign_up_view(self):
-        """Test account.sign_up view (Anonymous)"""
-        self.client.logout()
-        response = self.client.get(reverse("passbook_core:auth-sign-up"))
-        self.assertEqual(response.status_code, 200)
-
     def test_logout_view(self):
         """Test account.logout view"""
         self.client.force_login(self.user)
@@ -50,81 +43,3 @@ class TestAuthenticationViews(TestCase):
         self.client.force_login(self.user)
         response = self.client.get(reverse("passbook_core:auth-logout"))
         self.assertEqual(response.status_code, 302)
-
-    def test_sign_up_view_post(self):
-        """Test account.sign_up view POST (Anonymous)"""
-        form = SignUpForm(self.sign_up_data)
-        self.assertTrue(form.is_valid())
-
-        response = self.client.post(
-            reverse("passbook_core:auth-sign-up"), data=form.cleaned_data
-        )
-        self.assertEqual(response.status_code, 302)
-
-    # def test_reset_password_init_view(self):
-    #     """Test account.reset_password_init view POST (Anonymous)"""
-    #     form = SignUpForm(self.sign_up_data)
-    #     self.assertTrue(form.is_valid())
-
-    #     res = test_request(accounts.SignUpView.as_view(),
-    #                        method='POST',
-    #                        req_kwargs=form.cleaned_data)
-    #     self.assertEqual(res.status_code, 302)
-
-    #     res = test_request(accounts.PasswordResetInitView.as_view())
-    #     self.assertEqual(res.status_code, 200)
-
-    # def test_resend_confirmation(self):
-    #     """Test AccountController.resend_confirmation"""
-    #     form = SignUpForm(self.sign_up_data)
-    #     self.assertTrue(form.is_valid())
-
-    #     res = test_request(accounts.SignUpView.as_view(),
-    #                        method='POST',
-    #                        req_kwargs=form.cleaned_data)
-    #     self.assertEqual(res.status_code, 302)
-    #     user = User.objects.get(email=self.sign_up_data['email'])
-    #     # Invalidate all other links for this user
-    #     old_acs = AccountConfirmation.objects.filter(
-    #         user=user)
-    #     for old_ac in old_acs:
-    #         old_ac.confirmed = True
-    #         old_ac.save()
-    #     # Create Account Confirmation UUID
-    #     new_ac = AccountConfirmation.objects.create(user=user)
-    #     self.assertFalse(new_ac.is_expired)
-    #     on_user_confirm_resend.send(
-    #         sender=None,
-    #         user=user,
-    #         request=None)
-
-    # def test_reset_passowrd(self):
-    #     """Test reset password POST"""
-    #     # Signup user first
-    #     sign_up_form = SignUpForm(self.sign_up_data)
-    #     self.assertTrue(sign_up_form.is_valid())
-
-    #     sign_up_res = test_request(accounts.SignUpView.as_view(),
-    #                               method='POST',
-    #                               req_kwargs=sign_up_form.cleaned_data)
-    #     self.assertEqual(sign_up_res.status_code, 302)
-
-    #     user = User.objects.get(email=self.sign_up_data['email'])
-    #     # Invalidate all other links for this user
-    #     old_acs = AccountConfirmation.objects.filter(
-    #         user=user)
-    #     for old_ac in old_acs:
-    #         old_ac.confirmed = True
-    #         old_ac.save()
-    #     # Create Account Confirmation UUID
-    #     new_ac = AccountConfirmation.objects.create(user=user)
-    #     self.assertFalse(new_ac.is_expired)
-    #     uuid = AccountConfirmation.objects.filter(user=user).first().pk
-    #     reset_res = test_request(accounts.PasswordResetFinishView.as_view(),
-    #                              method='POST',
-    #                              user=user,
-    #                              url_kwargs={'uuid': uuid},
-    #                              req_kwargs=self.change_data)
-
-    #     self.assertEqual(reset_res.status_code, 302)
-    #     self.assertEqual(reset_res.url, reverse('common-index'))
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index 4660242df..f891325f3 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -13,14 +13,13 @@ urlpatterns = [
         name="auth-login",
     ),
     path("auth/logout/", authentication.LogoutView.as_view(), name="auth-logout"),
-    path("auth/sign_up/", authentication.SignUpView.as_view(), name="auth-sign-up"),
     path(
-        "auth/sign_up/<uuid:nonce>/confirm/",
-        authentication.SignUpConfirmView.as_view(),
-        name="auth-sign-up-confirm",
+        "auth/sign_up/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
+        name="auth-sign-up",
     ),
     path(
-        "auth/password/reset/<uuid:nonce>/",
+        "auth/password/reset/<uuid:nonce_uuid>/",
         authentication.PasswordResetView.as_view(),
         name="auth-password-reset",
     ),
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index f970609cd..993b2a205 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -1,22 +1,14 @@
 """passbook core authentication views"""
-from typing import Dict
-
 from django.contrib import messages
 from django.contrib.auth import login, logout
-from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
-from django.forms.utils import ErrorList
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, reverse
 from django.utils.translation import ugettext as _
 from django.views import View
-from django.views.generic import FormView
 from structlog import get_logger
 
-from passbook.core.forms.authentication import SignUpForm
-from passbook.core.models import Invitation, Nonce, User
-from passbook.core.signals import invitation_used, user_signed_up
-from passbook.lib.config import CONFIG
-from passbook.stages.password.exceptions import PasswordPolicyInvalid
+from passbook.core.models import Nonce
 
 LOGGER = get_logger()
 
@@ -24,146 +16,20 @@ LOGGER = get_logger()
 class LogoutView(LoginRequiredMixin, View):
     """Log current user out"""
 
-    def dispatch(self, request):
+    def dispatch(self, request: HttpRequest) -> HttpResponse:
         """Log current user out"""
         logout(request)
         messages.success(request, _("You've successfully been logged out."))
         return redirect(reverse("passbook_core:auth-login"))
 
 
-class SignUpView(UserPassesTestMixin, FormView):
-    """Sign up new user, optionally consume one-use invitation link."""
-
-    template_name = "login/form.html"
-    form_class = SignUpForm
-    success_url = "."
-    # Invitation instance, if invitation link was used
-    _invitation = None
-    # Instance of newly created user
-    _user = None
-
-    # Allow only not authenticated users to login
-    def test_func(self):
-        return self.request.user.is_authenticated is False
-
-    def handle_no_permission(self):
-        return redirect(reverse("passbook_core:overview"))
-
-    def dispatch(self, request, *args, **kwargs):
-        """Check if sign-up is enabled or invitation link given"""
-        allowed = False
-        if "invitation" in request.GET:
-            invitations = Invitation.objects.filter(uuid=request.GET.get("invitation"))
-            allowed = invitations.exists()
-            if allowed:
-                self._invitation = invitations.first()
-        if CONFIG.y("passbook.sign_up.enabled"):
-            allowed = True
-        if not allowed:
-            messages.error(request, _("Sign-ups are currently disabled."))
-            return redirect(reverse("passbook_core:auth-login"))
-        return super().dispatch(request, *args, **kwargs)
-
-    def get_initial(self):
-        if self._invitation:
-            initial = {}
-            if self._invitation.fixed_username:
-                initial["username"] = self._invitation.fixed_username
-            if self._invitation.fixed_email:
-                initial["email"] = self._invitation.fixed_email
-            return initial
-        return super().get_initial()
-
-    def get_context_data(self, **kwargs):
-        kwargs["config"] = CONFIG.y("passbook")
-        kwargs["title"] = _("Sign Up")
-        kwargs["primary_action"] = _("Sign up")
-        return super().get_context_data(**kwargs)
-
-    def form_valid(self, form: SignUpForm) -> HttpResponse:
-        """Create user"""
-        try:
-            self._user = SignUpView.create_user(form.cleaned_data, self.request)
-        except PasswordPolicyInvalid as exc:
-            # Manually inject error into form
-            # pylint: disable=protected-access
-            errors = form._errors.setdefault("password", ErrorList())
-            for error in exc.messages:
-                errors.append(error)
-            return self.form_invalid(form)
-        self.consume_invitation()
-        messages.success(self.request, _("Successfully signed up!"))
-        LOGGER.debug("Successfully signed up", email=form.cleaned_data.get("email"))
-        return redirect(reverse("passbook_core:auth-login"))
-
-    def consume_invitation(self):
-        """Consume invitation if an invitation was used"""
-        if self._invitation:
-            invitation_used.send(
-                sender=self,
-                request=self.request,
-                invitation=self._invitation,
-                user=self._user,
-            )
-            self._invitation.delete()
-
-    @staticmethod
-    def create_user(data: Dict, request: HttpRequest = None) -> User:
-        """Create user from data
-
-        Args:
-            data: Dictionary as returned by SignUpForm's cleaned_data
-            request: Optional current request.
-
-        Returns:
-            The user created
-
-        Raises:
-            PasswordPolicyInvalid: if any policy are not fulfilled.
-                                   This also deletes the created user.
-        """
-        # Create user
-        new_user = User.objects.create(
-            username=data.get("username"),
-            email=data.get("email"),
-            name=data.get("name"),
-        )
-        new_user.is_active = True
-        try:
-            new_user.set_password(data.get("password"))
-            new_user.save()
-            request.user = new_user
-            # Send signal for other auth sources
-            user_signed_up.send(sender=SignUpView, user=new_user, request=request)
-            return new_user
-        except PasswordPolicyInvalid as exc:
-            new_user.delete()
-            raise exc
-
-
-class SignUpConfirmView(View):
-    """Confirm registration from Nonce"""
-
-    def get(self, request, nonce):
-        """Verify UUID and activate user"""
-        nonce = get_object_or_404(Nonce, uuid=nonce)
-        nonce.user.is_active = True
-        nonce.user.save()
-        # Workaround: hardcoded reference to ModelBackend, needs testing
-        nonce.user.backend = "django.contrib.auth.backends.ModelBackend"
-        login(request, nonce.user)
-        nonce.delete()
-        messages.success(request, _("Successfully confirmed registration."))
-        return redirect("passbook_core:overview")
-
-
 class PasswordResetView(View):
     """Temporarily authenticate User and allow them to reset their password"""
 
-    def get(self, request, nonce):
+    def get(self, request: HttpRequest, nonce_uuid: str) -> HttpResponse:
         """Authenticate user with nonce and redirect to password change view"""
         # 3. (Optional) Trap user in password change view
-        nonce = get_object_or_404(Nonce, uuid=nonce)
+        nonce = get_object_or_404(Nonce, uuid=nonce_uuid)
         # Workaround: hardcoded reference to ModelBackend, needs testing
         nonce.user.backend = "django.contrib.auth.backends.ModelBackend"
         login(request, nonce.user)
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 608d1364d..9c970cbd9 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -79,37 +79,38 @@ INSTALLED_APPS = [
     "drf_yasg",
     "guardian",
     "django_prometheus",
-    "passbook.static.apps.PassbookStaticConfig",
     "passbook.admin.apps.PassbookAdminConfig",
     "passbook.api.apps.PassbookAPIConfig",
-    "passbook.lib.apps.PassbookLibConfig",
-    "passbook.flows.apps.PassbookFlowsConfig",
-    "passbook.policies.apps.PassbookPoliciesConfig",
     "passbook.audit.apps.PassbookAuditConfig",
     "passbook.crypto.apps.PassbookCryptoConfig",
-    "passbook.recovery.apps.PassbookRecoveryConfig",
-    "passbook.sources.saml.apps.PassbookSourceSAMLConfig",
-    "passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
-    "passbook.sources.oauth.apps.PassbookSourceOAuthConfig",
+    "passbook.flows.apps.PassbookFlowsConfig",
+    "passbook.lib.apps.PassbookLibConfig",
+    "passbook.policies.apps.PassbookPoliciesConfig",
+    "passbook.policies.dummy.apps.PassbookPolicyDummyConfig",
+    "passbook.policies.expiry.apps.PassbookPolicyExpiryConfig",
+    "passbook.policies.expression.apps.PassbookPolicyExpressionConfig",
+    "passbook.policies.hibp.apps.PassbookPolicyHIBPConfig",
+    "passbook.policies.password.apps.PassbookPoliciesPasswordConfig",
+    "passbook.policies.reputation.apps.PassbookPolicyReputationConfig",
+    "passbook.policies.webhook.apps.PassbookPoliciesWebhookConfig",
     "passbook.providers.app_gw.apps.PassbookApplicationApplicationGatewayConfig",
     "passbook.providers.oauth.apps.PassbookProviderOAuthConfig",
     "passbook.providers.oidc.apps.PassbookProviderOIDCConfig",
     "passbook.providers.saml.apps.PassbookProviderSAMLConfig",
     "passbook.providers.samlv2.apps.PassbookProviderSAMLv2Config",
+    "passbook.recovery.apps.PassbookRecoveryConfig",
+    "passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
+    "passbook.sources.oauth.apps.PassbookSourceOAuthConfig",
+    "passbook.sources.saml.apps.PassbookSourceSAMLConfig",
+    "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.dummy.apps.PassbookStageDummyConfig",
     "passbook.stages.login.apps.PassbookStageLoginConfig",
+    "passbook.stages.email.apps.PassbookStageEmailConfig",
+    "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
-    "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
-    "passbook.stages.email.apps.PassbookStageEmailConfig",
-    "passbook.policies.dummy.apps.PassbookPolicyDummyConfig",
-    "passbook.policies.expiry.apps.PassbookPolicyExpiryConfig",
-    "passbook.policies.reputation.apps.PassbookPolicyReputationConfig",
-    "passbook.policies.hibp.apps.PassbookPolicyHIBPConfig",
-    "passbook.policies.password.apps.PassbookPoliciesPasswordConfig",
-    "passbook.policies.webhook.apps.PassbookPoliciesWebhookConfig",
-    "passbook.policies.expression.apps.PassbookPolicyExpressionConfig",
+    "passbook.static.apps.PassbookStaticConfig",
 ]
 
 GUARDIAN_MONKEY_PATCH = False
diff --git a/passbook/stages/prompt/__init__.py b/passbook/stages/prompt/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/prompt/api.py b/passbook/stages/prompt/api.py
new file mode 100644
index 000000000..381e9427c
--- /dev/null
+++ b/passbook/stages/prompt/api.py
@@ -0,0 +1,48 @@
+"""Prompt Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.prompt.models import Prompt, PromptStage
+
+
+class PromptStageSerializer(ModelSerializer):
+    """PromptStage Serializer"""
+
+    class Meta:
+
+        model = PromptStage
+        fields = [
+            "pk",
+            "name",
+            "fields",
+        ]
+
+
+class PromptStageViewSet(ModelViewSet):
+    """PromptStage Viewset"""
+
+    queryset = PromptStage.objects.all()
+    serializer_class = PromptStageSerializer
+
+
+class PromptSerializer(ModelSerializer):
+    """Prompt Serializer"""
+
+    class Meta:
+
+        model = Prompt
+        fields = [
+            "pk",
+            "field_key",
+            "label",
+            "type",
+            "required",
+            "placeholder",
+        ]
+
+
+class PromptViewSet(ModelViewSet):
+    """Prompt Viewset"""
+
+    queryset = Prompt.objects.all()
+    serializer_class = PromptSerializer
diff --git a/passbook/stages/prompt/apps.py b/passbook/stages/prompt/apps.py
new file mode 100644
index 000000000..783823381
--- /dev/null
+++ b/passbook/stages/prompt/apps.py
@@ -0,0 +1,10 @@
+"""passbook prompt stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStagPromptConfig(AppConfig):
+    """passbook prompt stage config"""
+
+    name = "passbook.stages.prompt"
+    label = "passbook_stages_prompt"
+    verbose_name = "passbook Stages.Prompt"
diff --git a/passbook/stages/prompt/forms.py b/passbook/stages/prompt/forms.py
new file mode 100644
index 000000000..e15811cc2
--- /dev/null
+++ b/passbook/stages/prompt/forms.py
@@ -0,0 +1,29 @@
+"""Prompt forms"""
+from django import forms
+
+from passbook.stages.prompt.models import Prompt, PromptStage
+
+
+class PromptStageForm(forms.ModelForm):
+    """Form to create/edit Prompt Stage instances"""
+
+    class Meta:
+
+        model = PromptStage
+        fields = ["name", "fields"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
+
+
+class PromptForm(forms.Form):
+    """Dynamically created form based on PromptStage"""
+
+    stage: PromptStage
+
+    def __init__(self, stage: PromptStage, *args, **kwargs):
+        self.stage = stage
+        super().__init__(*args, **kwargs)
+        for field in self.stage.fields.all():
+            field: Prompt
+            self.fields[field.field_key] = field.field
diff --git a/passbook/stages/prompt/migrations/0001_initial.py b/passbook/stages/prompt/migrations/0001_initial.py
new file mode 100644
index 000000000..5227f0c67
--- /dev/null
+++ b/passbook/stages/prompt/migrations/0001_initial.py
@@ -0,0 +1,76 @@
+# Generated by Django 3.0.5 on 2020-05-10 14:03
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0003_auto_20200509_1258"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Prompt",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                (
+                    "field_key",
+                    models.SlugField(
+                        help_text="Name of the form field, also used to store the value"
+                    ),
+                ),
+                ("label", models.TextField()),
+                (
+                    "type",
+                    models.CharField(
+                        choices=[
+                            ("text", "Text"),
+                            ("e-mail", "Email"),
+                            ("password", "Password"),
+                            ("number", "Number"),
+                        ],
+                        max_length=100,
+                    ),
+                ),
+                ("required", models.BooleanField(default=True)),
+                ("placeholder", models.TextField()),
+            ],
+            options={"abstract": False,},
+        ),
+        migrations.CreateModel(
+            name="PromptStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+                ("fields", models.ManyToManyField(to="passbook_stages_prompt.Prompt")),
+            ],
+            options={
+                "verbose_name": "Prompt Stage",
+                "verbose_name_plural": "Prompt Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/stages/prompt/migrations/__init__.py b/passbook/stages/prompt/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/prompt/models.py b/passbook/stages/prompt/models.py
new file mode 100644
index 000000000..268e88741
--- /dev/null
+++ b/passbook/stages/prompt/models.py
@@ -0,0 +1,75 @@
+"""prompt models"""
+from django import forms
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+from passbook.lib.models import UUIDModel
+
+
+class FieldTypes(models.TextChoices):
+    """Field types an Prompt can be"""
+
+    TEXT = "text"
+    EMAIL = "e-mail"
+    PASSWORD = "password"  # noqa # nosec
+    NUMBER = "number"
+
+
+class Prompt(UUIDModel):
+    """Single Prompt, part of a prompt stage."""
+
+    field_key = models.SlugField(
+        help_text=_("Name of the form field, also used to store the value")
+    )
+    label = models.TextField()
+    type = models.CharField(max_length=100, choices=FieldTypes.choices)
+    required = models.BooleanField(default=True)
+    placeholder = models.TextField()
+
+    @property
+    def field(self):
+        """Return instantiated form input field"""
+        attrs = {"placeholder": _(self.placeholder)}
+        if self.type == FieldTypes.TEXT:
+            return forms.CharField(
+                label=_(self.label),
+                widget=forms.TextInput(attrs=attrs),
+                required=self.required,
+            )
+        if self.type == FieldTypes.EMAIL:
+            return forms.EmailField(
+                label=_(self.label),
+                widget=forms.TextInput(attrs=attrs),
+                required=self.required,
+            )
+        if self.type == FieldTypes.PASSWORD:
+            return forms.CharField(
+                label=_(self.label),
+                widget=forms.PasswordInput(attrs=attrs),
+                required=self.required,
+            )
+        if self.type == FieldTypes.NUMBER:
+            return forms.IntegerField(
+                label=_(self.label),
+                widget=forms.NumberInput(attrs=attrs),
+                requred=self.required,
+            )
+        raise ValueError
+
+
+class PromptStage(Stage):
+    """Prompt Stage, pointing to multiple prompts"""
+
+    fields = models.ManyToManyField(Prompt)
+
+    type = "passbook.stages.prompt.stage.PromptStageView"
+    form = "passbook.stages.prompt.forms.PromptStageForm"
+
+    def __str__(self):
+        return f"Prompt Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Prompt Stage")
+        verbose_name_plural = _("Prompt Stages")
diff --git a/passbook/stages/prompt/stage.py b/passbook/stages/prompt/stage.py
new file mode 100644
index 000000000..f25be58d6
--- /dev/null
+++ b/passbook/stages/prompt/stage.py
@@ -0,0 +1,35 @@
+"""Enrollment Stage Logic"""
+from django.http import HttpResponse
+from django.utils.translation import gettext_lazy as _
+from django.views.generic import FormView
+from structlog import get_logger
+
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.prompt.forms import PromptForm
+
+LOGGER = get_logger()
+PLAN_CONTEXT_PROMPT = "prompt_data"
+
+
+class EnrollmentStageView(FormView, AuthenticationStage):
+    """Enrollment Stage, save form data in plan context."""
+
+    template_name = "login/form.html"
+    form_class = PromptForm
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+        ctx["title"] = _(self.executor.current_stage.name)
+        return ctx
+
+    def get_form_kwargs(self):
+        kwargs = super().get_form_kwargs()
+        kwargs["stage"] = self.executor.current_stage
+        return kwargs
+
+    def form_valid(self, form: PromptForm) -> HttpResponse:
+        """Form data is valid"""
+        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
+            self.executor.plan.context[PLAN_CONTEXT_PROMPT] = {}
+        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(form.cleaned_data)
+        return self.executor.stage_ok()

From f111604b704632ecf2121c8dcbbd0002d6a447af Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 16:20:44 +0200
Subject: [PATCH 36/80] stages/login: -> stages/user_login: rename login to
 user_login for user_create stage

---
 passbook/api/v2/urls.py                       |  4 ++--
 .../flows/migrations/0002_default_flows.py    | 10 ++++----
 passbook/root/settings.py                     |  2 +-
 passbook/stages/login/api.py                  | 24 -------------------
 passbook/stages/login/apps.py                 | 10 --------
 passbook/stages/login/forms.py                | 16 -------------
 passbook/stages/login/models.py               | 19 ---------------
 .../stages/{login => user_login}/__init__.py  |  0
 passbook/stages/user_login/api.py             | 24 +++++++++++++++++++
 passbook/stages/user_login/apps.py            | 10 ++++++++
 passbook/stages/user_login/forms.py           | 16 +++++++++++++
 .../migrations/0001_initial.py                |  8 +++----
 .../migrations/__init__.py                    |  0
 passbook/stages/user_login/models.py          | 19 +++++++++++++++
 .../stages/{login => user_login}/stage.py     |  2 +-
 .../stages/{login => user_login}/tests.py     |  6 ++---
 16 files changed, 85 insertions(+), 85 deletions(-)
 delete mode 100644 passbook/stages/login/api.py
 delete mode 100644 passbook/stages/login/apps.py
 delete mode 100644 passbook/stages/login/forms.py
 delete mode 100644 passbook/stages/login/models.py
 rename passbook/stages/{login => user_login}/__init__.py (100%)
 create mode 100644 passbook/stages/user_login/api.py
 create mode 100644 passbook/stages/user_login/apps.py
 create mode 100644 passbook/stages/user_login/forms.py
 rename passbook/stages/{login => user_login}/migrations/0001_initial.py (80%)
 rename passbook/stages/{login => user_login}/migrations/__init__.py (100%)
 create mode 100644 passbook/stages/user_login/models.py
 rename passbook/stages/{login => user_login}/stage.py (97%)
 rename passbook/stages/{login => user_login}/tests.py (94%)

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 2adb3788d..b9fd4e23c 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -34,10 +34,10 @@ from passbook.sources.oauth.api import OAuthSourceViewSet
 from passbook.stages.captcha.api import CaptchaStageViewSet
 from passbook.stages.email.api import EmailStageViewSet
 from passbook.stages.identification.api import IdentificationStageViewSet
-from passbook.stages.login.api import LoginStageViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
+from passbook.stages.user_login.api import UserLoginStageViewSet
 
 LOGGER = get_logger()
 router = routers.DefaultRouter()
@@ -83,7 +83,7 @@ router.register("stages/email", EmailStageViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/identification", IdentificationStageViewSet)
-router.register("stages/login", LoginStageViewSet)
+router.register("stages/user_login", UserLoginStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
 
diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index d42b8ded6..2db2f3af4 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -12,7 +12,7 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     Flow = apps.get_model("passbook_flows", "Flow")
     FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
     PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
-    LoginStage = apps.get_model("passbook_stages_login", "LoginStage")
+    UserLoginStage = apps.get_model("passbook_stages_user_login", "UserLoginStage")
     IdentificationStage = apps.get_model(
         "passbook_stages_identification", "IdentificationStage"
     )
@@ -34,12 +34,12 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
             name="password", backends=["django.contrib.auth.backends.ModelBackend"],
         )
 
-    if not LoginStage.objects.using(db_alias).exists():
-        LoginStage.objects.using(db_alias).create(name="authentication")
+    if not UserLoginStage.objects.using(db_alias).exists():
+        UserLoginStage.objects.using(db_alias).create(name="authentication")
 
     ident_stage = IdentificationStage.objects.using(db_alias).first()
     pw_stage = PasswordStage.objects.using(db_alias).first()
-    login_stage = LoginStage.objects.using(db_alias).first()
+    login_stage = UserLoginStage.objects.using(db_alias).first()
     flow = Flow.objects.using(db_alias).create(
         name="default-authentication-flow",
         slug="default-authentication-flow",
@@ -60,7 +60,7 @@ class Migration(migrations.Migration):
 
     dependencies = [
         ("passbook_flows", "0001_initial"),
-        ("passbook_stages_login", "0001_initial"),
+        ("passbook_stages_user_login", "0001_initial"),
         ("passbook_stages_password", "0001_initial"),
         ("passbook_stages_identification", "0001_initial"),
     ]
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 9c970cbd9..c0405bd42 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -104,10 +104,10 @@ INSTALLED_APPS = [
     "passbook.sources.saml.apps.PassbookSourceSAMLConfig",
     "passbook.stages.captcha.apps.PassbookStageCaptchaConfig",
     "passbook.stages.dummy.apps.PassbookStageDummyConfig",
-    "passbook.stages.login.apps.PassbookStageLoginConfig",
     "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
+    "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
     "passbook.static.apps.PassbookStaticConfig",
diff --git a/passbook/stages/login/api.py b/passbook/stages/login/api.py
deleted file mode 100644
index eb28d9042..000000000
--- a/passbook/stages/login/api.py
+++ /dev/null
@@ -1,24 +0,0 @@
-"""Login Stage API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.stages.login.models import LoginStage
-
-
-class LoginStageSerializer(ModelSerializer):
-    """LoginStage Serializer"""
-
-    class Meta:
-
-        model = LoginStage
-        fields = [
-            "pk",
-            "name",
-        ]
-
-
-class LoginStageViewSet(ModelViewSet):
-    """LoginStage Viewset"""
-
-    queryset = LoginStage.objects.all()
-    serializer_class = LoginStageSerializer
diff --git a/passbook/stages/login/apps.py b/passbook/stages/login/apps.py
deleted file mode 100644
index 83ec4e638..000000000
--- a/passbook/stages/login/apps.py
+++ /dev/null
@@ -1,10 +0,0 @@
-"""passbook login stage app config"""
-from django.apps import AppConfig
-
-
-class PassbookStageLoginConfig(AppConfig):
-    """passbook login stage config"""
-
-    name = "passbook.stages.login"
-    label = "passbook_stages_login"
-    verbose_name = "passbook Stages.Login"
diff --git a/passbook/stages/login/forms.py b/passbook/stages/login/forms.py
deleted file mode 100644
index 5dc8d6ee5..000000000
--- a/passbook/stages/login/forms.py
+++ /dev/null
@@ -1,16 +0,0 @@
-"""passbook flows login forms"""
-from django import forms
-
-from passbook.stages.login.models import LoginStage
-
-
-class LoginStageForm(forms.ModelForm):
-    """Form to create/edit LoginStage instances"""
-
-    class Meta:
-
-        model = LoginStage
-        fields = ["name"]
-        widgets = {
-            "name": forms.TextInput(),
-        }
diff --git a/passbook/stages/login/models.py b/passbook/stages/login/models.py
deleted file mode 100644
index b48f0566e..000000000
--- a/passbook/stages/login/models.py
+++ /dev/null
@@ -1,19 +0,0 @@
-"""login stage models"""
-from django.utils.translation import gettext_lazy as _
-
-from passbook.flows.models import Stage
-
-
-class LoginStage(Stage):
-    """Login stage, allows a user to identify themselves to authenticate."""
-
-    type = "passbook.stages.login.stage.LoginStageView"
-    form = "passbook.stages.login.forms.LoginStageForm"
-
-    def __str__(self):
-        return f"Login Stage {self.name}"
-
-    class Meta:
-
-        verbose_name = _("Login Stage")
-        verbose_name_plural = _("Login Stages")
diff --git a/passbook/stages/login/__init__.py b/passbook/stages/user_login/__init__.py
similarity index 100%
rename from passbook/stages/login/__init__.py
rename to passbook/stages/user_login/__init__.py
diff --git a/passbook/stages/user_login/api.py b/passbook/stages/user_login/api.py
new file mode 100644
index 000000000..19188172e
--- /dev/null
+++ b/passbook/stages/user_login/api.py
@@ -0,0 +1,24 @@
+"""Login Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.user_login.models import UserLoginStage
+
+
+class UserLoginStageSerializer(ModelSerializer):
+    """UserLoginStage Serializer"""
+
+    class Meta:
+
+        model = UserLoginStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class UserLoginStageViewSet(ModelViewSet):
+    """UserLoginStage Viewset"""
+
+    queryset = UserLoginStage.objects.all()
+    serializer_class = UserLoginStageSerializer
diff --git a/passbook/stages/user_login/apps.py b/passbook/stages/user_login/apps.py
new file mode 100644
index 000000000..a032dfd72
--- /dev/null
+++ b/passbook/stages/user_login/apps.py
@@ -0,0 +1,10 @@
+"""passbook login stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserLoginConfig(AppConfig):
+    """passbook login stage config"""
+
+    name = "passbook.stages.user_login"
+    label = "passbook_stages_user_login"
+    verbose_name = "passbook Stages.User Login"
diff --git a/passbook/stages/user_login/forms.py b/passbook/stages/user_login/forms.py
new file mode 100644
index 000000000..e5f26fb71
--- /dev/null
+++ b/passbook/stages/user_login/forms.py
@@ -0,0 +1,16 @@
+"""passbook flows login forms"""
+from django import forms
+
+from passbook.stages.user_login.models import UserLoginStage
+
+
+class UserLoginStageForm(forms.ModelForm):
+    """Form to create/edit UserLoginStage instances"""
+
+    class Meta:
+
+        model = UserLoginStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/stages/login/migrations/0001_initial.py b/passbook/stages/user_login/migrations/0001_initial.py
similarity index 80%
rename from passbook/stages/login/migrations/0001_initial.py
rename to passbook/stages/user_login/migrations/0001_initial.py
index 52e6060d8..5341ba28c 100644
--- a/passbook/stages/login/migrations/0001_initial.py
+++ b/passbook/stages/user_login/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.3 on 2020-05-09 20:26
+# Generated by Django 3.0.5 on 2020-05-10 14:03
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -14,7 +14,7 @@ class Migration(migrations.Migration):
 
     operations = [
         migrations.CreateModel(
-            name="LoginStage",
+            name="UserLoginStage",
             fields=[
                 (
                     "stage_ptr",
@@ -29,8 +29,8 @@ class Migration(migrations.Migration):
                 ),
             ],
             options={
-                "verbose_name": "Login Stage",
-                "verbose_name_plural": "Login Stages",
+                "verbose_name": "User Login Stage",
+                "verbose_name_plural": "User Login Stages",
             },
             bases=("passbook_flows.stage",),
         ),
diff --git a/passbook/stages/login/migrations/__init__.py b/passbook/stages/user_login/migrations/__init__.py
similarity index 100%
rename from passbook/stages/login/migrations/__init__.py
rename to passbook/stages/user_login/migrations/__init__.py
diff --git a/passbook/stages/user_login/models.py b/passbook/stages/user_login/models.py
new file mode 100644
index 000000000..18a5bf4aa
--- /dev/null
+++ b/passbook/stages/user_login/models.py
@@ -0,0 +1,19 @@
+"""login stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserLoginStage(Stage):
+    """Login stage, allows a user to identify themselves to authenticate."""
+
+    type = "passbook.stages.user_login.stage.UserLoginStageView"
+    form = "passbook.stages.user_login.forms.UserLoginStageForm"
+
+    def __str__(self):
+        return f"User Login Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("User Login Stage")
+        verbose_name_plural = _("User Login Stages")
diff --git a/passbook/stages/login/stage.py b/passbook/stages/user_login/stage.py
similarity index 97%
rename from passbook/stages/login/stage.py
rename to passbook/stages/user_login/stage.py
index 1e43c163f..6b3c85969 100644
--- a/passbook/stages/login/stage.py
+++ b/passbook/stages/user_login/stage.py
@@ -12,7 +12,7 @@ from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 LOGGER = get_logger()
 
 
-class LoginStageView(AuthenticationStage):
+class UserLoginStageView(AuthenticationStage):
     """Finalise Authentication flow by logging the user in"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
diff --git a/passbook/stages/login/tests.py b/passbook/stages/user_login/tests.py
similarity index 94%
rename from passbook/stages/login/tests.py
rename to passbook/stages/user_login/tests.py
index e15078567..93b77f85e 100644
--- a/passbook/stages/login/tests.py
+++ b/passbook/stages/user_login/tests.py
@@ -6,11 +6,11 @@ from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from passbook.flows.views import SESSION_KEY_PLAN
-from passbook.stages.login.models import LoginStage
 from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.user_login.models import UserLoginStage
 
 
-class TestLoginStage(TestCase):
+class TestUserLoginStage(TestCase):
     """Login tests"""
 
     def setUp(self):
@@ -23,7 +23,7 @@ class TestLoginStage(TestCase):
             slug="test-login",
             designation=FlowDesignation.AUTHENTICATION,
         )
-        self.stage = LoginStage.objects.create(name="login")
+        self.stage = UserLoginStage.objects.create(name="login")
         FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
 
     def test_valid_password(self):

From a3a3dde1c8bef04fd32a19da2b7836cbc7b1d608 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 17:02:01 +0200
Subject: [PATCH 37/80] stages/dummy: add unittests

stages/password: improve coverage
stages/user_login: improve coverage
---
 passbook/api/v2/urls.py                |  8 ++---
 passbook/core/views/user.py            |  7 ++--
 passbook/root/settings.py              |  1 +
 passbook/stages/dummy/tests.py         | 50 ++++++++++++++++++++++++++
 passbook/stages/password/exceptions.py | 12 -------
 passbook/stages/password/models.py     | 18 ----------
 passbook/stages/prompt/models.py       |  2 +-
 passbook/stages/user_login/tests.py    |  6 ++++
 8 files changed, 65 insertions(+), 39 deletions(-)
 create mode 100644 passbook/stages/dummy/tests.py
 delete mode 100644 passbook/stages/password/exceptions.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index b9fd4e23c..23b3b1ab1 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -60,12 +60,12 @@ router.register("sources/ldap", LDAPSourceViewSet)
 router.register("sources/oauth", OAuthSourceViewSet)
 
 router.register("policies/all", PolicyViewSet)
-router.register("policies/passwordexpiry", PasswordExpiryPolicyViewSet)
+router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
+router.register("policies/passwordexpiry", PasswordExpiryPolicyViewSet)
 router.register("policies/reputation", ReputationPolicyViewSet)
 router.register("policies/webhook", WebhookPolicyViewSet)
-router.register("policies/expression", ExpressionPolicyViewSet)
 
 router.register("providers/all", ProviderViewSet)
 router.register("providers/applicationgateway", ApplicationGatewayProviderViewSet)
@@ -80,12 +80,12 @@ router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("stages/all", StageViewSet)
 router.register("stages/captcha", CaptchaStageViewSet)
 router.register("stages/email", EmailStageViewSet)
+router.register("stages/identification", IdentificationStageViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
-router.register("stages/identification", IdentificationStageViewSet)
-router.register("stages/user_login", UserLoginStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
+router.register("stages/user_login", UserLoginStageViewSet)
 
 router.register("flows", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
diff --git a/passbook/core/views/user.py b/passbook/core/views/user.py
index 0127266a9..215efb2f5 100644
--- a/passbook/core/views/user.py
+++ b/passbook/core/views/user.py
@@ -11,7 +11,6 @@ from django.views.generic import DeleteView, FormView, UpdateView
 
 from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
 from passbook.lib.config import CONFIG
-from passbook.stages.password.exceptions import PasswordPolicyInvalid
 
 
 class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
@@ -48,20 +47,20 @@ class UserChangePasswordView(LoginRequiredMixin, FormView):
     template_name = "login/form_with_user.html"
 
     def form_valid(self, form: PasswordChangeForm):
+        # TODO: Rewrite to flow
         try:
             # user.set_password checks against Policies so we don't need to manually do it here
             self.request.user.set_password(form.cleaned_data.get("password"))
             self.request.user.save()
             update_session_auth_hash(self.request, self.request.user)
             messages.success(self.request, _("Successfully changed password"))
-        except PasswordPolicyInvalid as exc:
+        except ValueError:
             # Manually inject error into form
             # pylint: disable=protected-access
             errors = form._errors.setdefault("password_repeat", ErrorList(""))
             # pylint: disable=protected-access
             errors = form._errors.setdefault("password", ErrorList())
-            for error in exc.messages:
-                errors.append(error)
+            errors.append("foo")
             return self.form_invalid(form)
         return redirect("passbook_core:overview")
 
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index c0405bd42..ac8534c3e 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -352,6 +352,7 @@ for handler_name, level in _LOGGING_HANDLER_MAP.items():
 
 TEST = False
 TEST_RUNNER = "xmlrunner.extra.djangotestrunner.XMLTestRunner"
+TEST_OUTPUT_VERBOSE = 2
 
 TEST_OUTPUT_FILE_NAME = "unittest.xml"
 
diff --git a/passbook/stages/dummy/tests.py b/passbook/stages/dummy/tests.py
new file mode 100644
index 000000000..390f47aa8
--- /dev/null
+++ b/passbook/stages/dummy/tests.py
@@ -0,0 +1,50 @@
+"""dummy tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.stages.dummy.forms import DummyStageForm
+from passbook.stages.dummy.models import DummyStage
+
+
+class TestDummyStage(TestCase):
+    """Dummy tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-dummy",
+            slug="test-dummy",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = DummyStage.objects.create(name="dummy",)
+        FlowStageBinding.objects.create(
+            flow=self.flow, stage=self.stage, order=0,
+        )
+
+    def test_valid_render(self):
+        """Test that View renders correctly"""
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_post(self):
+        """Test with valid email, check that URL redirects back to itself"""
+        url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+        )
+        response = self.client.post(url, {})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(DummyStageForm(data).is_valid(), True)
diff --git a/passbook/stages/password/exceptions.py b/passbook/stages/password/exceptions.py
deleted file mode 100644
index ca56c03c0..000000000
--- a/passbook/stages/password/exceptions.py
+++ /dev/null
@@ -1,12 +0,0 @@
-"""passbook password policy exceptions"""
-from passbook.lib.sentry import SentryIgnoredException
-
-
-class PasswordPolicyInvalid(SentryIgnoredException):
-    """Exception raised when a Password Policy fails"""
-
-    messages = []
-
-    def __init__(self, *messages):
-        super().__init__()
-        self.messages = messages
diff --git a/passbook/stages/password/models.py b/passbook/stages/password/models.py
index 74359a876..8d585cfb6 100644
--- a/passbook/stages/password/models.py
+++ b/passbook/stages/password/models.py
@@ -3,8 +3,6 @@ from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from passbook.core.models import Policy, User
-from passbook.core.types import UIUserSettings
 from passbook.flows.models import Stage
 
 
@@ -15,26 +13,10 @@ class PasswordStage(Stage):
         models.TextField(),
         help_text=_("Selection of backends to test the password against."),
     )
-    password_policies = models.ManyToManyField(Policy, blank=True)
 
     type = "passbook.stages.password.stage.PasswordStage"
     form = "passbook.stages.password.forms.PasswordStageForm"
 
-    @property
-    def ui_user_settings(self) -> UIUserSettings:
-        return UIUserSettings(
-            name="Change Password",
-            icon="pficon-key",
-            view_name="passbook_core:user-change-password",
-        )
-
-    def password_passes(self, user: User) -> bool:
-        """Return true if user's password passes, otherwise False or raise Exception"""
-        for policy in self.policies.all():
-            if not policy.passes(user):
-                return False
-        return True
-
     def __str__(self):
         return f"Password Stage {self.name}"
 
diff --git a/passbook/stages/prompt/models.py b/passbook/stages/prompt/models.py
index 268e88741..f0c85b6f9 100644
--- a/passbook/stages/prompt/models.py
+++ b/passbook/stages/prompt/models.py
@@ -53,7 +53,7 @@ class Prompt(UUIDModel):
             return forms.IntegerField(
                 label=_(self.label),
                 widget=forms.NumberInput(attrs=attrs),
-                requred=self.required,
+                required=self.required,
             )
         raise ValueError
 
diff --git a/passbook/stages/user_login/tests.py b/passbook/stages/user_login/tests.py
index 93b77f85e..83bb38b74 100644
--- a/passbook/stages/user_login/tests.py
+++ b/passbook/stages/user_login/tests.py
@@ -7,6 +7,7 @@ from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.user_login.forms import UserLoginStageForm
 from passbook.stages.user_login.models import UserLoginStage
 
 
@@ -75,3 +76,8 @@ class TestUserLoginStage(TestCase):
         )
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(UserLoginStageForm(data).is_valid(), True)

From f6461b08d7ca35691c04eb6187ea0c4745bbec32 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 17:52:26 +0200
Subject: [PATCH 38/80] stages/prompt: add unittests

---
 passbook/stages/prompt/models.py |  22 ++++-
 passbook/stages/prompt/stage.py  |   6 +-
 passbook/stages/prompt/tests.py  | 147 +++++++++++++++++++++++++++++++
 3 files changed, 171 insertions(+), 4 deletions(-)
 create mode 100644 passbook/stages/prompt/tests.py

diff --git a/passbook/stages/prompt/models.py b/passbook/stages/prompt/models.py
index f0c85b6f9..28df19fb0 100644
--- a/passbook/stages/prompt/models.py
+++ b/passbook/stages/prompt/models.py
@@ -14,6 +14,7 @@ class FieldTypes(models.TextChoices):
     EMAIL = "e-mail"
     PASSWORD = "password"  # noqa # nosec
     NUMBER = "number"
+    HIDDEN = "hidden"
 
 
 class Prompt(UUIDModel):
@@ -55,7 +56,26 @@ class Prompt(UUIDModel):
                 widget=forms.NumberInput(attrs=attrs),
                 required=self.required,
             )
-        raise ValueError
+        if self.type == FieldTypes.HIDDEN:
+            return forms.CharField(
+                widget=forms.HiddenInput(attrs=attrs),
+                required=False,
+                initial=self.placeholder,
+            )
+        raise ValueError("field_type is not valid, not one of FieldTypes.")
+
+    def save(self, *args, **kwargs):
+        if self.type not in FieldTypes:
+            raise ValueError
+        return super().save(*args, **kwargs)
+
+    def __str__(self):
+        return f"Prompt '{self.field_key}' type={self.type}'"
+
+    class Meta:
+
+        verbose_name = _("Prompt")
+        verbose_name_plural = _("Prompts")
 
 
 class PromptStage(Stage):
diff --git a/passbook/stages/prompt/stage.py b/passbook/stages/prompt/stage.py
index f25be58d6..08c2601a7 100644
--- a/passbook/stages/prompt/stage.py
+++ b/passbook/stages/prompt/stage.py
@@ -1,4 +1,4 @@
-"""Enrollment Stage Logic"""
+"""Prompt Stage Logic"""
 from django.http import HttpResponse
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import FormView
@@ -11,8 +11,8 @@ LOGGER = get_logger()
 PLAN_CONTEXT_PROMPT = "prompt_data"
 
 
-class EnrollmentStageView(FormView, AuthenticationStage):
-    """Enrollment Stage, save form data in plan context."""
+class PromptStageView(FormView, AuthenticationStage):
+    """Prompt Stage, save form data in plan context."""
 
     template_name = "login/form.html"
     form_class = PromptForm
diff --git a/passbook/stages/prompt/tests.py b/passbook/stages/prompt/tests.py
new file mode 100644
index 000000000..f94decf4a
--- /dev/null
+++ b/passbook/stages/prompt/tests.py
@@ -0,0 +1,147 @@
+"""Prompt tests"""
+from unittest.mock import MagicMock, patch
+
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.prompt.forms import PromptForm
+from passbook.stages.prompt.models import FieldTypes, Prompt, PromptStage
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+
+class TestPromptStage(TestCase):
+    """Prompt tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-prompt",
+            slug="test-prompt",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        text_prompt = Prompt.objects.create(
+            field_key="text_prompt",
+            label="TEXT_LABEL",
+            type=FieldTypes.TEXT,
+            required=True,
+            placeholder="TEXT_PLACEHOLDER",
+        )
+        email_prompt = Prompt.objects.create(
+            field_key="email_prompt",
+            label="EMAIL_LABEL",
+            type=FieldTypes.EMAIL,
+            required=True,
+            placeholder="EMAIL_PLACEHOLDER",
+        )
+        password_prompt = Prompt.objects.create(
+            field_key="password_prompt",
+            label="PASSWORD_LABEL",
+            type=FieldTypes.PASSWORD,
+            required=True,
+            placeholder="PASSWORD_PLACEHOLDER",
+        )
+        number_prompt = Prompt.objects.create(
+            field_key="number_prompt",
+            label="NUMBER_LABEL",
+            type=FieldTypes.NUMBER,
+            required=True,
+            placeholder="NUMBER_PLACEHOLDER",
+        )
+        hidden_prompt = Prompt.objects.create(
+            field_key="hidden_prompt",
+            type=FieldTypes.HIDDEN,
+            required=True,
+            placeholder="HIDDEN_PLACEHOLDER",
+        )
+        self.stage = PromptStage.objects.create(name="prompt-stage")
+        self.stage.fields.set(
+            [text_prompt, email_prompt, password_prompt, number_prompt, hidden_prompt,]
+        )
+        self.stage.save()
+
+        self.prompt_data = {
+            text_prompt.field_key: "test-input",
+            email_prompt.field_key: "test@test.test",
+            password_prompt.field_key: "test",
+            number_prompt.field_key: 3,
+            hidden_prompt.field_key: hidden_prompt.placeholder,
+        }
+
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_invalid_type(self):
+        """Test that invalid form type raises an error"""
+        with self.assertRaises(ValueError):
+            _ = Prompt.objects.create(
+                field_key="hidden_prompt",
+                type="invalid",
+                required=True,
+                placeholder="HIDDEN_PLACEHOLDER",
+            )
+        with self.assertRaises(ValueError):
+            prompt = Prompt.objects.create(
+                field_key="hidden_prompt",
+                type=FieldTypes.HIDDEN,
+                required=True,
+                placeholder="HIDDEN_PLACEHOLDER",
+            )
+            with patch.object(prompt, "type", MagicMock(return_value="invalid")):
+                _ = prompt.field
+
+    def test_render(self):
+        """Test render of form, check if all prompts are rendered correctly"""
+        plan = FlowPlan(stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        for prompt in self.stage.fields.all():
+            self.assertIn(prompt.field_key, response.rendered_content)
+            self.assertIn(prompt.label, response.rendered_content)
+            self.assertIn(prompt.placeholder, response.rendered_content)
+
+    def test_valid_form(self) -> PromptForm:
+        """Test form validation"""
+        form = PromptForm(stage=self.stage, data=self.prompt_data)
+        self.assertEqual(form.is_valid(), True)
+        return form
+
+    def test_valid_form_request(self):
+        """Test a request with valid form data"""
+        plan = FlowPlan(stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        form = self.test_valid_form()
+
+        with patch("passbook.flows.views.FlowExecutorView.cancel", MagicMock()):
+            response = self.client.post(
+                reverse(
+                    "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+                ),
+                form.cleaned_data,
+            )
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+        # Check that valid data has been saved
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        data = plan.context[PLAN_CONTEXT_PROMPT]
+        for prompt in self.stage.fields.all():
+            prompt: Prompt
+            self.assertEqual(data[prompt.field_key], self.prompt_data[prompt.field_key])

From 8dc3c49a2f74e5f60467e9d21b10411d706815fb Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 18:04:23 +0200
Subject: [PATCH 39/80] stages/user_create: add stage to create user after
 prompts

---
 passbook/api/v2/urls.py                       |  2 +
 passbook/root/settings.py                     |  3 +-
 passbook/stages/user_create/__init__.py       |  0
 passbook/stages/user_create/api.py            | 24 ++++++
 passbook/stages/user_create/apps.py           | 10 +++
 passbook/stages/user_create/forms.py          | 16 ++++
 .../user_create/migrations/0001_initial.py    | 37 ++++++++++
 .../stages/user_create/migrations/__init__.py |  0
 passbook/stages/user_create/models.py         | 19 +++++
 passbook/stages/user_create/stage.py          | 39 ++++++++++
 passbook/stages/user_create/tests.py          | 73 +++++++++++++++++++
 11 files changed, 222 insertions(+), 1 deletion(-)
 create mode 100644 passbook/stages/user_create/__init__.py
 create mode 100644 passbook/stages/user_create/api.py
 create mode 100644 passbook/stages/user_create/apps.py
 create mode 100644 passbook/stages/user_create/forms.py
 create mode 100644 passbook/stages/user_create/migrations/0001_initial.py
 create mode 100644 passbook/stages/user_create/migrations/__init__.py
 create mode 100644 passbook/stages/user_create/models.py
 create mode 100644 passbook/stages/user_create/stage.py
 create mode 100644 passbook/stages/user_create/tests.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 23b3b1ab1..b06c3e45b 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -37,6 +37,7 @@ from passbook.stages.identification.api import IdentificationStageViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
+from passbook.stages.user_create.api import UserCreateStageViewSet
 from passbook.stages.user_login.api import UserLoginStageViewSet
 
 LOGGER = get_logger()
@@ -85,6 +86,7 @@ router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
+router.register("stages/user_create", UserCreateStageViewSet)
 router.register("stages/user_login", UserLoginStageViewSet)
 
 router.register("flows", FlowViewSet)
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index ac8534c3e..ca5a6c087 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -107,6 +107,7 @@ INSTALLED_APPS = [
     "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
+    "passbook.stages.user_create.apps.PassbookStageUserCreateConfig",
     "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
@@ -357,7 +358,7 @@ TEST_OUTPUT_VERBOSE = 2
 TEST_OUTPUT_FILE_NAME = "unittest.xml"
 
 if any("test" in arg for arg in sys.argv):
-    LOGGING = None
+    # LOGGING = None
     TEST = True
     CELERY_TASK_ALWAYS_EAGER = True
 
diff --git a/passbook/stages/user_create/__init__.py b/passbook/stages/user_create/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_create/api.py b/passbook/stages/user_create/api.py
new file mode 100644
index 000000000..d95415eed
--- /dev/null
+++ b/passbook/stages/user_create/api.py
@@ -0,0 +1,24 @@
+"""User Create Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.user_create.models import UserCreateStage
+
+
+class UserCreateStageSerializer(ModelSerializer):
+    """UserCreateStage Serializer"""
+
+    class Meta:
+
+        model = UserCreateStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class UserCreateStageViewSet(ModelViewSet):
+    """UserCreateStage Viewset"""
+
+    queryset = UserCreateStage.objects.all()
+    serializer_class = UserCreateStageSerializer
diff --git a/passbook/stages/user_create/apps.py b/passbook/stages/user_create/apps.py
new file mode 100644
index 000000000..27bb3b467
--- /dev/null
+++ b/passbook/stages/user_create/apps.py
@@ -0,0 +1,10 @@
+"""passbook create stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserCreateConfig(AppConfig):
+    """passbook create stage config"""
+
+    name = "passbook.stages.user_create"
+    label = "passbook_stages_user_create"
+    verbose_name = "passbook Stages.User Create"
diff --git a/passbook/stages/user_create/forms.py b/passbook/stages/user_create/forms.py
new file mode 100644
index 000000000..edf5bb784
--- /dev/null
+++ b/passbook/stages/user_create/forms.py
@@ -0,0 +1,16 @@
+"""passbook flows create forms"""
+from django import forms
+
+from passbook.stages.user_create.models import UserCreateStage
+
+
+class UserCreateStageForm(forms.ModelForm):
+    """Form to create/edit UserCreateStage instances"""
+
+    class Meta:
+
+        model = UserCreateStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/stages/user_create/migrations/0001_initial.py b/passbook/stages/user_create/migrations/0001_initial.py
new file mode 100644
index 000000000..35f3d418f
--- /dev/null
+++ b/passbook/stages/user_create/migrations/0001_initial.py
@@ -0,0 +1,37 @@
+# Generated by Django 3.0.5 on 2020-05-10 14:26
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0003_auto_20200509_1258"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="UserCreateStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "User Create Stage",
+                "verbose_name_plural": "User Create Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/stages/user_create/migrations/__init__.py b/passbook/stages/user_create/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_create/models.py b/passbook/stages/user_create/models.py
new file mode 100644
index 000000000..f0b48a97b
--- /dev/null
+++ b/passbook/stages/user_create/models.py
@@ -0,0 +1,19 @@
+"""create stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserCreateStage(Stage):
+    """Create stage, create a user from saved data."""
+
+    type = "passbook.stages.user_create.stage.UserCreateStageView"
+    form = "passbook.stages.user_create.forms.UserCreateStageForm"
+
+    def __str__(self):
+        return f"User Create Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("User Create Stage")
+        verbose_name_plural = _("User Create Stages")
diff --git a/passbook/stages/user_create/stage.py b/passbook/stages/user_create/stage.py
new file mode 100644
index 000000000..122324683
--- /dev/null
+++ b/passbook/stages/user_create/stage.py
@@ -0,0 +1,39 @@
+"""Create stage logic"""
+from django.contrib import messages
+from django.contrib.auth.backends import ModelBackend
+from django.http import HttpRequest, HttpResponse
+from django.utils.translation import gettext as _
+from structlog import get_logger
+
+from passbook.core.models import User
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.lib.utils.reflection import class_to_path
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+LOGGER = get_logger()
+
+
+class UserCreateStageView(AuthenticationStage):
+    """Finalise Enrollment flow by creating a user object."""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
+            message = _("No Pending data.")
+            messages.error(request, message)
+            LOGGER.debug(message)
+            return self.executor.stage_invalid()
+        data = self.executor.plan.context[PLAN_CONTEXT_PROMPT]
+        user = User.objects.create_user(**data)
+        # Set created user as pending_user, so this can be chained with user_login
+        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
+        self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = class_to_path(
+            ModelBackend
+        )
+        LOGGER.debug(
+            "Created user",
+            user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
+            flow_slug=self.executor.flow.slug,
+        )
+        return self.executor.stage_ok()
diff --git a/passbook/stages/user_create/tests.py b/passbook/stages/user_create/tests.py
new file mode 100644
index 000000000..d0f21ba88
--- /dev/null
+++ b/passbook/stages/user_create/tests.py
@@ -0,0 +1,73 @@
+"""create tests"""
+import string
+from random import SystemRandom
+
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from passbook.stages.user_create.models import UserCreateStage
+
+
+class TestUserCreateStage(TestCase):
+    """Create tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.client = Client()
+
+        self.password = "".join(
+            SystemRandom().choice(string.ascii_uppercase + string.digits)
+            for _ in range(8)
+        )
+        self.flow = Flow.objects.create(
+            name="test-create",
+            slug="test-create",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = UserCreateStage.objects.create(name="create")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_valid_create(self):
+        """Test creation of user"""
+        plan = FlowPlan(stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            "username": "test-user",
+            "name": "name",
+            "email": "test@beryju.org",
+            "password": self.password,
+        }
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertTrue(
+            User.objects.filter(
+                username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
+            ).exists()
+        )
+
+    def test_without_data(self):
+        """Test without data results in error"""
+        plan = FlowPlan(stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))

From 1d03b3675040d4f050b0a8162ad11fc2b5f94c7f Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 18:14:10 +0200
Subject: [PATCH 40/80] stages/identification: show sign up url when related
 flow exists

---
 passbook/core/templates/login/base.html |  4 ++--
 passbook/flows/models.py                |  5 +++++
 passbook/lib/default.yml                |  7 -------
 passbook/stages/identification/stage.py | 18 ++++++++++++------
 4 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/passbook/core/templates/login/base.html b/passbook/core/templates/login/base.html
index ae82cfe3c..15f99a209 100644
--- a/passbook/core/templates/login/base.html
+++ b/passbook/core/templates/login/base.html
@@ -63,11 +63,11 @@
                     </li>
                     {% endfor %}
                 </ul>
-                {% if show_sign_up_notice %}
+                {% if enroll_url %}
                 <div class="pf-c-login__main-footer-band">
                     <p class="pf-c-login__main-footer-band-item">
                         {% trans 'Need an account?' %}
-                        <a href="{% url 'passbook_core:auth-sign-up' %}">{% trans 'Sign up.' %}</a>
+                        <a href="{{ enroll_url }}">{% trans 'Sign up.' %}</a>
                     </p>
                 </div>
                 {% endif %}
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index cb62df1f7..d24df11f5 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -56,6 +56,11 @@ class Flow(PolicyBindingModel, UUIDModel):
         PolicyBindingModel, parent_link=True, on_delete=models.CASCADE, related_name="+"
     )
 
+    def related_flow(self, designation: str) -> Optional["Flow"]:
+        """Get a related flow with `designation`. Currently this only queries
+        Flows by `designation`, but will eventually use `self` for related lookups."""
+        return Flow.objects.filter(designation=designation).first()
+
     def __str__(self) -> str:
         return f"Flow {self.name} ({self.slug})"
 
diff --git a/passbook/lib/default.yml b/passbook/lib/default.yml
index 591a17109..867b3798d 100644
--- a/passbook/lib/default.yml
+++ b/passbook/lib/default.yml
@@ -19,9 +19,6 @@ error_reporting: false
 domain: localhost
 
 passbook:
-  sign_up:
-    # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true
-    enabled: true
   password_reset:
     # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true
     enabled: true
@@ -30,7 +27,3 @@ passbook:
       # Optionally add links to the footer on the login page
       #  - name: test
       #    href: https://test
-  # Specify which fields can be used to authenticate. Can be any combination of `username` and `email`
-  uid_fields:
-    - username
-    - email
diff --git a/passbook/stages/identification/stage.py b/passbook/stages/identification/stage.py
index 9e9fb4b0b..81ca912f5 100644
--- a/passbook/stages/identification/stage.py
+++ b/passbook/stages/identification/stage.py
@@ -4,14 +4,15 @@ from typing import List, Optional
 from django.contrib import messages
 from django.db.models import Q
 from django.http import HttpResponse
+from django.shortcuts import reverse
 from django.utils.translation import gettext as _
 from django.views.generic import FormView
 from structlog import get_logger
 
 from passbook.core.models import Source, User
+from passbook.flows.models import FlowDesignation
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import AuthenticationStage
-from passbook.lib.config import CONFIG
 from passbook.stages.identification.forms import IdentificationForm
 from passbook.stages.identification.models import IdentificationStage
 
@@ -33,11 +34,16 @@ class IdentificationStageView(FormView, AuthenticationStage):
         return [current_stage.template]
 
     def get_context_data(self, **kwargs):
-        kwargs["config"] = CONFIG.y("passbook")
-        kwargs["title"] = _("Log in to your account")
-        kwargs["primary_action"] = _("Log in")
-        # TODO: show this based on the existence of an enrollment flow
-        kwargs["show_sign_up_notice"] = CONFIG.y("passbook.sign_up.enabled")
+        # Check for related enrollment flow, add URL to view
+        enrollment_flow = self.executor.flow.related_flow(FlowDesignation.ENROLLMENT)
+        if enrollment_flow:
+            url = reverse(
+                "passbook_flows:flow-executor",
+                kwargs={"flow_slug": enrollment_flow.slug},
+            )
+            kwargs["enroll_url"] = url
+
+        # Check all enabled source, add them if they have a UI Login button.
         kwargs["sources"] = []
         sources = (
             Source.objects.filter(enabled=True).order_by("name").select_subclasses()

From 8de87d9acb8e0f6bdf7783da7731a90b7f279fc0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 18:17:24 +0200
Subject: [PATCH 41/80] stages/identification: test signup notice

---
 passbook/root/settings.py               |  2 +-
 passbook/stages/identification/tests.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index ca5a6c087..c0ffdb0ba 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -358,7 +358,7 @@ TEST_OUTPUT_VERBOSE = 2
 TEST_OUTPUT_FILE_NAME = "unittest.xml"
 
 if any("test" in arg for arg in sys.argv):
-    # LOGGING = None
+    LOGGING = None
     TEST = True
     CELERY_TASK_ALWAYS_EAGER = True
 
diff --git a/passbook/stages/identification/tests.py b/passbook/stages/identification/tests.py
index 3f550478a..4b98a098a 100644
--- a/passbook/stages/identification/tests.py
+++ b/passbook/stages/identification/tests.py
@@ -77,3 +77,19 @@ class TestIdentificationStage(TestCase):
             form_data,
         )
         self.assertEqual(response.status_code, 200)
+
+    def test_enrollment_flow(self):
+        """Test that enrollment flow is linked correctly"""
+        flow = Flow.objects.create(
+            name="enroll-test",
+            slug="unique-string",
+            designation=FlowDesignation.ENROLLMENT,
+        )
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(flow.slug, response.rendered_content)

From 2ffa2fc6b805f114d32b48337e7e6f63e5640b6b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 18:44:58 +0200
Subject: [PATCH 42/80] admin: update templates and stage views

---
 .../admin/templates/administration/base.html  |  6 ++--
 .../templates/administration/flow/list.html   |  4 +--
 .../templates/administration/overview.html    |  6 ++--
 .../templates/administration/policy/list.html |  2 +-
 .../{factor => stage}/list.html               | 30 +++++++++--------
 passbook/admin/views/stages.py                | 32 +++++++++----------
 passbook/core/templates/user/base.html        |  2 +-
 7 files changed, 42 insertions(+), 40 deletions(-)
 rename passbook/admin/templates/administration/{factor => stage}/list.html (73%)

diff --git a/passbook/admin/templates/administration/base.html b/passbook/admin/templates/administration/base.html
index 51240c85e..9bde9d06f 100644
--- a/passbook/admin/templates/administration/base.html
+++ b/passbook/admin/templates/administration/base.html
@@ -59,9 +59,9 @@
                     </a>
                 </li>
                 <li class="pf-c-nav__item">
-                    <a href="{% url 'passbook_admin:factors' %}"
-                        class="pf-c-nav__link {% is_active 'passbook_admin:factors' 'passbook_admin:factor-create' 'passbook_admin:factor-update' 'passbook_admin:factor-delete' %}">
-                        {% trans 'Factors' %}
+                    <a href="{% url 'passbook_admin:stages' %}"
+                        class="pf-c-nav__link {% is_active 'passbook_admin:stages' 'passbook_admin:stage-create' 'passbook_admin:stage-update' 'passbook_admin:stage-delete' %}">
+                        {% trans 'Stages' %}
                     </a>
                 </li>
                 <li class="pf-c-nav__item">
diff --git a/passbook/admin/templates/administration/flow/list.html b/passbook/admin/templates/administration/flow/list.html
index c22b38dea..8d1691686 100644
--- a/passbook/admin/templates/administration/flow/list.html
+++ b/passbook/admin/templates/administration/flow/list.html
@@ -26,7 +26,7 @@
                 <tr role="row">
                     <th role="columnheader" scope="col">{% trans 'Name' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Designation' %}</th>
-                    <th role="columnheader" scope="col">{% trans 'Factors' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Stages' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Policies' %}</th>
                     <th role="cell"></th>
                 </tr>
@@ -47,7 +47,7 @@
                     </td>
                     <td role="cell">
                         <span>
-                            {{ flow.factors.all|length }}
+                            {{ flow.stages.all|length }}
                         </span>
                     </td>
                     <td role="cell">
diff --git a/passbook/admin/templates/administration/overview.html b/passbook/admin/templates/administration/overview.html
index daf5f7e82..6442081c8 100644
--- a/passbook/admin/templates/administration/overview.html
+++ b/passbook/admin/templates/administration/overview.html
@@ -48,16 +48,16 @@
             </div>
         </a>
 
-        <a href="{% url 'passbook_admin:factors' %}" class="pf-c-card pf-m-hoverable pf-m-compact">
+        <a href="{% url 'passbook_admin:stages' %}" class="pf-c-card pf-m-hoverable pf-m-compact">
             <div class="pf-c-card__head">
                 <div class="pf-c-card__head-main">
-                    <i class="pf-icon pf-icon-plugged"></i> {% trans 'Factors' %}
+                    <i class="pf-icon pf-icon-plugged"></i> {% trans 'Stages' %}
                 </div>
             </div>
             <div class="pf-c-card__body">
                 {% if factor_count < 1 %}
                 <i class="pficon-error-circle-o"></i> {{ factor_count }}
-                <p>{% trans 'No Factors configured. No Users will be able to login.' %}"></p>
+                <p>{% trans 'No Stages configured. No Users will be able to login.' %}"></p>
                 {% else %}
                 <i class="pf-icon pf-icon-ok"></i> {{ factor_count }}
                 {% endif %}
diff --git a/passbook/admin/templates/administration/policy/list.html b/passbook/admin/templates/administration/policy/list.html
index d7b12417e..28f238854 100644
--- a/passbook/admin/templates/administration/policy/list.html
+++ b/passbook/admin/templates/administration/policy/list.html
@@ -10,7 +10,7 @@
             <i class="pf-icon pf-icon-infrastructure"></i>
             {% trans 'Policies' %}
         </h1>
-        <p>{% trans "Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Factors." %}</p>
+        <p>{% trans "Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages." %}</p>
     </div>
 </section>
 <section class="pf-c-page__main-section pf-m-no-padding-mobile">
diff --git a/passbook/admin/templates/administration/factor/list.html b/passbook/admin/templates/administration/stage/list.html
similarity index 73%
rename from passbook/admin/templates/administration/factor/list.html
rename to passbook/admin/templates/administration/stage/list.html
index 77468cb3a..0c8894165 100644
--- a/passbook/admin/templates/administration/factor/list.html
+++ b/passbook/admin/templates/administration/stage/list.html
@@ -9,9 +9,9 @@
     <div class="pf-c-content">
         <h1>
             <i class="pf-icon pf-icon-plugged"></i>
-            {% trans 'Factors' %}
+            {% trans 'Stages' %}
         </h1>
-        <p>{% trans "Factors required for a user to successfully authenticate." %}
+        <p>{% trans "Stages required for a user to successfully authenticate." %}
         </p>
     </div>
 </section>
@@ -27,7 +27,7 @@
                     <ul class="pf-c-dropdown__menu" hidden>
                         {% for type, name in types.items %}
                         <li>
-                            <a class="pf-c-dropdown__menu-item" href="{% url 'passbook_admin:factor-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a>
+                            <a class="pf-c-dropdown__menu-item" href="{% url 'passbook_admin:stage-create' %}?type={{ type }}&back={{ request.get_full_path }}">{{ name }}</a>
                         </li>
                         {% endfor %}
                     </ul>
@@ -39,34 +39,36 @@
             <thead>
                 <tr role="row">
                     <th role="columnheader" scope="col">{% trans 'Name' %}</th>
-                    <th role="columnheader" scope="col">{% trans 'Order' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Flows' %}</th>
                     <th role="columnheader" scope="col">{% trans 'Enabled' %}</th>
                     <th role="cell"></th>
                 </tr>
             </thead>
             <tbody role="rowgroup">
-                {% for factor in object_list %}
+                {% for stage in object_list %}
                 <tr role="row">
                     <th role="columnheader">
                         <div>
-                            <div>{{ factor.name }} ({{ factor.slug }})</div>
-                            <small>{{ factor|verbose_name }}</small>
+                            <div>{{ stage.name }}</div>
+                            <small>{{ stage|verbose_name }}</small>
                         </div>
                     </th>
                     <td role="cell">
-                        <span>
-                            {{ factor.order }}
-                        </span>
+                        <ul>
+                            {% for flow in stage.flow_set.all %}
+                            <li><a href="{% url 'passbook_admin:flow-update' pk=flow.pk %}">{{ flow.slug }}</a></li>
+                            {% endfor %}
+                        </ul>
                     </td>
                     <td role="cell">
                         <span>
-                            {{ factor.enabled }}
+                            {{ stage.enabled }}
                         </span>
                     </td>
                     <td>
-                        <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:factor-update' pk=factor.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
-                        <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:factor-delete' pk=factor.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
-                        {% get_links factor as links %}
+                        <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:stage-update' pk=stage.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                        <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:stage-delete' pk=stage.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                        {% get_links stage as links %}
                         {% for name, href in links.items %}
                         <a class="pf-c-button pf-m-tertiary" href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
                         {% endfor %}
diff --git a/passbook/admin/views/stages.py b/passbook/admin/views/stages.py
index c5623a22e..e60d7aa9f 100644
--- a/passbook/admin/views/stages.py
+++ b/passbook/admin/views/stages.py
@@ -24,12 +24,12 @@ def all_subclasses(cls):
 
 
 class StageListView(LoginRequiredMixin, PermissionListMixin, ListView):
-    """Show list of all flows"""
+    """Show list of all stages"""
 
     model = Stage
-    template_name = "administration/flow/list.html"
-    permission_required = "passbook_core.view_flow"
-    ordering = "order"
+    template_name = "administration/stage/list.html"
+    permission_required = "passbook_flows.view_stage"
+    ordering = "name"
     paginate_by = 40
 
     def get_context_data(self, **kwargs):
@@ -52,21 +52,21 @@ class StageCreateView(
 
     model = Stage
     template_name = "generic/create.html"
-    permission_required = "passbook_core.add_flow"
+    permission_required = "passbook_flows.add_stage"
 
-    success_url = reverse_lazy("passbook_admin:flows")
+    success_url = reverse_lazy("passbook_admin:stages")
     success_message = _("Successfully created Stage")
 
     def get_context_data(self, **kwargs):
         kwargs = super().get_context_data(**kwargs)
-        flow_type = self.request.GET.get("type")
-        model = next(x for x in all_subclasses(Stage) if x.__name__ == flow_type)
+        stage_type = self.request.GET.get("type")
+        model = next(x for x in all_subclasses(Stage) if x.__name__ == stage_type)
         kwargs["type"] = model._meta.verbose_name
         return kwargs
 
     def get_form_class(self):
-        flow_type = self.request.GET.get("type")
-        model = next(x for x in all_subclasses(Stage) if x.__name__ == flow_type)
+        stage_type = self.request.GET.get("type")
+        model = next(x for x in all_subclasses(Stage) if x.__name__ == stage_type)
         if not model:
             raise Http404
         return path_to_class(model.form)
@@ -75,12 +75,12 @@ class StageCreateView(
 class StageUpdateView(
     SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
 ):
-    """Update flow"""
+    """Update stage"""
 
     model = Stage
-    permission_required = "passbook_core.update_application"
+    permission_required = "passbook_flows.update_application"
     template_name = "generic/update.html"
-    success_url = reverse_lazy("passbook_admin:flows")
+    success_url = reverse_lazy("passbook_admin:stages")
     success_message = _("Successfully updated Stage")
 
     def get_form_class(self):
@@ -97,12 +97,12 @@ class StageUpdateView(
 class StageDeleteView(
     SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, DeleteView
 ):
-    """Delete flow"""
+    """Delete stage"""
 
     model = Stage
     template_name = "generic/delete.html"
-    permission_required = "passbook_core.delete_flow"
-    success_url = reverse_lazy("passbook_admin:flows")
+    permission_required = "passbook_flows.delete_stage"
+    success_url = reverse_lazy("passbook_admin:stages")
     success_message = _("Successfully deleted Stage")
 
     def get_object(self, queryset=None):
diff --git a/passbook/core/templates/user/base.html b/passbook/core/templates/user/base.html
index 274d08346..f1267358b 100644
--- a/passbook/core/templates/user/base.html
+++ b/passbook/core/templates/user/base.html
@@ -21,7 +21,7 @@
             {% user_stages as user_stages_loc %}
             {% if user_stages_loc %}
             <section class="pf-c-nav__section">
-                <h2 class="pf-c-nav__section-title">{% trans 'Factors' %}</h2>
+                <h2 class="pf-c-nav__section-title">{% trans 'Stages' %}</h2>
                 <ul class="pf-c-nav__list">
                     {% for stage in user_stages_loc %}
                     <li class="pf-c-nav__item">

From a7567ad8c678315ae92448199fae8fb40afecaed Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 18:45:16 +0200
Subject: [PATCH 43/80] stages/identification: add recovery support

---
 passbook/core/templates/login/base.html | 11 ++++++++++-
 passbook/stages/identification/stage.py | 11 ++++++++---
 passbook/stages/identification/tests.py | 18 +++++++++++++++++-
 3 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/passbook/core/templates/login/base.html b/passbook/core/templates/login/base.html
index 15f99a209..6d1070dae 100644
--- a/passbook/core/templates/login/base.html
+++ b/passbook/core/templates/login/base.html
@@ -63,12 +63,21 @@
                     </li>
                     {% endfor %}
                 </ul>
-                {% if enroll_url %}
+                {% if enroll_url or recovery_url %}
                 <div class="pf-c-login__main-footer-band">
+                    {% if enroll_url %}
                     <p class="pf-c-login__main-footer-band-item">
                         {% trans 'Need an account?' %}
                         <a href="{{ enroll_url }}">{% trans 'Sign up.' %}</a>
                     </p>
+                    {% endif %}
+                    {% if recovery_url %}
+                    <p class="pf-c-login__main-footer-band-item">
+                        <a href="{{ recovery_url }}">
+                            {% trans 'Forgot username or password?' %}
+                        </a>
+                    </p>
+                    {% endif %}
                 </div>
                 {% endif %}
             </footer>
diff --git a/passbook/stages/identification/stage.py b/passbook/stages/identification/stage.py
index 81ca912f5..5c1a05e0a 100644
--- a/passbook/stages/identification/stage.py
+++ b/passbook/stages/identification/stage.py
@@ -34,14 +34,19 @@ class IdentificationStageView(FormView, AuthenticationStage):
         return [current_stage.template]
 
     def get_context_data(self, **kwargs):
-        # Check for related enrollment flow, add URL to view
+        # Check for related enrollment and recovery flow, add URL to view
         enrollment_flow = self.executor.flow.related_flow(FlowDesignation.ENROLLMENT)
         if enrollment_flow:
-            url = reverse(
+            kwargs["enroll_url"] = reverse(
                 "passbook_flows:flow-executor",
                 kwargs={"flow_slug": enrollment_flow.slug},
             )
-            kwargs["enroll_url"] = url
+        recovery_flow = self.executor.flow.related_flow(FlowDesignation.RECOVERY)
+        if recovery_flow:
+            kwargs["recovery_url"] = reverse(
+                "passbook_flows:flow-executor",
+                kwargs={"flow_slug": recovery_flow.slug},
+            )
 
         # Check all enabled source, add them if they have a UI Login button.
         kwargs["sources"] = []
diff --git a/passbook/stages/identification/tests.py b/passbook/stages/identification/tests.py
index 4b98a098a..f3389c1ec 100644
--- a/passbook/stages/identification/tests.py
+++ b/passbook/stages/identification/tests.py
@@ -82,7 +82,7 @@ class TestIdentificationStage(TestCase):
         """Test that enrollment flow is linked correctly"""
         flow = Flow.objects.create(
             name="enroll-test",
-            slug="unique-string",
+            slug="unique-enrollment-string",
             designation=FlowDesignation.ENROLLMENT,
         )
 
@@ -93,3 +93,19 @@ class TestIdentificationStage(TestCase):
         )
         self.assertEqual(response.status_code, 200)
         self.assertIn(flow.slug, response.rendered_content)
+
+    def test_recovery_flow(self):
+        """Test that recovery flow is linked correctly"""
+        flow = Flow.objects.create(
+            name="enroll-test",
+            slug="unique-recovery-string",
+            designation=FlowDesignation.RECOVERY,
+        )
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(flow.slug, response.rendered_content)

From 99bab03cce9b8fd1b59b1b5c6d81728fdc93ddb8 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 20:15:24 +0200
Subject: [PATCH 44/80] flows: add check if current plan matches current flow

---
 passbook/flows/planner.py                     | 11 ++++---
 passbook/flows/views.py                       | 18 ++++++++---
 ..._remove_passwordstage_password_policies.py | 14 +++++++++
 passbook/stages/password/tests.py             | 10 +++---
 .../migrations/0002_auto_20200510_1648.py     | 31 +++++++++++++++++++
 passbook/stages/prompt/tests.py               |  4 +--
 passbook/stages/user_create/tests.py          |  4 +--
 passbook/stages/user_login/tests.py           |  6 ++--
 8 files changed, 77 insertions(+), 21 deletions(-)
 create mode 100644 passbook/stages/password/migrations/0002_remove_passwordstage_password_policies.py
 create mode 100644 passbook/stages/prompt/migrations/0002_auto_20200510_1648.py

diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
index 48cb380f6..5ed272888 100644
--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -21,6 +21,7 @@ class FlowPlan:
     """This data-class is the output of a FlowPlanner. It holds a flat list
     of all Stages that should be run."""
 
+    flow_pk: str
     stages: List[Stage] = field(default_factory=list)
     context: Dict[str, Any] = field(default_factory=dict)
 
@@ -46,9 +47,9 @@ class FlowPlanner:
     def plan(self, request: HttpRequest) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
-        LOGGER.debug("Starting planning process", flow=self.flow)
+        LOGGER.debug("f(plan): Starting planning process", flow=self.flow)
         start_time = time()
-        plan = FlowPlan()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex)
         # First off, check the flow's direct policy bindings
         # to make sure the user even has access to the flow
         root_passing, root_passing_messages = self._check_flow_root_policies(request)
@@ -65,11 +66,13 @@ class FlowPlanner:
             engine.build()
             passing, _ = engine.result
             if passing:
-                LOGGER.debug("Stage passing", stage=stage)
+                LOGGER.debug("f(plan): Stage passing", stage=stage)
                 plan.stages.append(stage)
         end_time = time()
         LOGGER.debug(
-            "Finished planning", flow=self.flow, duration_s=end_time - start_time
+            "f(plan): Finished planning",
+            flow=self.flow,
+            duration_s=end_time - start_time,
         )
         if not plan.stages:
             raise EmptyFlowException()
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index a7a54d85a..d687c8800 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -63,7 +63,20 @@ class FlowExecutorView(View):
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
         # Early check if theres an active Plan for the current session
-        if SESSION_KEY_PLAN not in self.request.session:
+        if SESSION_KEY_PLAN in self.request.session:
+            self.plan = self.request.session[SESSION_KEY_PLAN]
+            if self.plan.flow_pk != self.flow.pk.hex:
+                LOGGER.warning(
+                    "f(exec): Found existing plan for other flow, deleteing plan",
+                    flow_slug=flow_slug,
+                )
+                # Existing plan is deleted from session and instance
+                self.plan = None
+                self.cancel()
+            LOGGER.debug("f(exec): Continuing existing plan", flow_slug=flow_slug)
+
+        # Don't check session again as we've either already loaded the plan or we need to plan
+        if not self.plan:
             LOGGER.debug(
                 "f(exec): No active Plan found, initiating planner", flow_slug=flow_slug
             )
@@ -75,9 +88,6 @@ class FlowExecutorView(View):
             except EmptyFlowException as exc:
                 LOGGER.warning("f(exec): Flow is empty", exc=exc)
                 return self.handle_invalid_flow(exc)
-        else:
-            LOGGER.debug("f(exec): Continuing existing plan", flow_slug=flow_slug)
-            self.plan = self.request.session[SESSION_KEY_PLAN]
         # We don't save the Plan after getting the next stage
         # as it hasn't been successfully passed yet
         self.current_stage = self.plan.next()
diff --git a/passbook/stages/password/migrations/0002_remove_passwordstage_password_policies.py b/passbook/stages/password/migrations/0002_remove_passwordstage_password_policies.py
new file mode 100644
index 000000000..2eff28c5d
--- /dev/null
+++ b/passbook/stages/password/migrations/0002_remove_passwordstage_password_policies.py
@@ -0,0 +1,14 @@
+# Generated by Django 3.0.5 on 2020-05-10 16:48
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_password", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.RemoveField(model_name="passwordstage", name="password_policies",),
+    ]
diff --git a/passbook/stages/password/tests.py b/passbook/stages/password/tests.py
index 1a98333e4..82cb4d947 100644
--- a/passbook/stages/password/tests.py
+++ b/passbook/stages/password/tests.py
@@ -42,7 +42,7 @@ class TestPasswordStage(TestCase):
 
     def test_without_user(self):
         """Test without user"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -59,7 +59,7 @@ class TestPasswordStage(TestCase):
 
     def test_valid_password(self):
         """Test with a valid pending user and valid password"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
@@ -77,7 +77,7 @@ class TestPasswordStage(TestCase):
 
     def test_invalid_password(self):
         """Test with a valid pending user and invalid password"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
@@ -99,9 +99,7 @@ class TestPasswordStage(TestCase):
     def test_permission_denied(self):
         """Test with a valid pending user and valid password.
         Backend is patched to return PermissionError"""
-        # from django.contrib.auth.backends import ModelBackend
-        # ModelBackend().authenticate()
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
diff --git a/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py b/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py
new file mode 100644
index 000000000..439e201f1
--- /dev/null
+++ b/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py
@@ -0,0 +1,31 @@
+# Generated by Django 3.0.5 on 2020-05-10 16:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_prompt", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="prompt",
+            options={"verbose_name": "Prompt", "verbose_name_plural": "Prompts"},
+        ),
+        migrations.AlterField(
+            model_name="prompt",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("text", "Text"),
+                    ("e-mail", "Email"),
+                    ("password", "Password"),
+                    ("number", "Number"),
+                    ("hidden", "Hidden"),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]
diff --git a/passbook/stages/prompt/tests.py b/passbook/stages/prompt/tests.py
index f94decf4a..3551a2e47 100644
--- a/passbook/stages/prompt/tests.py
+++ b/passbook/stages/prompt/tests.py
@@ -97,7 +97,7 @@ class TestPromptStage(TestCase):
 
     def test_render(self):
         """Test render of form, check if all prompts are rendered correctly"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -121,7 +121,7 @@ class TestPromptStage(TestCase):
 
     def test_valid_form_request(self):
         """Test a request with valid form data"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
diff --git a/passbook/stages/user_create/tests.py b/passbook/stages/user_create/tests.py
index d0f21ba88..ae0295822 100644
--- a/passbook/stages/user_create/tests.py
+++ b/passbook/stages/user_create/tests.py
@@ -34,7 +34,7 @@ class TestUserCreateStage(TestCase):
 
     def test_valid_create(self):
         """Test creation of user"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PROMPT] = {
             "username": "test-user",
             "name": "name",
@@ -59,7 +59,7 @@ class TestUserCreateStage(TestCase):
 
     def test_without_data(self):
         """Test without data results in error"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
diff --git a/passbook/stages/user_login/tests.py b/passbook/stages/user_login/tests.py
index 83bb38b74..59b988d2b 100644
--- a/passbook/stages/user_login/tests.py
+++ b/passbook/stages/user_login/tests.py
@@ -29,7 +29,7 @@ class TestUserLoginStage(TestCase):
 
     def test_valid_password(self):
         """Test with a valid pending user and backend"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         plan.context[
             PLAN_CONTEXT_AUTHENTICATION_BACKEND
@@ -48,7 +48,7 @@ class TestUserLoginStage(TestCase):
 
     def test_without_user(self):
         """Test a plan without any pending user, resulting in a denied"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -63,7 +63,7 @@ class TestUserLoginStage(TestCase):
 
     def test_without_backend(self):
         """Test a plan with pending user, without backend, resulting in a denied"""
-        plan = FlowPlan(stages=[self.stage])
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan

From e989c617934e18bb047e7a91ef86e742632aca2e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 20:15:56 +0200
Subject: [PATCH 45/80] core: reduce default nonce time to 30 minutes

---
 passbook/core/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/passbook/core/models.py b/passbook/core/models.py
index 7cb523113..a415fcc75 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -32,7 +32,7 @@ NATIVE_ENVIRONMENT = NativeEnvironment()
 
 def default_nonce_duration():
     """Default duration a Nonce is valid"""
-    return now() + timedelta(hours=4)
+    return now() + timedelta(minutes=30)
 
 
 class Group(ExportModelOperationsMixin("group"), UUIDModel):

From a67c53f46a4720fea7c0f1e8952f37900d3f7abf Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 20:16:58 +0200
Subject: [PATCH 46/80] stages/email: start rewriting templates, add template
 tags to embed CSS and images

---
 .../email/account_password_reset.html         |  77 -----
 passbook/core/templates/email/base.html       | 129 -------
 passbook/lib/templatetags/inline.py           |  20 --
 passbook/root/settings.py                     |   1 +
 passbook/stages/email/stage.py                |  37 +-
 .../email/static/stages/email/css/base.css    | 325 ++++++++++++++++++
 passbook/stages/email/tasks.py                |  15 +-
 .../email/for_email}/account_confirm.html     |   0
 .../stages/email/for_email/base.html          |  65 ++++
 .../email/for_email}/generic_email.html       |   0
 .../email/for_email/password_reset.html       |  41 +++
 .../stages/email/waiting_message.html         |   1 +
 .../stages/email/templatetags/__init__.py     |   0
 .../templatetags/passbook_stages_email.py     |  30 ++
 passbook/stages/email/utils.py                |  34 +-
 15 files changed, 499 insertions(+), 276 deletions(-)
 delete mode 100644 passbook/core/templates/email/account_password_reset.html
 delete mode 100644 passbook/core/templates/email/base.html
 delete mode 100644 passbook/lib/templatetags/inline.py
 create mode 100644 passbook/stages/email/static/stages/email/css/base.css
 rename passbook/{core/templates/email => stages/email/templates/stages/email/for_email}/account_confirm.html (100%)
 create mode 100644 passbook/stages/email/templates/stages/email/for_email/base.html
 rename passbook/{core/templates/email => stages/email/templates/stages/email/for_email}/generic_email.html (100%)
 create mode 100644 passbook/stages/email/templates/stages/email/for_email/password_reset.html
 create mode 100644 passbook/stages/email/templates/stages/email/waiting_message.html
 create mode 100644 passbook/stages/email/templatetags/__init__.py
 create mode 100644 passbook/stages/email/templatetags/passbook_stages_email.py

diff --git a/passbook/core/templates/email/account_password_reset.html b/passbook/core/templates/email/account_password_reset.html
deleted file mode 100644
index 827ab9716..000000000
--- a/passbook/core/templates/email/account_password_reset.html
+++ /dev/null
@@ -1,77 +0,0 @@
-{% extends "email/base.html" %}
-
-{% load utils %}
-{% load i18n %}
-
-{% block pre_header %}
-{% trans "Looks like you tried signing in a few too many times. Let's see if we can get you back into your account." %}
-{% endblock %}
-
-{% block content %}
-<!-- HERO -->
-<tr>
-  <td bgcolor="#7c72dc" align="center" style="padding: 0px 10px 0px 10px;">
-    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
-      <tr>
-        <td bgcolor="#ffffff" align="center" valign="top" style="padding: 40px 20px 20px 20px; border-radius: 4px 4px 0px 0px; color: #111111; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 48px; font-weight: 400; letter-spacing: 4px; line-height: 48px;">
-          <h1 style="font-size: 48px; font-weight: 400; margin: 0;">{% trans 'Trouble signing in?' %}</h1>
-        </td>
-      </tr>
-    </table>
-  </td>
-</tr>
-<!-- COPY BLOCK -->
-<tr>
-  <td bgcolor="#f4f4f4" align="center" style="padding: 0px 10px 0px 10px;">
-    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
-      <!-- COPY -->
-      <tr>
-        <td bgcolor="#ffffff" align="left" style="padding: 20px 30px 40px 30px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
-          <p style="margin: 0;">{% trans "Resetting your password is easy. Just press the button below and follow the instructions. We'll have you up and running in no time." %}</p>
-        </td>
-      </tr>
-      <!-- BULLETPROOF BUTTON -->
-      <tr>
-        <td bgcolor="#ffffff" align="left">
-          <table width="100%" border="0" cellspacing="0" cellpadding="0">
-            <tr>
-              <td bgcolor="#ffffff" align="center" style="padding: 20px 30px 60px 30px;">
-                <table border="0" cellspacing="0" cellpadding="0">
-                  <tr>
-                    <td align="center" style="border-radius: 3px;" bgcolor="#7c72dc"><a href="{{ url }}" target="_blank" style="font-size: 20px; font-family: Helvetica, Arial, sans-serif; color: #ffffff; text-decoration: none; color: #ffffff; text-decoration: none; padding: 15px 25px; border-radius: 2px; border: 1px solid #7c72dc; display: inline-block;">{% trans 'Reset Password' %}</a></td>
-                  </tr>
-                </table>
-              </td>
-            </tr>
-          </table>
-        </td>
-      </tr>
-    </table>
-  </td>
-</tr>
-<!-- COPY CALLOUT -->
-<tr>
-  <td bgcolor="#f4f4f4" align="center" style="padding: 0px 10px 0px 10px;">
-    <table border="0" cellpadding="0" cellspacing="0" width="600" class="wrapper">
-      <!-- HEADLINE -->
-      <tr>
-        <td bgcolor="#111111" align="left" style="padding: 40px 30px 20px 30px; color: #ffffff; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
-          <h2 style="font-size: 24px; font-weight: 400; margin: 0;">{% trans 'Want a more secure account?' %}</h2>
-        </td>
-      </tr>
-      <!-- COPY -->
-      <tr>
-        <td bgcolor="#111111" align="left" style="padding: 0px 30px 20px 30px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
-          <p style="margin: 0;">{% trans 'We support two-factor authentication to help keep your information private.' %}</p>
-        </td>
-      </tr>
-      <!-- COPY -->
-      <tr>
-        <td bgcolor="#111111" align="left" style="padding: 0px 30px 40px 30px; border-radius: 0px 0px 4px 4px; color: #666666; font-family: 'Lato', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
-          <p style="margin: 0;"><a href="http://litmus.com" target="_blank" style="color: #7c72dc;">{% trans 'See how easy it is to get started' %}</a></p>
-        </td>
-      </tr>
-    </table>
-  </td>
-</tr>
-{% endblock %}
diff --git a/passbook/core/templates/email/base.html b/passbook/core/templates/email/base.html
deleted file mode 100644
index 86b82f8ae..000000000
--- a/passbook/core/templates/email/base.html
+++ /dev/null
@@ -1,129 +0,0 @@
-{% load inline %}
-{% load utils %}
-{% load static %}
-{% load i18n %}
-<!DOCTYPE html>
-<html>
-<head>
-    <title>passbook</title>
-    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
-    <style type="text/css">
-        /* CLIENT-SPECIFIC STYLES */
-        body, table, td, a {
-            -webkit-text-size-adjust: 100%;
-            -ms-text-size-adjust: 100%;
-        }
-
-        table, td {
-            mso-table-lspace: 0pt;
-            mso-table-rspace: 0pt;
-        }
-
-        img {
-            -ms-interpolation-mode: bicubic;
-        }
-
-        /* RESET STYLES */
-        img {
-            border: 0;
-            height: auto;
-            line-height: 100%;
-            outline: none;
-            text-decoration: none;
-        }
-
-        table {
-            border-collapse: collapse !important;
-        }
-
-        body {
-            height: 100% !important;
-            margin: 0 !important;
-            padding: 0 !important;
-            width: 100% !important;
-        }
-
-        /* iOS BLUE LINKS */
-        a[x-apple-data-detectors] {
-            color: inherit !important;
-            text-decoration: none !important;
-            font-size: inherit !important;
-            font-family: inherit !important;
-            font-weight: inherit !important;
-            line-height: inherit !important;
-        }
-
-        /* ANDROID CENTER FIX */
-        div[style*="margin: 16px 0;"] {
-            margin: 0 !important;
-        }
-    </style>
-    </head>
-
-    <body style="background-color: #1b2a32; margin: 0 !important; padding: 0 !important;">
-
-        <!-- HIDDEN PREHEADER TEXT -->
-        <div style="display: none; font-size: 1px; color: #fefefe; line-height: 1px; font-family: 'Metropolis', Helvetica, Arial, sans-serif; max-height: 0px; max-width: 0px; opacity: 0; overflow: hidden;">
-            {% block pre_header %}
-            {% endblock %}
-        </div>
-
-        <table border="0" cellpadding="0" cellspacing="0" width="100%">
-            <!-- LOGO -->
-            <tr>
-                <td bgcolor="#3625b7" align="center">
-                    <table border="0" cellpadding="0" cellspacing="0" width="480">
-                        <tr>
-                            <td align="center" valign="top" style="padding: 40px 10px 40px 10px;">
-                                <a href="" target="_blank">
-                                    <img alt="Logo" src="{% inline_static 'assets/dark.svg' %}" width="64" height="64"
-                                    style="display: block; width: 64px; max-width: 64px; min-width: 64px; font-family: 'Metropolis', Helvetica, Arial, sans-serif; color: #ffffff; font-size: 18px;"
-                                    border="0">
-                                </a>
-                            </td>
-                        </tr>
-                    </table>
-                </td>
-            </tr>
-            {% block content %}
-            {% endblock %}
-            <!-- SUPPORT CALLOUT -->
-            <!-- <tr>
-                <td bgcolor="#1b2a32" align="center" style="padding: 30px 10px 0px 10px;">
-                    <table border="0" cellpadding="0" cellspacing="0" width="480">
-                        HEADLINE
-                        <tr>
-                            <td bgcolor="#566572" align="center" style="padding: 30px 30px 30px 30px; border-radius: 4px 4px 4px 4px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 18px; font-weight: 400; line-height: 25px;">
-                                <h2 style="font-size: 20px; font-weight: 400; color: ##E9ECEF; margin: 0;">Need more help?</h2>
-                                <p style="margin: 0;"><a href="http://litmus.com" target="_blank" style="color: #3625b7;">We&rsquo;re
-                                    here, ready to talk</a></p>
-                            </td>
-                        </tr>
-                    </table>
-                </td>
-            </tr> -->
-            <!-- FOOTER -->
-            <tr>
-                <td bgcolor="#1b2a32" align="center" style="padding: 0px 10px 0px 10px;">
-                    <table border="0" cellpadding="0" cellspacing="0" width="480">
-                        <!-- NAVIGATION -->
-                        <tr>
-                            <td bgcolor="#1b2a32" align="left" style="padding: 30px 30px 30px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 14px; font-weight: 400; line-height: 18px;">
-                                <p style="margin: 0;">
-                                </p>
-                            </td>
-                        </tr>
-                        <!-- ADDRESS -->
-                        <tr>
-                            <td bgcolor="#1b2a32" align="left" style="padding: 0px 30px 30px 30px; color: #E9ECEF; font-family: 'Metropolis', Helvetica, Arial, sans-serif; font-size: 14px; font-weight: 400; line-height: 18px;">
-                                <p style="margin: 0;"><a href="passbook">passbook</a></p>
-                            </td>
-                        </tr>
-                    </table>
-                </td>
-            </tr>
-        </table>
-    </body>
-</html>
diff --git a/passbook/lib/templatetags/inline.py b/passbook/lib/templatetags/inline.py
deleted file mode 100644
index 9e805e523..000000000
--- a/passbook/lib/templatetags/inline.py
+++ /dev/null
@@ -1,20 +0,0 @@
-"""passbook core inlining template tags"""
-import os
-
-from django import template
-from django.conf import settings
-
-register = template.Library()
-
-
-@register.simple_tag()
-def inline_static(path):
-    """Inline static asset. If file is binary, return b64 representation"""
-    prefix = "data:image/svg+xml;utf8,"
-    data = ""
-    full_path = settings.STATIC_ROOT + "/" + path
-    if os.path.exists(full_path):
-        if full_path.endswith(".svg"):
-            with open(full_path) as _file:
-                data = _file.read()
-    return prefix + data
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index c0ffdb0ba..b711f396b 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -75,6 +75,7 @@ INSTALLED_APPS = [
     "django.contrib.messages",
     "django.contrib.staticfiles",
     "django.contrib.postgres",
+    "django.contrib.humanize",
     "rest_framework",
     "drf_yasg",
     "guardian",
diff --git a/passbook/stages/email/stage.py b/passbook/stages/email/stage.py
index 129e57d4f..76cb97726 100644
--- a/passbook/stages/email/stage.py
+++ b/passbook/stages/email/stage.py
@@ -1,14 +1,17 @@
 """passbook multi-stage authentication engine"""
+from datetime import timedelta
+from urllib.parse import quote
+
 from django.contrib import messages
 from django.http import HttpRequest
 from django.shortcuts import reverse
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from structlog import get_logger
 
 from passbook.core.models import Nonce
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import AuthenticationStage
-from passbook.lib.config import CONFIG
 from passbook.stages.email.tasks import send_mails
 from passbook.stages.email.utils import TemplateEmailMessage
 
@@ -18,32 +21,40 @@ LOGGER = get_logger()
 class EmailStageView(AuthenticationStage):
     """E-Mail stage which sends E-Mail for verification"""
 
-    def get_context_data(self, **kwargs):
-        kwargs["show_password_forget_notice"] = CONFIG.y(
-            "passbook.password_reset.enabled"
-        )
-        return super().get_context_data(**kwargs)
+    template_name = "stages/email/waiting_message.html"
 
     def get(self, request, *args, **kwargs):
+        # TODO: Form to make sure email is only sent once
         pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
-        nonce = Nonce.objects.create(user=pending_user)
+        # TODO: Get expiry from Stage setting
+        valid_delta = timedelta(
+            minutes=31
+        )  # 31 because django timesince always rounds down
+        nonce = Nonce.objects.create(user=pending_user, expires=now() + valid_delta)
         # Send mail to user
         message = TemplateEmailMessage(
-            subject=_("Forgotten password"),
-            template_name="email/account_password_reset.html",
+            subject=_("passbook - Password Recovery"),
+            template_name="stages/email/for_email/password_reset.html",
             to=[pending_user.email],
             template_context={
                 "url": self.request.build_absolute_uri(
                     reverse(
-                        "passbook_core:auth-password-reset",
-                        kwargs={"nonce": nonce.uuid},
+                        "passbook_flows:flow-executor",
+                        kwargs={"flow_slug": self.executor.flow.slug},
                     )
-                )
+                    + "?token="
+                    + quote(nonce.uuid.hex)
+                ),
+                "user": pending_user,
+                "expires": nonce.expires,
             },
         )
         send_mails(self.executor.current_stage, message)
         messages.success(request, _("Check your E-Mails for a password reset link."))
-        return self.executor.cancel()
+        # We can't call stage_ok yet, as we're still waiting
+        # for the user to click the link in the email
+        # return self.executor.stage_ok()
+        return super().get(request, *args, **kwargs)
 
     def post(self, request: HttpRequest):
         """Just redirect to next stage"""
diff --git a/passbook/stages/email/static/stages/email/css/base.css b/passbook/stages/email/static/stages/email/css/base.css
new file mode 100644
index 000000000..6f624e138
--- /dev/null
+++ b/passbook/stages/email/static/stages/email/css/base.css
@@ -0,0 +1,325 @@
+/* -------------------------------------
+GLOBAL RESETS
+------------------------------------- */
+
+/*All the styling goes here*/
+
+img {
+    border: none;
+    -ms-interpolation-mode: bicubic;
+    max-width: 100%;
+}
+
+body {
+    background-color: #fafafa;
+    font-family: sans-serif;
+    -webkit-font-smoothing: antialiased;
+    font-size: 14px;
+    line-height: 1.4;
+    margin: 0;
+    padding: 0;
+    -ms-text-size-adjust: 100%;
+    -webkit-text-size-adjust: 100%;
+}
+
+table {
+    border-collapse: separate;
+    mso-table-lspace: 0pt;
+    mso-table-rspace: 0pt;
+    width: 100%; }
+    table td {
+        font-family: sans-serif;
+        font-size: 14px;
+        vertical-align: top;
+    }
+
+    /* -------------------------------------
+    BODY & CONTAINER
+    ------------------------------------- */
+
+    .body {
+        background-color: #fafafa;
+        width: 100%;
+    }
+
+    /* Set a max-width, and make it display as block so it will automatically stretch to that width, but will also shrink down on a phone or something */
+    .container {
+        display: block;
+        margin: 0 auto !important;
+        /* makes it centered */
+        max-width: 580px;
+        padding: 10px;
+        width: 580px;
+    }
+
+    /* This should also be a block element, so that it will fill 100% of the .container */
+    .content {
+        box-sizing: border-box;
+        display: block;
+        margin: 0 auto;
+        max-width: 580px;
+        padding: 10px;
+    }
+
+    /* -------------------------------------
+    HEADER, FOOTER, MAIN
+    ------------------------------------- */
+    .main {
+        background: #ffffff;
+        border-radius: 3px;
+        width: 100%;
+    }
+
+    .wrapper {
+        box-sizing: border-box;
+        padding: 20px;
+    }
+
+    .content-block {
+        padding-bottom: 10px;
+        padding-top: 10px;
+    }
+
+    .footer {
+        clear: both;
+        margin-top: 10px;
+        text-align: center;
+        width: 100%;
+    }
+    .footer td,
+    .footer p,
+    .footer span,
+    .footer a {
+        color: #999999;
+        font-size: 12px;
+        text-align: center;
+    }
+
+    /* -------------------------------------
+    TYPOGRAPHY
+    ------------------------------------- */
+    h1,
+    h2,
+    h3,
+    h4 {
+        color: #000000;
+        font-family: sans-serif;
+        font-weight: 400;
+        line-height: 1.4;
+        margin: 0;
+        margin-bottom: 30px;
+    }
+
+    h1 {
+        font-size: 35px;
+        font-weight: 300;
+        text-align: center;
+        text-transform: capitalize;
+    }
+
+    p,
+    ul,
+    ol {
+        font-family: sans-serif;
+        font-size: 14px;
+        font-weight: normal;
+        margin: 0;
+        margin-bottom: 15px;
+    }
+    p li,
+    ul li,
+    ol li {
+        list-style-position: inside;
+        margin-left: 5px;
+    }
+
+    a {
+        color: #06c;
+        border-radius: 3px;
+        text-decoration: underline;
+    }
+
+    /* -------------------------------------
+    BUTTONS
+    ------------------------------------- */
+    .btn {
+        box-sizing: border-box;
+        width: 100%; }
+        .btn > tbody > tr > td {
+            padding-bottom: 15px; }
+            .btn table {
+                width: auto;
+            }
+            .btn table td {
+                background-color: #ffffff;
+                border-radius: 5px;
+                text-align: center;
+            }
+            .btn a {
+                background-color: #ffffff;
+                border: solid 1px #06c;
+                border-radius: 5px;
+                box-sizing: border-box;
+                color: #06c;
+                cursor: pointer;
+                display: inline-block;
+                font-size: 14px;
+                font-weight: bold;
+                margin: 0;
+                padding: 12px 25px;
+                text-decoration: none;
+                text-transform: capitalize;
+            }
+
+            .btn-primary table td {
+                background-color: #06c;
+            }
+
+            .btn-primary a {
+                background-color: #06c;
+                border-color: #06c;
+                color: #ffffff;
+            }
+
+            /* -------------------------------------
+            OTHER STYLES THAT MIGHT BE USEFUL
+            ------------------------------------- */
+            .last {
+                margin-bottom: 0;
+            }
+
+            .first {
+                margin-top: 0;
+            }
+
+            .align-center {
+                text-align: center;
+            }
+
+            .align-right {
+                text-align: right;
+            }
+
+            .align-left {
+                text-align: left;
+            }
+
+            .clear {
+                clear: both;
+            }
+
+            .mt0 {
+                margin-top: 0;
+            }
+
+            .mb0 {
+                margin-bottom: 0;
+            }
+
+            .preheader {
+                color: transparent;
+                display: none;
+                height: 0;
+                max-height: 0;
+                max-width: 0;
+                opacity: 0;
+                overflow: hidden;
+                mso-hide: all;
+                visibility: hidden;
+                width: 0;
+            }
+
+            .powered-by a {
+                text-decoration: none;
+            }
+
+            hr {
+                border: 0;
+                border-bottom: 1px solid #fafafa;
+                margin: 20px 0;
+            }
+
+            /* -------------------------------------
+            RESPONSIVE AND MOBILE FRIENDLY STYLES
+            ------------------------------------- */
+            @media only screen and (max-width: 620px) {
+                table[class=body] h1 {
+                    font-size: 28px !important;
+                    margin-bottom: 10px !important;
+                }
+                table[class=body] p,
+                table[class=body] ul,
+                table[class=body] ol,
+                table[class=body] td,
+                table[class=body] span,
+                table[class=body] a {
+                    font-size: 16px !important;
+                }
+                table[class=body] .wrapper,
+                table[class=body] .article {
+                    padding: 10px !important;
+                }
+                table[class=body] .content {
+                    padding: 0 !important;
+                }
+                table[class=body] .container {
+                    padding: 0 !important;
+                    width: 100% !important;
+                }
+                table[class=body] .main {
+                    border-left-width: 0 !important;
+                    border-radius: 0 !important;
+                    border-right-width: 0 !important;
+                }
+                table[class=body] .btn table {
+                    width: 100% !important;
+                }
+                table[class=body] .btn a {
+                    width: 100% !important;
+                }
+                table[class=body] .img-responsive {
+                    height: auto !important;
+                    max-width: 100% !important;
+                    width: auto !important;
+                }
+            }
+
+            /* -------------------------------------
+            PRESERVE THESE STYLES IN THE HEAD
+            ------------------------------------- */
+            @media all {
+                .ExternalClass {
+                    width: 100%;
+                }
+                .ExternalClass,
+                .ExternalClass p,
+                .ExternalClass span,
+                .ExternalClass font,
+                .ExternalClass td,
+                .ExternalClass div {
+                    line-height: 100%;
+                }
+                .apple-link a {
+                    color: inherit !important;
+                    font-family: inherit !important;
+                    font-size: inherit !important;
+                    font-weight: inherit !important;
+                    line-height: inherit !important;
+                    text-decoration: none !important;
+                }
+                #MessageViewBody a {
+                    color: inherit;
+                    text-decoration: none;
+                    font-size: inherit;
+                    font-family: inherit;
+                    font-weight: inherit;
+                    line-height: inherit;
+                }
+                .btn-primary table td:hover {
+                    background-color: #34495e !important;
+                }
+                .btn-primary a:hover {
+                    background-color: #34495e !important;
+                    border-color: #34495e !important;
+                }
+            }
diff --git a/passbook/stages/email/tasks.py b/passbook/stages/email/tasks.py
index 265f69cb2..9ff45eb17 100644
--- a/passbook/stages/email/tasks.py
+++ b/passbook/stages/email/tasks.py
@@ -3,7 +3,7 @@ from smtplib import SMTPException
 from typing import Any, Dict, List
 
 from celery import group
-from django.core.mail import EmailMessage
+from django.core.mail import EmailMultiAlternatives
 from structlog import get_logger
 
 from passbook.root.celery import CELERY_APP
@@ -12,7 +12,7 @@ from passbook.stages.email.models import EmailStage
 LOGGER = get_logger()
 
 
-def send_mails(stage: EmailStage, *messages: List[EmailMessage]):
+def send_mails(stage: EmailStage, *messages: List[EmailMultiAlternatives]):
     """Wrapper to convert EmailMessage to dict and send it from worker"""
     tasks = []
     for message in messages:
@@ -22,7 +22,9 @@ def send_mails(stage: EmailStage, *messages: List[EmailMessage]):
     return promise
 
 
-@CELERY_APP.task(bind=True)
+@CELERY_APP.task(
+    bind=True, autoretry_for=(SMTPException, ConnectionError,), retry_backoff=True
+)
 def _send_mail_task(self, email_stage_pk: int, message: Dict[Any, Any]):
     """Send E-Mail according to EmailStage parameters from background worker.
     Automatically retries if message couldn't be sent."""
@@ -31,14 +33,11 @@ def _send_mail_task(self, email_stage_pk: int, message: Dict[Any, Any]):
     backend.open()
     # Since django's EmailMessage objects are not JSON serialisable,
     # we need to rebuild them from a dict
-    message_object = EmailMessage()
+    message_object = EmailMultiAlternatives()
     for key, value in message.items():
         setattr(message_object, key, value)
     message_object.from_email = stage.from_address
     LOGGER.debug("Sending mail", to=message_object.to)
-    try:
-        num_sent = stage.backend.send_messages([message_object])
-    except SMTPException as exc:
-        raise self.retry(exc=exc)
+    num_sent = stage.backend.send_messages([message_object])
     if num_sent != 1:
         raise self.retry()
diff --git a/passbook/core/templates/email/account_confirm.html b/passbook/stages/email/templates/stages/email/for_email/account_confirm.html
similarity index 100%
rename from passbook/core/templates/email/account_confirm.html
rename to passbook/stages/email/templates/stages/email/for_email/account_confirm.html
diff --git a/passbook/stages/email/templates/stages/email/for_email/base.html b/passbook/stages/email/templates/stages/email/for_email/base.html
new file mode 100644
index 000000000..8677d592a
--- /dev/null
+++ b/passbook/stages/email/templates/stages/email/for_email/base.html
@@ -0,0 +1,65 @@
+{% load passbook_stages_email %}
+{% load utils %}
+{% load static %}
+{% load i18n %}
+
+<!doctype html>
+<html>
+
+<head>
+    <meta name="viewport" content="width=device-width" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Simple Transactional Email</title>
+    <style>{% inline_static_ascii "stages/email/css/base.css" %}</style>
+</head>
+
+<body class="">
+    <span class="preheader">
+        {% block pre_header %}
+        {% endblock %}
+    </span>
+    <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="body">
+        <tr>
+            <td>&nbsp;</td>
+            <td class="container">
+                <div class="content">
+
+                    <!-- START CENTERED WHITE CONTAINER -->
+                    <table role="presentation" class="main">
+                        <img src="{% inline_static_binary "passbook/logo.svg" %}" alt="">
+                        <!-- START MAIN CONTENT AREA -->
+                        <tr>
+                            <td class="wrapper">
+                                <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                                    <tr>
+                                        {% block content %}
+                                        {% endblock %}
+                                    </tr>
+                                </table>
+                            </td>
+                        </tr>
+
+                        <!-- END MAIN CONTENT AREA -->
+                    </table>
+                    <!-- END CENTERED WHITE CONTAINER -->
+
+                    <!-- START FOOTER -->
+                    <div class="footer">
+                        <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+                            <tr>
+                                <td class="content-block powered-by">
+                                    Powered by <a href="https://beryju.github.io/passbook/">passbook</a>.
+                                </td>
+                            </tr>
+                        </table>
+                    </div>
+                    <!-- END FOOTER -->
+
+                </div>
+            </td>
+            <td>&nbsp;</td>
+        </tr>
+    </table>
+</body>
+
+</html>
diff --git a/passbook/core/templates/email/generic_email.html b/passbook/stages/email/templates/stages/email/for_email/generic_email.html
similarity index 100%
rename from passbook/core/templates/email/generic_email.html
rename to passbook/stages/email/templates/stages/email/for_email/generic_email.html
diff --git a/passbook/stages/email/templates/stages/email/for_email/password_reset.html b/passbook/stages/email/templates/stages/email/for_email/password_reset.html
new file mode 100644
index 000000000..deb24fb61
--- /dev/null
+++ b/passbook/stages/email/templates/stages/email/for_email/password_reset.html
@@ -0,0 +1,41 @@
+{% extends "stages/email/for_email/base.html" %}
+
+{% load utils %}
+{% load i18n %}
+{% load humanize %}
+
+{% block content %}
+<td>
+  <h2>
+    {% blocktrans with username=user.username %}
+      Hi {{ username }},
+    {% endblocktrans %}
+  </h2>
+  <p>
+    {% blocktrans %}
+    You recently requested to change your password for you passbook account. Use the button below to set a new password.
+    {% endblocktrans %}
+  </p>
+  <table role="presentation" border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
+    <tbody>
+      <tr>
+        <td align="center">
+          <table role="presentation" border="0" cellpadding="0" cellspacing="0">
+            <tbody>
+              <tr>
+                <td> <a href="{{ url }}" target="_blank">{% trans 'Reset Password' %}</a> </td>
+              </tr>
+            </tbody>
+          </table>
+        </td>
+      </tr>
+    </tbody>
+  </table>
+  <p>
+    {% blocktrans with expires=expires|naturaltime %}
+    If you did not request a password change, please ignore this E-Mail. The link above is valid for {{ expires }}.
+    {% endblocktrans %}
+  </p>
+</td>
+
+{% endblock %}
diff --git a/passbook/stages/email/templates/stages/email/waiting_message.html b/passbook/stages/email/templates/stages/email/waiting_message.html
new file mode 100644
index 000000000..4a4ad8b1d
--- /dev/null
+++ b/passbook/stages/email/templates/stages/email/waiting_message.html
@@ -0,0 +1 @@
+check your emails mate
diff --git a/passbook/stages/email/templatetags/__init__.py b/passbook/stages/email/templatetags/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/email/templatetags/passbook_stages_email.py b/passbook/stages/email/templatetags/passbook_stages_email.py
new file mode 100644
index 000000000..d39668eff
--- /dev/null
+++ b/passbook/stages/email/templatetags/passbook_stages_email.py
@@ -0,0 +1,30 @@
+"""passbook core inlining template tags"""
+import os
+from pathlib import Path
+from typing import Optional
+
+from django import template
+from django.contrib.staticfiles import finders
+
+register = template.Library()
+
+
+@register.simple_tag()
+def inline_static_ascii(path: str) -> Optional[str]:
+    """Inline static asset. Doesn't check file contents, plain text is assumed"""
+    result = finders.find(path)
+    if os.path.exists(result):
+        with open(result) as _file:
+            return _file.read()
+    return None
+
+
+@register.simple_tag()
+def inline_static_binary(path: str) -> Optional[str]:
+    """Inline static asset. Uses file extension for base64 block"""
+    result = finders.find(path)
+    suffix = Path(path).suffix
+    if os.path.exists(result):
+        with open(result) as _file:
+            return f"data:image/{suffix};base64," + _file.read()
+    return None
diff --git a/passbook/stages/email/utils.py b/passbook/stages/email/utils.py
index a94f4c5d6..e46f27d7d 100644
--- a/passbook/stages/email/utils.py
+++ b/passbook/stages/email/utils.py
@@ -8,34 +8,10 @@ class TemplateEmailMessage(EmailMultiAlternatives):
     """Wrapper around EmailMultiAlternatives with integrated template rendering"""
 
     # pylint: disable=too-many-arguments
-    def __init__(
-        self,
-        subject="",
-        body=None,
-        from_email=None,
-        to=None,
-        bcc=None,
-        connection=None,
-        attachments=None,
-        headers=None,
-        cc=None,
-        reply_to=None,
-        template_name=None,
-        template_context=None,
-    ):
+    def __init__(self, template_name=None, template_context=None, **kwargs):
         html_content = render_to_string(template_name, template_context)
-        if not body:
-            body = strip_tags(html_content)
-        super().__init__(
-            subject=subject,
-            body=body,
-            from_email=from_email,
-            to=to,
-            bcc=bcc,
-            connection=connection,
-            attachments=attachments,
-            headers=headers,
-            cc=cc,
-            reply_to=reply_to,
-        )
+        if "body" not in kwargs:
+            kwargs["body"] = strip_tags(html_content)
+        super().__init__(**kwargs)
+        self.content_subtype = "html"
         self.attach_alternative(html_content, "text/html")

From 206cf4967d045a483804d52b4a8747ce8fc3ae47 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 20:17:10 +0200
Subject: [PATCH 47/80] stages/identification: add more templates

---
 passbook/stages/email/stage.py                | 20 +++---
 passbook/stages/email/utils.py                |  1 -
 .../migrations/0004_auto_20200510_1648.py     | 23 +++++++
 passbook/stages/identification/models.py      |  3 +-
 .../stages/identification/login.html          |  1 +
 .../stages/identification/recovery.html       | 68 +++++++++++++++++++
 6 files changed, 105 insertions(+), 11 deletions(-)
 create mode 100644 passbook/stages/identification/migrations/0004_auto_20200510_1648.py
 create mode 100644 passbook/stages/identification/templates/stages/identification/login.html
 create mode 100644 passbook/stages/identification/templates/stages/identification/recovery.html

diff --git a/passbook/stages/email/stage.py b/passbook/stages/email/stage.py
index 76cb97726..10c2a0891 100644
--- a/passbook/stages/email/stage.py
+++ b/passbook/stages/email/stage.py
@@ -1,10 +1,10 @@
 """passbook multi-stage authentication engine"""
 from datetime import timedelta
-from urllib.parse import quote
 
 from django.contrib import messages
 from django.http import HttpRequest
 from django.shortcuts import reverse
+from django.utils.http import urlencode
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from structlog import get_logger
@@ -23,6 +23,15 @@ class EmailStageView(AuthenticationStage):
 
     template_name = "stages/email/waiting_message.html"
 
+    def get_full_url(self, **kwargs) -> str:
+        """Get full URL to be used in template"""
+        base_url = reverse(
+            "passbook_flows:flow-executor",
+            kwargs={"flow_slug": self.executor.flow.slug},
+        )
+        relative_url = f"{base_url}?{urlencode(kwargs)}"
+        return self.request.build_absolute_uri(relative_url)
+
     def get(self, request, *args, **kwargs):
         # TODO: Form to make sure email is only sent once
         pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
@@ -37,14 +46,7 @@ class EmailStageView(AuthenticationStage):
             template_name="stages/email/for_email/password_reset.html",
             to=[pending_user.email],
             template_context={
-                "url": self.request.build_absolute_uri(
-                    reverse(
-                        "passbook_flows:flow-executor",
-                        kwargs={"flow_slug": self.executor.flow.slug},
-                    )
-                    + "?token="
-                    + quote(nonce.uuid.hex)
-                ),
+                "url": self.get_full_url(token=nonce.pk.hex),
                 "user": pending_user,
                 "expires": nonce.expires,
             },
diff --git a/passbook/stages/email/utils.py b/passbook/stages/email/utils.py
index e46f27d7d..b26b9eab6 100644
--- a/passbook/stages/email/utils.py
+++ b/passbook/stages/email/utils.py
@@ -7,7 +7,6 @@ from django.utils.html import strip_tags
 class TemplateEmailMessage(EmailMultiAlternatives):
     """Wrapper around EmailMultiAlternatives with integrated template rendering"""
 
-    # pylint: disable=too-many-arguments
     def __init__(self, template_name=None, template_context=None, **kwargs):
         html_content = render_to_string(template_name, template_context)
         if "body" not in kwargs:
diff --git a/passbook/stages/identification/migrations/0004_auto_20200510_1648.py b/passbook/stages/identification/migrations/0004_auto_20200510_1648.py
new file mode 100644
index 000000000..9c081b969
--- /dev/null
+++ b/passbook/stages/identification/migrations/0004_auto_20200510_1648.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.0.5 on 2020-05-10 16:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_identification", "0003_auto_20200509_2025"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="identificationstage",
+            name="template",
+            field=models.TextField(
+                choices=[
+                    ("stages/identification/login.html", "Default Login"),
+                    ("stages/identification/recovery.html", "Default Recovery"),
+                ]
+            ),
+        ),
+    ]
diff --git a/passbook/stages/identification/models.py b/passbook/stages/identification/models.py
index 40616d0ac..d43b6b15c 100644
--- a/passbook/stages/identification/models.py
+++ b/passbook/stages/identification/models.py
@@ -16,7 +16,8 @@ class UserFields(models.TextChoices):
 class Templates(models.TextChoices):
     """Templates to be used for the stage"""
 
-    DEFAULT_LOGIN = "login/form.html"
+    DEFAULT_LOGIN = "stages/identification/login.html"
+    DEFAULT_RECOVERY = "stages/identification/recovery.html"
 
 
 class IdentificationStage(Stage):
diff --git a/passbook/stages/identification/templates/stages/identification/login.html b/passbook/stages/identification/templates/stages/identification/login.html
new file mode 100644
index 000000000..640765f1e
--- /dev/null
+++ b/passbook/stages/identification/templates/stages/identification/login.html
@@ -0,0 +1 @@
+{% extends 'login/form.html' %}
diff --git a/passbook/stages/identification/templates/stages/identification/recovery.html b/passbook/stages/identification/templates/stages/identification/recovery.html
new file mode 100644
index 000000000..1cf4c4838
--- /dev/null
+++ b/passbook/stages/identification/templates/stages/identification/recovery.html
@@ -0,0 +1,68 @@
+{% extends 'base/skeleton.html' %}
+
+{% load static %}
+{% load i18n %}
+
+{% block body %}
+<div class="pf-c-background-image">
+    <svg xmlns="http://www.w3.org/2000/svg" class="pf-c-background-image__filter" width="0" height="0">
+        <filter id="image_overlay">
+            <feColorMatrix type="matrix" values="1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 1 0"></feColorMatrix>
+            <feComponentTransfer color-interpolation-filters="sRGB" result="duotone">
+                <feFuncR type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncR>
+                <feFuncG type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncG>
+                <feFuncB type="table" tableValues="0.086274509803922 0.43921568627451"></feFuncB>
+                <feFuncA type="table" tableValues="0 1"></feFuncA>
+            </feComponentTransfer>
+        </filter>
+    </svg>
+</div>
+{% include 'partials/messages.html' %}
+<div class="pf-c-login">
+    <div class="pf-c-login__container">
+        <header class="pf-c-login__header">
+            <img class="pf-c-brand" src="{% static 'passbook/logo.svg' %}" style="height: 60px;"
+                alt="passbook icon" />
+            <img class="pf-c-brand" src="{% static 'passbook/brand.svg' %}" style="height: 60px;"
+                alt="passbook branding" />
+        </header>
+        <main class="pf-c-login__main">
+            <header class="pf-c-login__main-header">
+                <h1 class="pf-c-title pf-m-3xl">
+                    {% trans 'Trouble Logging In?' %}
+                </h1>
+            </header>
+            <div class="pf-c-login__main-body">
+                {% block card %}
+                <form method="POST" class="pf-c-form">
+                    {% block above_form %}
+                    {% endblock %}
+
+                    {% include 'partials/form.html' %}
+
+                    {% block beneath_form %}
+                    {% endblock %}
+                    <div class="pf-c-form__group pf-m-action">
+                        <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans primary_action %}</button>
+                    </div>
+                </form>
+                {% endblock %}
+            </div>
+            <footer class="pf-c-login__main-footer">
+                {% if config.login.subtext %}
+                <p>{{ config.login.subtext }}</p>
+                {% endif %}
+            </footer>
+        </main>
+        <footer class="pf-c-login__footer">
+            <p></p>
+            <ul class="pf-c-list pf-m-inline">
+                <li>
+                    <a href="https://beryju.github.io/passbook/">{% trans 'Documentation' %}</a>
+                </li>
+                <!-- TODO: load config.passbook.footer.links -->
+            </ul>
+        </footer>
+    </div>
+</div>
+{% endblock %}

From d4f149bc02859cd2c3f6ceb557f5b7b9ffb2d3f4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 20:50:27 +0200
Subject: [PATCH 48/80] stages/email: add form for sending email to prevent
 spam

stages/email: make token validity configurable
---
 passbook/flows/stage.py                       |  2 +-
 passbook/stages/email/api.py                  |  2 --
 passbook/stages/email/forms.py                | 12 ++++-----
 .../migrations/0002_auto_20200510_1844.py     | 22 ++++++++++++++++
 passbook/stages/email/models.py               |  7 +++---
 passbook/stages/email/stage.py                | 25 +++++++++----------
 .../stages/email/waiting_message.html         | 22 +++++++++++++++-
 passbook/stages/email/utils.py                |  3 ---
 8 files changed, 65 insertions(+), 30 deletions(-)
 create mode 100644 passbook/stages/email/migrations/0002_auto_20200510_1844.py

diff --git a/passbook/flows/stage.py b/passbook/flows/stage.py
index 804f9b325..17bc90adb 100644
--- a/passbook/flows/stage.py
+++ b/passbook/flows/stage.py
@@ -26,7 +26,7 @@ class AuthenticationStage(TemplateView):
 
     def get_context_data(self, **kwargs: Dict[str, Any]) -> Dict[str, Any]:
         kwargs["config"] = CONFIG.y("passbook")
-        kwargs["title"] = _("Log in to your account")
+        kwargs["title"] = self.executor.flow.name
         kwargs["primary_action"] = _("Log in")
         if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
             kwargs["user"] = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
diff --git a/passbook/stages/email/api.py b/passbook/stages/email/api.py
index 14e6c9a3c..063a1020e 100644
--- a/passbook/stages/email/api.py
+++ b/passbook/stages/email/api.py
@@ -22,8 +22,6 @@ class EmailStageSerializer(ModelSerializer):
             "use_ssl",
             "timeout",
             "from_address",
-            "ssl_keyfile",
-            "ssl_certfile",
         ]
         extra_kwargs = {"password": {"write_only": True}}
 
diff --git a/passbook/stages/email/forms.py b/passbook/stages/email/forms.py
index ae93d428e..1ff829215 100644
--- a/passbook/stages/email/forms.py
+++ b/passbook/stages/email/forms.py
@@ -5,6 +5,12 @@ from django.utils.translation import gettext_lazy as _
 from passbook.stages.email.models import EmailStage
 
 
+class EmailStageSendForm(forms.Form):
+    """Form used when sending the e-mail to prevent multiple emails being sent"""
+
+    invalid = forms.CharField(widget=forms.HiddenInput, required=True)
+
+
 class EmailStageForm(forms.ModelForm):
     """Form to create/edit Dummy Stage"""
 
@@ -21,20 +27,14 @@ class EmailStageForm(forms.ModelForm):
             "use_ssl",
             "timeout",
             "from_address",
-            "ssl_keyfile",
-            "ssl_certfile",
         ]
         widgets = {
             "name": forms.TextInput(),
             "host": forms.TextInput(),
             "username": forms.TextInput(),
             "password": forms.TextInput(),
-            "ssl_keyfile": forms.TextInput(),
-            "ssl_certfile": forms.TextInput(),
         }
         labels = {
             "use_tls": _("Use TLS"),
             "use_ssl": _("Use SSL"),
-            "ssl_keyfile": _("SSL Keyfile (optional)"),
-            "ssl_certfile": _("SSL Certfile (optional)"),
         }
diff --git a/passbook/stages/email/migrations/0002_auto_20200510_1844.py b/passbook/stages/email/migrations/0002_auto_20200510_1844.py
new file mode 100644
index 000000000..c7126df7d
--- /dev/null
+++ b/passbook/stages/email/migrations/0002_auto_20200510_1844.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.0.5 on 2020-05-10 18:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_email", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.RemoveField(model_name="emailstage", name="ssl_certfile",),
+        migrations.RemoveField(model_name="emailstage", name="ssl_keyfile",),
+        migrations.AddField(
+            model_name="emailstage",
+            name="token_expiry",
+            field=models.IntegerField(
+                default=30, help_text="Time in minutes the token sent is valid."
+            ),
+        ),
+    ]
diff --git a/passbook/stages/email/models.py b/passbook/stages/email/models.py
index 57a104ed8..914c118ed 100644
--- a/passbook/stages/email/models.py
+++ b/passbook/stages/email/models.py
@@ -17,8 +17,9 @@ class EmailStage(Stage):
     use_ssl = models.BooleanField(default=False)
     timeout = models.IntegerField(default=10)
 
-    ssl_keyfile = models.TextField(default=None, blank=True, null=True)
-    ssl_certfile = models.TextField(default=None, blank=True, null=True)
+    token_expiry = models.IntegerField(
+        default=30, help_text=_("Time in minutes the token sent is valid.")
+    )
 
     from_address = models.EmailField(default="system@passbook.local")
 
@@ -36,8 +37,6 @@ class EmailStage(Stage):
             use_tls=self.use_tls,
             use_ssl=self.use_ssl,
             timeout=self.timeout,
-            ssl_certfile=self.ssl_certfile,
-            ssl_keyfile=self.ssl_keyfile,
         )
 
     def __str__(self):
diff --git a/passbook/stages/email/stage.py b/passbook/stages/email/stage.py
index 10c2a0891..c11ead4c3 100644
--- a/passbook/stages/email/stage.py
+++ b/passbook/stages/email/stage.py
@@ -1,26 +1,28 @@
 """passbook multi-stage authentication engine"""
 from datetime import timedelta
 
-from django.contrib import messages
-from django.http import HttpRequest
+from django.http import HttpResponse
 from django.shortcuts import reverse
 from django.utils.http import urlencode
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
+from django.views.generic import FormView
 from structlog import get_logger
 
 from passbook.core.models import Nonce
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import AuthenticationStage
+from passbook.stages.email.forms import EmailStageSendForm
 from passbook.stages.email.tasks import send_mails
 from passbook.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
 
 
-class EmailStageView(AuthenticationStage):
+class EmailStageView(FormView, AuthenticationStage):
     """E-Mail stage which sends E-Mail for verification"""
 
+    form_class = EmailStageSendForm
     template_name = "stages/email/waiting_message.html"
 
     def get_full_url(self, **kwargs) -> str:
@@ -32,13 +34,11 @@ class EmailStageView(AuthenticationStage):
         relative_url = f"{base_url}?{urlencode(kwargs)}"
         return self.request.build_absolute_uri(relative_url)
 
-    def get(self, request, *args, **kwargs):
-        # TODO: Form to make sure email is only sent once
+    def form_invalid(self, form: EmailStageSendForm) -> HttpResponse:
         pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
-        # TODO: Get expiry from Stage setting
         valid_delta = timedelta(
-            minutes=31
-        )  # 31 because django timesince always rounds down
+            minutes=self.executor.current_stage.token_expiry + 1
+        )  # + 1 because django timesince always rounds down
         nonce = Nonce.objects.create(user=pending_user, expires=now() + valid_delta)
         # Send mail to user
         message = TemplateEmailMessage(
@@ -52,12 +52,11 @@ class EmailStageView(AuthenticationStage):
             },
         )
         send_mails(self.executor.current_stage, message)
-        messages.success(request, _("Check your E-Mails for a password reset link."))
         # We can't call stage_ok yet, as we're still waiting
         # for the user to click the link in the email
         # return self.executor.stage_ok()
-        return super().get(request, *args, **kwargs)
+        return super().form_invalid(form)
 
-    def post(self, request: HttpRequest):
-        """Just redirect to next stage"""
-        return self.executor.stage_ok()
+    # def post(self, request: HttpRequest):
+    #     """Just redirect to next stage"""
+    #     return self.executor.()
diff --git a/passbook/stages/email/templates/stages/email/waiting_message.html b/passbook/stages/email/templates/stages/email/waiting_message.html
index 4a4ad8b1d..bebfb7317 100644
--- a/passbook/stages/email/templates/stages/email/waiting_message.html
+++ b/passbook/stages/email/templates/stages/email/waiting_message.html
@@ -1 +1,21 @@
-check your emails mate
+{% extends 'login/base.html' %}
+
+{% load static %}
+{% load i18n %}
+
+{% block card %}
+<form method="POST" class="pf-c-form">
+    <p>
+        {% blocktrans %}
+        Check your E-Mails for a password reset link.
+        {% endblocktrans %}
+    </p>
+    {% csrf_token %}
+
+    {% block beneath_form %}
+    {% endblock %}
+    <div class="pf-c-form__group pf-m-action">
+        <button class="pf-c-button pf-m-primary pf-m-block" type="submit">{% trans "Send Recovery E-Mail." %}</button>
+    </div>
+</form>
+{% endblock %}
diff --git a/passbook/stages/email/utils.py b/passbook/stages/email/utils.py
index b26b9eab6..139b6af82 100644
--- a/passbook/stages/email/utils.py
+++ b/passbook/stages/email/utils.py
@@ -1,7 +1,6 @@
 """email utils"""
 from django.core.mail import EmailMultiAlternatives
 from django.template.loader import render_to_string
-from django.utils.html import strip_tags
 
 
 class TemplateEmailMessage(EmailMultiAlternatives):
@@ -9,8 +8,6 @@ class TemplateEmailMessage(EmailMultiAlternatives):
 
     def __init__(self, template_name=None, template_context=None, **kwargs):
         html_content = render_to_string(template_name, template_context)
-        if "body" not in kwargs:
-            kwargs["body"] = strip_tags(html_content)
         super().__init__(**kwargs)
         self.content_subtype = "html"
         self.attach_alternative(html_content, "text/html")

From 3219cffb52f2de0369c8bebe276185039b9370d8 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 21:00:04 +0200
Subject: [PATCH 49/80] stages/email: add logic to verify token

---
 passbook/stages/email/stage.py | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/passbook/stages/email/stage.py b/passbook/stages/email/stage.py
index c11ead4c3..b19bc02a5 100644
--- a/passbook/stages/email/stage.py
+++ b/passbook/stages/email/stage.py
@@ -1,8 +1,9 @@
 """passbook multi-stage authentication engine"""
 from datetime import timedelta
 
-from django.http import HttpResponse
-from django.shortcuts import reverse
+from django.contrib import messages
+from django.http import HttpRequest, HttpResponse
+from django.shortcuts import get_object_or_404, reverse
 from django.utils.http import urlencode
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
@@ -17,6 +18,7 @@ from passbook.stages.email.tasks import send_mails
 from passbook.stages.email.utils import TemplateEmailMessage
 
 LOGGER = get_logger()
+QS_KEY_TOKEN = "token"
 
 
 class EmailStageView(FormView, AuthenticationStage):
@@ -34,6 +36,15 @@ class EmailStageView(FormView, AuthenticationStage):
         relative_url = f"{base_url}?{urlencode(kwargs)}"
         return self.request.build_absolute_uri(relative_url)
 
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        if QS_KEY_TOKEN in request.GET:
+            nonce = get_object_or_404(Nonce, pk=request.GET[QS_KEY_TOKEN])
+            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = nonce.user
+            nonce.delete()
+            messages.success(request, _("Successfully verified E-Mail."))
+            return self.executor.stage_ok()
+        return super().get(request, *args, **kwargs)
+
     def form_invalid(self, form: EmailStageSendForm) -> HttpResponse:
         pending_user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
         valid_delta = timedelta(
@@ -46,7 +57,7 @@ class EmailStageView(FormView, AuthenticationStage):
             template_name="stages/email/for_email/password_reset.html",
             to=[pending_user.email],
             template_context={
-                "url": self.get_full_url(token=nonce.pk.hex),
+                "url": self.get_full_url(**{QS_KEY_TOKEN: nonce.pk.hex}),
                 "user": pending_user,
                 "expires": nonce.expires,
             },

From 6676e950115c678ff11dc493391d1f41194e96ee Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 21:43:22 +0200
Subject: [PATCH 50/80] stages/email: add tests, cleanup

---
 passbook/stages/email/forms.py                |  2 +-
 passbook/stages/email/models.py               |  7 +-
 passbook/stages/email/stage.py                |  5 --
 passbook/stages/email/tasks.py                |  5 +-
 .../stages/email/for_email/base.html          |  2 +-
 .../templatetags/passbook_stages_email.py     | 18 ++--
 passbook/stages/email/tests.py                | 88 +++++++++++++++++++
 7 files changed, 102 insertions(+), 25 deletions(-)
 create mode 100644 passbook/stages/email/tests.py

diff --git a/passbook/stages/email/forms.py b/passbook/stages/email/forms.py
index 1ff829215..bdd865fb1 100644
--- a/passbook/stages/email/forms.py
+++ b/passbook/stages/email/forms.py
@@ -12,7 +12,7 @@ class EmailStageSendForm(forms.Form):
 
 
 class EmailStageForm(forms.ModelForm):
-    """Form to create/edit Dummy Stage"""
+    """Form to create/edit E-Mail Stage"""
 
     class Meta:
 
diff --git a/passbook/stages/email/models.py b/passbook/stages/email/models.py
index 914c118ed..c5ec2e9e5 100644
--- a/passbook/stages/email/models.py
+++ b/passbook/stages/email/models.py
@@ -1,5 +1,6 @@
 """email stage models"""
-from django.core.mail.backends.smtp import EmailBackend
+from django.core.mail import get_connection
+from django.core.mail.backends.base import BaseEmailBackend
 from django.db import models
 from django.utils.translation import gettext as _
 
@@ -27,9 +28,9 @@ class EmailStage(Stage):
     form = "passbook.stages.email.forms.EmailStageForm"
 
     @property
-    def backend(self) -> EmailBackend:
+    def backend(self) -> BaseEmailBackend:
         """Get fully configured EMail Backend instance"""
-        return EmailBackend(
+        return get_connection(
             host=self.host,
             port=self.port,
             username=self.username,
diff --git a/passbook/stages/email/stage.py b/passbook/stages/email/stage.py
index b19bc02a5..0bb49e5b3 100644
--- a/passbook/stages/email/stage.py
+++ b/passbook/stages/email/stage.py
@@ -65,9 +65,4 @@ class EmailStageView(FormView, AuthenticationStage):
         send_mails(self.executor.current_stage, message)
         # We can't call stage_ok yet, as we're still waiting
         # for the user to click the link in the email
-        # return self.executor.stage_ok()
         return super().form_invalid(form)
-
-    # def post(self, request: HttpRequest):
-    #     """Just redirect to next stage"""
-    #     return self.executor.()
diff --git a/passbook/stages/email/tasks.py b/passbook/stages/email/tasks.py
index 9ff45eb17..750a5326e 100644
--- a/passbook/stages/email/tasks.py
+++ b/passbook/stages/email/tasks.py
@@ -25,6 +25,7 @@ def send_mails(stage: EmailStage, *messages: List[EmailMultiAlternatives]):
 @CELERY_APP.task(
     bind=True, autoretry_for=(SMTPException, ConnectionError,), retry_backoff=True
 )
+# pylint: disable=unused-argument
 def _send_mail_task(self, email_stage_pk: int, message: Dict[Any, Any]):
     """Send E-Mail according to EmailStage parameters from background worker.
     Automatically retries if message couldn't be sent."""
@@ -38,6 +39,4 @@ def _send_mail_task(self, email_stage_pk: int, message: Dict[Any, Any]):
         setattr(message_object, key, value)
     message_object.from_email = stage.from_address
     LOGGER.debug("Sending mail", to=message_object.to)
-    num_sent = stage.backend.send_messages([message_object])
-    if num_sent != 1:
-        raise self.retry()
+    stage.backend.send_messages([message_object])
diff --git a/passbook/stages/email/templates/stages/email/for_email/base.html b/passbook/stages/email/templates/stages/email/for_email/base.html
index 8677d592a..21f4f9db1 100644
--- a/passbook/stages/email/templates/stages/email/for_email/base.html
+++ b/passbook/stages/email/templates/stages/email/for_email/base.html
@@ -9,7 +9,7 @@
 <head>
     <meta name="viewport" content="width=device-width" />
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
-    <title>Simple Transactional Email</title>
+    <title></title>
     <style>{% inline_static_ascii "stages/email/css/base.css" %}</style>
 </head>
 
diff --git a/passbook/stages/email/templatetags/passbook_stages_email.py b/passbook/stages/email/templatetags/passbook_stages_email.py
index d39668eff..48cd26949 100644
--- a/passbook/stages/email/templatetags/passbook_stages_email.py
+++ b/passbook/stages/email/templatetags/passbook_stages_email.py
@@ -1,7 +1,5 @@
 """passbook core inlining template tags"""
-import os
 from pathlib import Path
-from typing import Optional
 
 from django import template
 from django.contrib.staticfiles import finders
@@ -10,21 +8,17 @@ register = template.Library()
 
 
 @register.simple_tag()
-def inline_static_ascii(path: str) -> Optional[str]:
+def inline_static_ascii(path: str) -> str:
     """Inline static asset. Doesn't check file contents, plain text is assumed"""
     result = finders.find(path)
-    if os.path.exists(result):
-        with open(result) as _file:
-            return _file.read()
-    return None
+    with open(result) as _file:
+        return _file.read()
 
 
 @register.simple_tag()
-def inline_static_binary(path: str) -> Optional[str]:
+def inline_static_binary(path: str) -> str:
     """Inline static asset. Uses file extension for base64 block"""
     result = finders.find(path)
     suffix = Path(path).suffix
-    if os.path.exists(result):
-        with open(result) as _file:
-            return f"data:image/{suffix};base64," + _file.read()
-    return None
+    with open(result) as _file:
+        return f"data:image/{suffix};base64," + _file.read()
diff --git a/passbook/stages/email/tests.py b/passbook/stages/email/tests.py
new file mode 100644
index 000000000..345316c18
--- /dev/null
+++ b/passbook/stages/email/tests.py
@@ -0,0 +1,88 @@
+"""email tests"""
+from unittest.mock import MagicMock, patch
+
+from django.core import mail
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import Nonce, User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.email.models import EmailStage
+from passbook.stages.email.stage import QS_KEY_TOKEN
+
+
+class TestEmailStage(TestCase):
+    """Email tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create_user(
+            username="unittest", email="test@beryju.org"
+        )
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-email",
+            slug="test-email",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = EmailStage.objects.create(name="email",)
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_rendering(self):
+        """Test with pending user"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+        )
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_pending_user(self):
+        """Test with pending user"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+        )
+        with self.settings(
+            EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend"
+        ):
+            response = self.client.post(url)
+            self.assertEqual(response.status_code, 200)
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "passbook - Password Recovery")
+
+    def test_token(self):
+        """Test with token"""
+        # Make sure token exists
+        self.test_pending_user()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        with patch("passbook.flows.views.FlowExecutorView.cancel", MagicMock()):
+            url = reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+            token = Nonce.objects.get(user=self.user)
+            url += f"?{QS_KEY_TOKEN}={token.pk.hex}"
+            response = self.client.get(url)
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+            session = self.client.session
+            plan: FlowPlan = session[SESSION_KEY_PLAN]
+            self.assertEqual(plan.context[PLAN_CONTEXT_PENDING_USER], self.user)

From 631cf77f8963d879383b4f29307b5b640e5fec15 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 21:43:30 +0200
Subject: [PATCH 51/80] stages/captcha: add tests

---
 passbook/stages/captcha/tests.py | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 passbook/stages/captcha/tests.py

diff --git a/passbook/stages/captcha/tests.py b/passbook/stages/captcha/tests.py
new file mode 100644
index 000000000..a97b57eb0
--- /dev/null
+++ b/passbook/stages/captcha/tests.py
@@ -0,0 +1,48 @@
+"""captcha tests"""
+from django.conf import settings
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.captcha.models import CaptchaStage
+
+
+class TestCaptchaStage(TestCase):
+    """Captcha tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create_user(
+            username="unittest", email="test@beryju.org"
+        )
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-captcha",
+            slug="test-captcha",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = CaptchaStage.objects.create(
+            name="captcha",
+            public_key=settings.RECAPTCHA_PUBLIC_KEY,
+            private_key=settings.RECAPTCHA_PRIVATE_KEY,
+        )
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_valid(self):
+        """Test valid captcha"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            {"g-recaptcha-response": "PASSED"},
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))

From 5b2bf7519af83b823dfcad6696fcd0732419e825 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 10 May 2020 23:38:15 +0200
Subject: [PATCH 52/80] stages/user_create -> user_write: Stage can create and
 update existing users

---
 passbook/api/v2/urls.py                       |   4 +-
 .../flows/migrations/0002_default_flows.py    |   9 +-
 passbook/root/settings.py                     |   2 +-
 passbook/stages/user_create/api.py            |  24 ----
 passbook/stages/user_create/apps.py           |  10 --
 passbook/stages/user_create/forms.py          |  16 ---
 passbook/stages/user_create/models.py         |  19 ---
 passbook/stages/user_create/stage.py          |  39 -------
 passbook/stages/user_create/tests.py          |  73 ------------
 .../{user_create => user_write}/__init__.py   |   0
 passbook/stages/user_write/api.py             |  24 ++++
 passbook/stages/user_write/apps.py            |  10 ++
 passbook/stages/user_write/forms.py           |  16 +++
 .../migrations/0001_initial.py                |   8 +-
 .../migrations/__init__.py                    |   0
 passbook/stages/user_write/models.py          |  19 +++
 passbook/stages/user_write/stage.py           |  52 +++++++++
 passbook/stages/user_write/tests.py           | 110 ++++++++++++++++++
 18 files changed, 241 insertions(+), 194 deletions(-)
 delete mode 100644 passbook/stages/user_create/api.py
 delete mode 100644 passbook/stages/user_create/apps.py
 delete mode 100644 passbook/stages/user_create/forms.py
 delete mode 100644 passbook/stages/user_create/models.py
 delete mode 100644 passbook/stages/user_create/stage.py
 delete mode 100644 passbook/stages/user_create/tests.py
 rename passbook/stages/{user_create => user_write}/__init__.py (100%)
 create mode 100644 passbook/stages/user_write/api.py
 create mode 100644 passbook/stages/user_write/apps.py
 create mode 100644 passbook/stages/user_write/forms.py
 rename passbook/stages/{user_create => user_write}/migrations/0001_initial.py (80%)
 rename passbook/stages/{user_create => user_write}/migrations/__init__.py (100%)
 create mode 100644 passbook/stages/user_write/models.py
 create mode 100644 passbook/stages/user_write/stage.py
 create mode 100644 passbook/stages/user_write/tests.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index b06c3e45b..4b6370a62 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -37,8 +37,8 @@ from passbook.stages.identification.api import IdentificationStageViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
-from passbook.stages.user_create.api import UserCreateStageViewSet
 from passbook.stages.user_login.api import UserLoginStageViewSet
+from passbook.stages.user_write.api import UserWriteStageViewSet
 
 LOGGER = get_logger()
 router = routers.DefaultRouter()
@@ -86,7 +86,7 @@ router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
-router.register("stages/user_create", UserCreateStageViewSet)
+router.register("stages/user_write", UserWriteStageViewSet)
 router.register("stages/user_login", UserLoginStageViewSet)
 
 router.register("flows", FlowViewSet)
diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index 2db2f3af4..160c97544 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -37,22 +37,19 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     if not UserLoginStage.objects.using(db_alias).exists():
         UserLoginStage.objects.using(db_alias).create(name="authentication")
 
-    ident_stage = IdentificationStage.objects.using(db_alias).first()
-    pw_stage = PasswordStage.objects.using(db_alias).first()
-    login_stage = UserLoginStage.objects.using(db_alias).first()
     flow = Flow.objects.using(db_alias).create(
         name="default-authentication-flow",
         slug="default-authentication-flow",
         designation=FlowDesignation.AUTHENTICATION,
     )
     FlowStageBinding.objects.using(db_alias).create(
-        flow=flow, stage=ident_stage, order=0,
+        flow=flow, stage=IdentificationStage.objects.using(db_alias).first(), order=0,
     )
     FlowStageBinding.objects.using(db_alias).create(
-        flow=flow, stage=pw_stage, order=1,
+        flow=flow, stage=PasswordStage.objects.using(db_alias).first(), order=1,
     )
     FlowStageBinding.objects.using(db_alias).create(
-        flow=flow, stage=login_stage, order=2,
+        flow=flow, stage=UserLoginStage.objects.using(db_alias).first(), order=2,
     )
 
 
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index b711f396b..8315e4003 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -108,8 +108,8 @@ INSTALLED_APPS = [
     "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
-    "passbook.stages.user_create.apps.PassbookStageUserCreateConfig",
     "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
+    "passbook.stages.user_write.apps.PassbookStageUserWriteConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
     "passbook.static.apps.PassbookStaticConfig",
diff --git a/passbook/stages/user_create/api.py b/passbook/stages/user_create/api.py
deleted file mode 100644
index d95415eed..000000000
--- a/passbook/stages/user_create/api.py
+++ /dev/null
@@ -1,24 +0,0 @@
-"""User Create Stage API Views"""
-from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ModelViewSet
-
-from passbook.stages.user_create.models import UserCreateStage
-
-
-class UserCreateStageSerializer(ModelSerializer):
-    """UserCreateStage Serializer"""
-
-    class Meta:
-
-        model = UserCreateStage
-        fields = [
-            "pk",
-            "name",
-        ]
-
-
-class UserCreateStageViewSet(ModelViewSet):
-    """UserCreateStage Viewset"""
-
-    queryset = UserCreateStage.objects.all()
-    serializer_class = UserCreateStageSerializer
diff --git a/passbook/stages/user_create/apps.py b/passbook/stages/user_create/apps.py
deleted file mode 100644
index 27bb3b467..000000000
--- a/passbook/stages/user_create/apps.py
+++ /dev/null
@@ -1,10 +0,0 @@
-"""passbook create stage app config"""
-from django.apps import AppConfig
-
-
-class PassbookStageUserCreateConfig(AppConfig):
-    """passbook create stage config"""
-
-    name = "passbook.stages.user_create"
-    label = "passbook_stages_user_create"
-    verbose_name = "passbook Stages.User Create"
diff --git a/passbook/stages/user_create/forms.py b/passbook/stages/user_create/forms.py
deleted file mode 100644
index edf5bb784..000000000
--- a/passbook/stages/user_create/forms.py
+++ /dev/null
@@ -1,16 +0,0 @@
-"""passbook flows create forms"""
-from django import forms
-
-from passbook.stages.user_create.models import UserCreateStage
-
-
-class UserCreateStageForm(forms.ModelForm):
-    """Form to create/edit UserCreateStage instances"""
-
-    class Meta:
-
-        model = UserCreateStage
-        fields = ["name"]
-        widgets = {
-            "name": forms.TextInput(),
-        }
diff --git a/passbook/stages/user_create/models.py b/passbook/stages/user_create/models.py
deleted file mode 100644
index f0b48a97b..000000000
--- a/passbook/stages/user_create/models.py
+++ /dev/null
@@ -1,19 +0,0 @@
-"""create stage models"""
-from django.utils.translation import gettext_lazy as _
-
-from passbook.flows.models import Stage
-
-
-class UserCreateStage(Stage):
-    """Create stage, create a user from saved data."""
-
-    type = "passbook.stages.user_create.stage.UserCreateStageView"
-    form = "passbook.stages.user_create.forms.UserCreateStageForm"
-
-    def __str__(self):
-        return f"User Create Stage {self.name}"
-
-    class Meta:
-
-        verbose_name = _("User Create Stage")
-        verbose_name_plural = _("User Create Stages")
diff --git a/passbook/stages/user_create/stage.py b/passbook/stages/user_create/stage.py
deleted file mode 100644
index 122324683..000000000
--- a/passbook/stages/user_create/stage.py
+++ /dev/null
@@ -1,39 +0,0 @@
-"""Create stage logic"""
-from django.contrib import messages
-from django.contrib.auth.backends import ModelBackend
-from django.http import HttpRequest, HttpResponse
-from django.utils.translation import gettext as _
-from structlog import get_logger
-
-from passbook.core.models import User
-from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
-from passbook.flows.stage import AuthenticationStage
-from passbook.lib.utils.reflection import class_to_path
-from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
-from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-LOGGER = get_logger()
-
-
-class UserCreateStageView(AuthenticationStage):
-    """Finalise Enrollment flow by creating a user object."""
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
-            message = _("No Pending data.")
-            messages.error(request, message)
-            LOGGER.debug(message)
-            return self.executor.stage_invalid()
-        data = self.executor.plan.context[PLAN_CONTEXT_PROMPT]
-        user = User.objects.create_user(**data)
-        # Set created user as pending_user, so this can be chained with user_login
-        self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
-        self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND] = class_to_path(
-            ModelBackend
-        )
-        LOGGER.debug(
-            "Created user",
-            user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
-            flow_slug=self.executor.flow.slug,
-        )
-        return self.executor.stage_ok()
diff --git a/passbook/stages/user_create/tests.py b/passbook/stages/user_create/tests.py
deleted file mode 100644
index ae0295822..000000000
--- a/passbook/stages/user_create/tests.py
+++ /dev/null
@@ -1,73 +0,0 @@
-"""create tests"""
-import string
-from random import SystemRandom
-
-from django.shortcuts import reverse
-from django.test import Client, TestCase
-
-from passbook.core.models import User
-from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
-from passbook.flows.planner import FlowPlan
-from passbook.flows.views import SESSION_KEY_PLAN
-from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-from passbook.stages.user_create.models import UserCreateStage
-
-
-class TestUserCreateStage(TestCase):
-    """Create tests"""
-
-    def setUp(self):
-        super().setUp()
-        self.client = Client()
-
-        self.password = "".join(
-            SystemRandom().choice(string.ascii_uppercase + string.digits)
-            for _ in range(8)
-        )
-        self.flow = Flow.objects.create(
-            name="test-create",
-            slug="test-create",
-            designation=FlowDesignation.AUTHENTICATION,
-        )
-        self.stage = UserCreateStage.objects.create(name="create")
-        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
-
-    def test_valid_create(self):
-        """Test creation of user"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
-        plan.context[PLAN_CONTEXT_PROMPT] = {
-            "username": "test-user",
-            "name": "name",
-            "email": "test@beryju.org",
-            "password": self.password,
-        }
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        response = self.client.get(
-            reverse(
-                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertTrue(
-            User.objects.filter(
-                username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
-            ).exists()
-        )
-
-    def test_without_data(self):
-        """Test without data results in error"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        response = self.client.get(
-            reverse(
-                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_flows:denied"))
diff --git a/passbook/stages/user_create/__init__.py b/passbook/stages/user_write/__init__.py
similarity index 100%
rename from passbook/stages/user_create/__init__.py
rename to passbook/stages/user_write/__init__.py
diff --git a/passbook/stages/user_write/api.py b/passbook/stages/user_write/api.py
new file mode 100644
index 000000000..8e32a36ae
--- /dev/null
+++ b/passbook/stages/user_write/api.py
@@ -0,0 +1,24 @@
+"""User Write Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.user_write.models import UserWriteStage
+
+
+class UserWriteStageSerializer(ModelSerializer):
+    """UserWriteStage Serializer"""
+
+    class Meta:
+
+        model = UserWriteStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class UserWriteStageViewSet(ModelViewSet):
+    """UserWriteStage Viewset"""
+
+    queryset = UserWriteStage.objects.all()
+    serializer_class = UserWriteStageSerializer
diff --git a/passbook/stages/user_write/apps.py b/passbook/stages/user_write/apps.py
new file mode 100644
index 000000000..f2dceb575
--- /dev/null
+++ b/passbook/stages/user_write/apps.py
@@ -0,0 +1,10 @@
+"""passbook write stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserWriteConfig(AppConfig):
+    """passbook write stage config"""
+
+    name = "passbook.stages.user_write"
+    label = "passbook_stages_user_write"
+    verbose_name = "passbook Stages.User Write"
diff --git a/passbook/stages/user_write/forms.py b/passbook/stages/user_write/forms.py
new file mode 100644
index 000000000..f4e00d8ae
--- /dev/null
+++ b/passbook/stages/user_write/forms.py
@@ -0,0 +1,16 @@
+"""passbook flows write forms"""
+from django import forms
+
+from passbook.stages.user_write.models import UserWriteStage
+
+
+class UserWriteStageForm(forms.ModelForm):
+    """Form to write/edit UserWriteStage instances"""
+
+    class Meta:
+
+        model = UserWriteStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/stages/user_create/migrations/0001_initial.py b/passbook/stages/user_write/migrations/0001_initial.py
similarity index 80%
rename from passbook/stages/user_create/migrations/0001_initial.py
rename to passbook/stages/user_write/migrations/0001_initial.py
index 35f3d418f..177866967 100644
--- a/passbook/stages/user_create/migrations/0001_initial.py
+++ b/passbook/stages/user_write/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.5 on 2020-05-10 14:26
+# Generated by Django 3.0.5 on 2020-05-10 21:21
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -14,7 +14,7 @@ class Migration(migrations.Migration):
 
     operations = [
         migrations.CreateModel(
-            name="UserCreateStage",
+            name="UserWriteStage",
             fields=[
                 (
                     "stage_ptr",
@@ -29,8 +29,8 @@ class Migration(migrations.Migration):
                 ),
             ],
             options={
-                "verbose_name": "User Create Stage",
-                "verbose_name_plural": "User Create Stages",
+                "verbose_name": "User Write Stage",
+                "verbose_name_plural": "User Write Stages",
             },
             bases=("passbook_flows.stage",),
         ),
diff --git a/passbook/stages/user_create/migrations/__init__.py b/passbook/stages/user_write/migrations/__init__.py
similarity index 100%
rename from passbook/stages/user_create/migrations/__init__.py
rename to passbook/stages/user_write/migrations/__init__.py
diff --git a/passbook/stages/user_write/models.py b/passbook/stages/user_write/models.py
new file mode 100644
index 000000000..078b4e174
--- /dev/null
+++ b/passbook/stages/user_write/models.py
@@ -0,0 +1,19 @@
+"""write stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserWriteStage(Stage):
+    """Write stage, write a user from saved data."""
+
+    type = "passbook.stages.user_write.stage.UserWriteStageView"
+    form = "passbook.stages.user_write.forms.UserWriteStageForm"
+
+    def __str__(self):
+        return f"User Write Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("User Write Stage")
+        verbose_name_plural = _("User Write Stages")
diff --git a/passbook/stages/user_write/stage.py b/passbook/stages/user_write/stage.py
new file mode 100644
index 000000000..20c689064
--- /dev/null
+++ b/passbook/stages/user_write/stage.py
@@ -0,0 +1,52 @@
+"""Write stage logic"""
+from django.contrib import messages
+from django.contrib.auth.backends import ModelBackend
+from django.http import HttpRequest, HttpResponse
+from django.utils.translation import gettext as _
+from structlog import get_logger
+
+from passbook.core.models import User
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.lib.utils.reflection import class_to_path
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+LOGGER = get_logger()
+
+
+class UserWriteStageView(AuthenticationStage):
+    """Finalise Enrollment flow by creating a user object."""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
+            message = _("No Pending data.")
+            messages.error(request, message)
+            LOGGER.debug(message)
+            return self.executor.stage_invalid()
+        data = self.executor.plan.context[PLAN_CONTEXT_PROMPT]
+        if PLAN_CONTEXT_PENDING_USER in self.executor.plan.context:
+            user = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+            for key, value in data.items():
+                setter_name = f"set_{key}"
+                if hasattr(user, setter_name):
+                    setter = getattr(user, setter_name)
+                    if callable(setter):
+                        setter(value)
+                else:
+                    setattr(user, key, value)
+            user.save()
+            LOGGER.debug(
+                "Updated existing user", user=user, flow_slug=self.executor.flow.slug,
+            )
+        else:
+            user = User.objects.create_user(**data)
+            # Set created user as pending_user, so this can be chained with user_login
+            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = user
+            self.executor.plan.context[
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND
+            ] = class_to_path(ModelBackend)
+            LOGGER.debug(
+                "Created new user", user=user, flow_slug=self.executor.flow.slug,
+            )
+        return self.executor.stage_ok()
diff --git a/passbook/stages/user_write/tests.py b/passbook/stages/user_write/tests.py
new file mode 100644
index 000000000..5bad06809
--- /dev/null
+++ b/passbook/stages/user_write/tests.py
@@ -0,0 +1,110 @@
+"""write tests"""
+import string
+from random import SystemRandom
+
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from passbook.stages.user_write.forms import UserWriteStageForm
+from passbook.stages.user_write.models import UserWriteStage
+
+
+class TestUserWriteStage(TestCase):
+    """Write tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-write",
+            slug="test-write",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = UserWriteStage.objects.create(name="write")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_user_create(self):
+        """Test creation of user"""
+        password = "".join(
+            SystemRandom().choice(string.ascii_uppercase + string.digits)
+            for _ in range(8)
+        )
+
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            "username": "test-user",
+            "name": "name",
+            "email": "test@beryju.org",
+            "password": password,
+        }
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        user_qs = User.objects.filter(
+            username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
+        )
+        self.assertTrue(user_qs.exists())
+        self.assertTrue(user_qs.first().check_password(password))
+
+    def test_user_update(self):
+        """Test update of existing user"""
+        new_password = "".join(
+            SystemRandom().choice(string.ascii_uppercase + string.digits)
+            for _ in range(8)
+        )
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = User.objects.create(
+            username="unittest", email="test@beryju.org"
+        )
+        plan.context[PLAN_CONTEXT_PROMPT] = {
+            "username": "test-user-new",
+            "password": new_password,
+        }
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        user_qs = User.objects.filter(
+            username=plan.context[PLAN_CONTEXT_PROMPT]["username"]
+        )
+        self.assertTrue(user_qs.exists())
+        self.assertTrue(user_qs.first().check_password(new_password))
+
+    def test_without_data(self):
+        """Test without data results in error"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(UserWriteStageForm(data).is_valid(), True)

From 69120da45c589aaa6e0b3c97ff825ebdca7735c6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 00:49:48 +0200
Subject: [PATCH 53/80] core: remove redundant views/forms

---
 passbook/admin/views/overview.py              |  2 +-
 passbook/admin/views/users.py                 |  3 +-
 passbook/core/forms/users.py                  | 27 ------------
 passbook/core/models.py                       |  5 +--
 .../core/templates/login/form_with_user.html  |  2 +-
 passbook/core/tests/test_views_user.py        | 19 --------
 passbook/core/urls.py                         | 22 ----------
 passbook/core/views/authentication.py         | 25 ++---------
 passbook/core/views/user.py                   | 43 +++----------------
 passbook/flows/urls.py                        | 29 ++++++++++++-
 passbook/root/settings.py                     |  2 +-
 passbook/root/urls.py                         |  2 +-
 12 files changed, 43 insertions(+), 138 deletions(-)

diff --git a/passbook/admin/views/overview.py b/passbook/admin/views/overview.py
index 9248eac5b..c263007dc 100644
--- a/passbook/admin/views/overview.py
+++ b/passbook/admin/views/overview.py
@@ -19,7 +19,7 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         """Handle post (clear cache from modal)"""
         if "clear" in self.request.POST:
             cache.clear()
-            return redirect(reverse("passbook_core:auth-login"))
+            return redirect(reverse("passbook_flows:default-auth"))
         return self.get(*args, **kwargs)
 
     def get_context_data(self, **kwargs):
diff --git a/passbook/admin/views/users.py b/passbook/admin/views/users.py
index 257ad955a..618bbf907 100644
--- a/passbook/admin/views/users.py
+++ b/passbook/admin/views/users.py
@@ -94,9 +94,10 @@ class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailV
     def get(self, request, *args, **kwargs):
         """Create nonce for user and return link"""
         super().get(request, *args, **kwargs)
+        # TODO: create plan for user, get token
         nonce = Nonce.objects.create(user=self.object)
         link = request.build_absolute_uri(
-            reverse("passbook_core:auth-password-reset", kwargs={"nonce": nonce.uuid})
+            reverse("passbook_flows:default-recovery", kwargs={"nonce": nonce.uuid})
         )
         messages.success(
             request, _("Password reset link: <pre>%(link)s</pre>" % {"link": link})
diff --git a/passbook/core/forms/users.py b/passbook/core/forms/users.py
index b989eff9a..f6b725cda 100644
--- a/passbook/core/forms/users.py
+++ b/passbook/core/forms/users.py
@@ -1,8 +1,6 @@
 """passbook core user forms"""
 
 from django import forms
-from django.forms import ValidationError
-from django.utils.translation import gettext_lazy as _
 
 from passbook.core.models import User
 
@@ -15,28 +13,3 @@ class UserDetailForm(forms.ModelForm):
         model = User
         fields = ["username", "name", "email"]
         widgets = {"name": forms.TextInput}
-
-
-class PasswordChangeForm(forms.Form):
-    """Form to update password"""
-
-    password = forms.CharField(
-        label=_("Password"),
-        widget=forms.PasswordInput(
-            attrs={"placeholder": _("New Password"), "autocomplete": "new-password"}
-        ),
-    )
-    password_repeat = forms.CharField(
-        label=_("Repeat Password"),
-        widget=forms.PasswordInput(
-            attrs={"placeholder": _("Repeat Password"), "autocomplete": "new-password"}
-        ),
-    )
-
-    def clean_password_repeat(self):
-        """Check if Password adheres to filter and if passwords matche"""
-        password = self.cleaned_data.get("password")
-        password_repeat = self.cleaned_data.get("password_repeat")
-        if password != password_repeat:
-            raise ValidationError(_("Passwords don't match"))
-        return self.cleaned_data.get("password_repeat")
diff --git a/passbook/core/models.py b/passbook/core/models.py
index a415fcc75..4894829fd 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -208,9 +208,8 @@ class Invitation(ExportModelOperationsMixin("invitation"), UUIDModel):
     @property
     def link(self):
         """Get link to use invitation"""
-        return (
-            reverse_lazy("passbook_core:auth-sign-up") + f"?invitation={self.uuid.hex}"
-        )
+        qs = f"?invitation={self.uuid.hex}"
+        return reverse_lazy("passbook_flows:default-enrollment") + qs
 
     def __str__(self):
         return f"Invitation {self.uuid.hex} created by {self.created_by}"
diff --git a/passbook/core/templates/login/form_with_user.html b/passbook/core/templates/login/form_with_user.html
index 17164bcf0..b1ac95753 100644
--- a/passbook/core/templates/login/form_with_user.html
+++ b/passbook/core/templates/login/form_with_user.html
@@ -37,7 +37,7 @@
             {{ user.username }}
         </div>
         <div class="right">
-            <a href="{% url 'passbook_core:auth-login' %}">{% trans 'Not you?' %}</a>
+            <a href="{% url 'passbook_flows:default-auth' %}">{% trans 'Not you?' %}</a>
         </div>
     </div>
 </div>
diff --git a/passbook/core/tests/test_views_user.py b/passbook/core/tests/test_views_user.py
index baaef4b74..1a49dff3f 100644
--- a/passbook/core/tests/test_views_user.py
+++ b/passbook/core/tests/test_views_user.py
@@ -5,7 +5,6 @@ from random import SystemRandom
 from django.shortcuts import reverse
 from django.test import TestCase
 
-from passbook.core.forms.users import PasswordChangeForm
 from passbook.core.models import User
 
 
@@ -37,21 +36,3 @@ class TestUserViews(TestCase):
         )
         self.assertEqual(User.objects.filter(username="unittest user").exists(), False)
         self.setUp()
-
-    def test_user_change_password(self):
-        """Test UserChangePasswordView"""
-        form_data = {"password": "test2", "password_repeat": "test2"}
-        form = PasswordChangeForm(data=form_data)
-        self.assertTrue(form.is_valid())
-        self.assertEqual(
-            self.client.get(reverse("passbook_core:user-change-password")).status_code,
-            200,
-        )
-        self.assertEqual(
-            self.client.post(
-                reverse("passbook_core:user-change-password"), data=form_data
-            ).status_code,
-            302,
-        )
-        self.user.refresh_from_db()
-        self.assertTrue(self.user.check_password("test2"))
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index f891325f3..de000d3a0 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -2,35 +2,13 @@
 from django.urls import path
 
 from passbook.core.views import authentication, overview, user
-from passbook.flows.models import FlowDesignation
-from passbook.flows.views import ToDefaultFlow
 
 urlpatterns = [
     # Authentication views
-    path(
-        "auth/login/",
-        ToDefaultFlow.as_view(designation=FlowDesignation.AUTHENTICATION),
-        name="auth-login",
-    ),
     path("auth/logout/", authentication.LogoutView.as_view(), name="auth-logout"),
-    path(
-        "auth/sign_up/",
-        ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
-        name="auth-sign-up",
-    ),
-    path(
-        "auth/password/reset/<uuid:nonce_uuid>/",
-        authentication.PasswordResetView.as_view(),
-        name="auth-password-reset",
-    ),
     # User views
     path("-/user/", user.UserSettingsView.as_view(), name="user-settings"),
     path("-/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
-    path(
-        "-/user/change_password/",
-        user.UserChangePasswordView.as_view(),
-        name="user-change-password",
-    ),
     # Overview
     path("", overview.OverviewView.as_view(), name="overview"),
 ]
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
index 993b2a205..dea3ab1b4 100644
--- a/passbook/core/views/authentication.py
+++ b/passbook/core/views/authentication.py
@@ -1,15 +1,13 @@
 """passbook core authentication views"""
 from django.contrib import messages
-from django.contrib.auth import login, logout
+from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import HttpRequest, HttpResponse
-from django.shortcuts import get_object_or_404, redirect, reverse
+from django.shortcuts import redirect, reverse
 from django.utils.translation import ugettext as _
 from django.views import View
 from structlog import get_logger
 
-from passbook.core.models import Nonce
-
 LOGGER = get_logger()
 
 
@@ -20,21 +18,4 @@ class LogoutView(LoginRequiredMixin, View):
         """Log current user out"""
         logout(request)
         messages.success(request, _("You've successfully been logged out."))
-        return redirect(reverse("passbook_core:auth-login"))
-
-
-class PasswordResetView(View):
-    """Temporarily authenticate User and allow them to reset their password"""
-
-    def get(self, request: HttpRequest, nonce_uuid: str) -> HttpResponse:
-        """Authenticate user with nonce and redirect to password change view"""
-        # 3. (Optional) Trap user in password change view
-        nonce = get_object_or_404(Nonce, uuid=nonce_uuid)
-        # Workaround: hardcoded reference to ModelBackend, needs testing
-        nonce.user.backend = "django.contrib.auth.backends.ModelBackend"
-        login(request, nonce.user)
-        nonce.delete()
-        messages.success(
-            request, _(("Temporarily authenticated, please change your password")),
-        )
-        return redirect("passbook_core:user-change-password")
+        return redirect(reverse("passbook_flows:default-auth"))
diff --git a/passbook/core/views/user.py b/passbook/core/views/user.py
index 215efb2f5..946819fb9 100644
--- a/passbook/core/views/user.py
+++ b/passbook/core/views/user.py
@@ -1,16 +1,14 @@
 """passbook core user views"""
 from django.contrib import messages
-from django.contrib.auth import logout, update_session_auth_hash
+from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
-from django.forms.utils import ErrorList
-from django.shortcuts import redirect, reverse
+from django.shortcuts import reverse
 from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
-from django.views.generic import DeleteView, FormView, UpdateView
+from django.views.generic import DeleteView, UpdateView
 
-from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
-from passbook.lib.config import CONFIG
+from passbook.core.forms.users import UserDetailForm
 
 
 class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
@@ -37,35 +35,4 @@ class UserDeleteView(LoginRequiredMixin, DeleteView):
     def get_success_url(self):
         messages.success(self.request, _("Successfully deleted user."))
         logout(self.request)
-        return reverse("passbook_core:auth-login")
-
-
-class UserChangePasswordView(LoginRequiredMixin, FormView):
-    """View for users to update their password"""
-
-    form_class = PasswordChangeForm
-    template_name = "login/form_with_user.html"
-
-    def form_valid(self, form: PasswordChangeForm):
-        # TODO: Rewrite to flow
-        try:
-            # user.set_password checks against Policies so we don't need to manually do it here
-            self.request.user.set_password(form.cleaned_data.get("password"))
-            self.request.user.save()
-            update_session_auth_hash(self.request, self.request.user)
-            messages.success(self.request, _("Successfully changed password"))
-        except ValueError:
-            # Manually inject error into form
-            # pylint: disable=protected-access
-            errors = form._errors.setdefault("password_repeat", ErrorList(""))
-            # pylint: disable=protected-access
-            errors = form._errors.setdefault("password", ErrorList())
-            errors.append("foo")
-            return self.form_invalid(form)
-        return redirect("passbook_core:overview")
-
-    def get_context_data(self, **kwargs):
-        kwargs["config"] = CONFIG.y("passbook")
-        kwargs["title"] = _("Change Password")
-        kwargs["primary_action"] = _("Change")
-        return super().get_context_data(**kwargs)
+        return reverse("passbook_flows:default-auth")
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 038e21d8b..48a1659ff 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -1,9 +1,34 @@
 """flow urls"""
 from django.urls import path
 
-from passbook.flows.views import FlowExecutorView, FlowPermissionDeniedView
+from passbook.flows.models import FlowDesignation
+from passbook.flows.views import (
+    FlowExecutorView,
+    FlowPermissionDeniedView,
+    ToDefaultFlow,
+)
 
 urlpatterns = [
-    path("denied/", FlowPermissionDeniedView.as_view(), name="denied"),
+    path("-/denied/", FlowPermissionDeniedView.as_view(), name="denied"),
+    path(
+        "-/default/auth/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.AUTHENTICATION),
+        name="default-auth",
+    ),
+    path(
+        "-/default/recovery/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.RECOVERY),
+        name="default-recovery",
+    ),
+    path(
+        "-/default/enrollment/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
+        name="default-enrollment",
+    ),
+    path(
+        "-/default/password_change/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.PASSWORD_CHANGE),
+        name="default-password-change",
+    ),
     path("<slug:flow_slug>/", FlowExecutorView.as_view(), name="flow-executor"),
 ]
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 8315e4003..ccb5afdff 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -44,7 +44,7 @@ INTERNAL_IPS = ["127.0.0.1"]
 ALLOWED_HOSTS = ["*"]
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
-LOGIN_URL = "passbook_core:auth-login"
+LOGIN_URL = "passbook_flows:default-auth"
 # CSRF_FAILURE_VIEW = 'passbook.core.views.errors.CSRFErrorView.as_view'
 
 # Custom user model
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index 8f3d09b83..73adb5531 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -11,7 +11,7 @@ from passbook.root.monitoring import MetricsView
 
 LOGGER = get_logger()
 admin.autodiscover()
-admin.site.login = RedirectView.as_view(pattern_name="passbook_core:auth-login")
+admin.site.login = RedirectView.as_view(pattern_name="passbook_flows:default-auth")
 
 handler400 = error.BadRequestView.as_view()
 handler403 = error.ForbiddenView.as_view()

From 9dec13c22503fac98dcdb719b8e38e893d9e68a9 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 01:12:14 +0200
Subject: [PATCH 54/80] stages/user_logout: add logout stage

---
 passbook/api/v2/urls.py                       |  4 +-
 passbook/root/settings.py                     |  1 +
 passbook/stages/user_logout/__init__.py       |  0
 passbook/stages/user_logout/api.py            | 24 +++++++++
 passbook/stages/user_logout/apps.py           | 10 ++++
 passbook/stages/user_logout/forms.py          | 16 ++++++
 .../user_logout/migrations/0001_initial.py    | 37 +++++++++++++
 .../stages/user_logout/migrations/__init__.py |  0
 passbook/stages/user_logout/models.py         | 19 +++++++
 passbook/stages/user_logout/stage.py          | 22 ++++++++
 passbook/stages/user_logout/tests.py          | 52 +++++++++++++++++++
 11 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100644 passbook/stages/user_logout/__init__.py
 create mode 100644 passbook/stages/user_logout/api.py
 create mode 100644 passbook/stages/user_logout/apps.py
 create mode 100644 passbook/stages/user_logout/forms.py
 create mode 100644 passbook/stages/user_logout/migrations/0001_initial.py
 create mode 100644 passbook/stages/user_logout/migrations/__init__.py
 create mode 100644 passbook/stages/user_logout/models.py
 create mode 100644 passbook/stages/user_logout/stage.py
 create mode 100644 passbook/stages/user_logout/tests.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 4b6370a62..84dc92d77 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -38,6 +38,7 @@ from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
 from passbook.stages.user_login.api import UserLoginStageViewSet
+from passbook.stages.user_logout.api import UserLogoutStageViewSet
 from passbook.stages.user_write.api import UserWriteStageViewSet
 
 LOGGER = get_logger()
@@ -86,8 +87,9 @@ router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
-router.register("stages/user_write", UserWriteStageViewSet)
 router.register("stages/user_login", UserLoginStageViewSet)
+router.register("stages/user_logout", UserLogoutStageViewSet)
+router.register("stages/user_write", UserWriteStageViewSet)
 
 router.register("flows", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index ccb5afdff..7abd08760 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -109,6 +109,7 @@ INSTALLED_APPS = [
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
+    "passbook.stages.user_logout.apps.PassbookStageUserLogoutConfig",
     "passbook.stages.user_write.apps.PassbookStageUserWriteConfig",
     "passbook.stages.otp.apps.PassbookStageOTPConfig",
     "passbook.stages.password.apps.PassbookStagePasswordConfig",
diff --git a/passbook/stages/user_logout/__init__.py b/passbook/stages/user_logout/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_logout/api.py b/passbook/stages/user_logout/api.py
new file mode 100644
index 000000000..4200a36d9
--- /dev/null
+++ b/passbook/stages/user_logout/api.py
@@ -0,0 +1,24 @@
+"""Logout Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.user_logout.models import UserLogoutStage
+
+
+class UserLogoutStageSerializer(ModelSerializer):
+    """UserLogoutStage Serializer"""
+
+    class Meta:
+
+        model = UserLogoutStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class UserLogoutStageViewSet(ModelViewSet):
+    """UserLogoutStage Viewset"""
+
+    queryset = UserLogoutStage.objects.all()
+    serializer_class = UserLogoutStageSerializer
diff --git a/passbook/stages/user_logout/apps.py b/passbook/stages/user_logout/apps.py
new file mode 100644
index 000000000..7d7c0ee80
--- /dev/null
+++ b/passbook/stages/user_logout/apps.py
@@ -0,0 +1,10 @@
+"""passbook logout stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserLogoutConfig(AppConfig):
+    """passbook logout stage config"""
+
+    name = "passbook.stages.user_logout"
+    label = "passbook_stages_user_logout"
+    verbose_name = "passbook Stages.User Logout"
diff --git a/passbook/stages/user_logout/forms.py b/passbook/stages/user_logout/forms.py
new file mode 100644
index 000000000..a2e879835
--- /dev/null
+++ b/passbook/stages/user_logout/forms.py
@@ -0,0 +1,16 @@
+"""passbook flows logout forms"""
+from django import forms
+
+from passbook.stages.user_logout.models import UserLogoutStage
+
+
+class UserLogoutStageForm(forms.ModelForm):
+    """Form to create/edit UserLogoutStage instances"""
+
+    class Meta:
+
+        model = UserLogoutStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
diff --git a/passbook/stages/user_logout/migrations/0001_initial.py b/passbook/stages/user_logout/migrations/0001_initial.py
new file mode 100644
index 000000000..53456156e
--- /dev/null
+++ b/passbook/stages/user_logout/migrations/0001_initial.py
@@ -0,0 +1,37 @@
+# Generated by Django 3.0.5 on 2020-05-10 22:56
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="UserLogoutStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "User Logout Stage",
+                "verbose_name_plural": "User Logout Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+    ]
diff --git a/passbook/stages/user_logout/migrations/__init__.py b/passbook/stages/user_logout/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_logout/models.py b/passbook/stages/user_logout/models.py
new file mode 100644
index 000000000..55a03983b
--- /dev/null
+++ b/passbook/stages/user_logout/models.py
@@ -0,0 +1,19 @@
+"""logout stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserLogoutStage(Stage):
+    """Logout stage, allows a user to identify themselves to authenticate."""
+
+    type = "passbook.stages.user_logout.stage.UserLogoutStageView"
+    form = "passbook.stages.user_logout.forms.UserLogoutStageForm"
+
+    def __str__(self):
+        return f"User Logout Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("User Logout Stage")
+        verbose_name_plural = _("User Logout Stages")
diff --git a/passbook/stages/user_logout/stage.py b/passbook/stages/user_logout/stage.py
new file mode 100644
index 000000000..ef360b3ed
--- /dev/null
+++ b/passbook/stages/user_logout/stage.py
@@ -0,0 +1,22 @@
+"""Logout stage logic"""
+from django.contrib.auth import logout
+from django.http import HttpRequest, HttpResponse
+from structlog import get_logger
+
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+
+LOGGER = get_logger()
+
+
+class UserLogoutStageView(AuthenticationStage):
+    """Finalise Authentication flow by logging the user in"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        logout(self.request)
+        LOGGER.debug(
+            "Logged out",
+            user=self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
+            flow_slug=self.executor.flow.slug,
+        )
+        return self.executor.stage_ok()
diff --git a/passbook/stages/user_logout/tests.py b/passbook/stages/user_logout/tests.py
new file mode 100644
index 000000000..6f5a309e4
--- /dev/null
+++ b/passbook/stages/user_logout/tests.py
@@ -0,0 +1,52 @@
+"""logout tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.user_logout.forms import UserLogoutStageForm
+from passbook.stages.user_logout.models import UserLogoutStage
+
+
+class TestUserLogoutStage(TestCase):
+    """Logout tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-logout",
+            slug="test-logout",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = UserLogoutStage.objects.create(name="logout")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_valid_password(self):
+        """Test with a valid pending user and backend"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        plan.context[
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND
+        ] = "django.contrib.auth.backends.ModelBackend"
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(UserLogoutStageForm(data).is_valid(), True)

From e12780f78ff25fffa2ed4c32d1535d20bb76e178 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 01:12:57 +0200
Subject: [PATCH 55/80] flows: add invalidation designation, use as default
 logout action

---
 passbook/core/templates/base/page.html        |  2 +-
 .../core/tests/test_views_authentication.py   | 45 -------------------
 passbook/core/urls.py                         |  4 +-
 passbook/core/views/authentication.py         | 21 ---------
 .../flows/migrations/0002_default_flows.py    | 45 +++++++++++++++++--
 .../migrations/0004_auto_20200510_2310.py     | 18 ++++++++
 passbook/flows/models.py                      |  1 +
 passbook/flows/urls.py                        |  5 +++
 .../templates/oauth2_provider/authorize.html  |  2 +-
 .../templates/oidc_provider/authorize.html    |  2 +-
 .../templates/saml/idp/autosubmit_form.html   |  2 +-
 .../saml/templates/saml/idp/login.html        |  2 +-
 passbook/root/urls.py                         |  3 ++
 13 files changed, 75 insertions(+), 77 deletions(-)
 delete mode 100644 passbook/core/tests/test_views_authentication.py
 delete mode 100644 passbook/core/views/authentication.py
 create mode 100644 passbook/flows/migrations/0004_auto_20200510_2310.py

diff --git a/passbook/core/templates/base/page.html b/passbook/core/templates/base/page.html
index 3d6b6702d..27a793e28 100644
--- a/passbook/core/templates/base/page.html
+++ b/passbook/core/templates/base/page.html
@@ -40,7 +40,7 @@
         </div>
         <div class="pf-c-page__header-tools">
             <div class="pf-c-page__header-tools-group pf-m-icons">
-                <a href="{% url 'passbook_core:auth-logout' %}" class="pf-c-button pf-m-plain" type="button">
+                <a href="{% url 'passbook_flows:default-invalidation' %}" class="pf-c-button pf-m-plain" type="button">
                     <i class="fas fa-sign-out-alt" aria-hidden="true"></i>
                 </a>
             </div>
diff --git a/passbook/core/tests/test_views_authentication.py b/passbook/core/tests/test_views_authentication.py
deleted file mode 100644
index 8cc9f1769..000000000
--- a/passbook/core/tests/test_views_authentication.py
+++ /dev/null
@@ -1,45 +0,0 @@
-"""passbook Core Account Test"""
-import string
-from random import SystemRandom
-
-from django.test import TestCase
-from django.urls import reverse
-
-from passbook.core.models import User
-
-
-class TestAuthenticationViews(TestCase):
-    """passbook Core Account Test"""
-
-    def setUp(self):
-        super().setUp()
-        self.sign_up_data = {
-            "name": "Test",
-            "username": "beryjuorg",
-            "email": "unittest@passbook.beryju.org",
-            "password": "B3ryju0rg!",
-            "password_repeat": "B3ryju0rg!",
-        }
-        self.login_data = {
-            "uid_field": "unittest@example.com",
-        }
-        self.user = User.objects.create_superuser(
-            username="unittest user",
-            email="unittest@example.com",
-            password="".join(
-                SystemRandom().choice(string.ascii_uppercase + string.digits)
-                for _ in range(8)
-            ),
-        )
-
-    def test_logout_view(self):
-        """Test account.logout view"""
-        self.client.force_login(self.user)
-        response = self.client.get(reverse("passbook_core:auth-logout"))
-        self.assertEqual(response.status_code, 302)
-
-    def test_sign_up_view_auth(self):
-        """Test account.sign_up view (Authenticated)"""
-        self.client.force_login(self.user)
-        response = self.client.get(reverse("passbook_core:auth-logout"))
-        self.assertEqual(response.status_code, 302)
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index de000d3a0..b4d7bd5fa 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -1,11 +1,9 @@
 """passbook URL Configuration"""
 from django.urls import path
 
-from passbook.core.views import authentication, overview, user
+from passbook.core.views import overview, user
 
 urlpatterns = [
-    # Authentication views
-    path("auth/logout/", authentication.LogoutView.as_view(), name="auth-logout"),
     # User views
     path("-/user/", user.UserSettingsView.as_view(), name="user-settings"),
     path("-/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
diff --git a/passbook/core/views/authentication.py b/passbook/core/views/authentication.py
deleted file mode 100644
index dea3ab1b4..000000000
--- a/passbook/core/views/authentication.py
+++ /dev/null
@@ -1,21 +0,0 @@
-"""passbook core authentication views"""
-from django.contrib import messages
-from django.contrib.auth import logout
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import HttpRequest, HttpResponse
-from django.shortcuts import redirect, reverse
-from django.utils.translation import ugettext as _
-from django.views import View
-from structlog import get_logger
-
-LOGGER = get_logger()
-
-
-class LogoutView(LoginRequiredMixin, View):
-    """Log current user out"""
-
-    def dispatch(self, request: HttpRequest) -> HttpResponse:
-        """Log current user out"""
-        logout(request)
-        messages.success(request, _("You've successfully been logged out."))
-        return redirect(reverse("passbook_flows:default-auth"))
diff --git a/passbook/flows/migrations/0002_default_flows.py b/passbook/flows/migrations/0002_default_flows.py
index 160c97544..e146b2532 100644
--- a/passbook/flows/migrations/0002_default_flows.py
+++ b/passbook/flows/migrations/0002_default_flows.py
@@ -8,7 +8,9 @@ from passbook.flows.models import FlowDesignation
 from passbook.stages.identification.models import Templates, UserFields
 
 
-def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def create_default_authentication_flow(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
     Flow = apps.get_model("passbook_flows", "Flow")
     FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
     PasswordStage = apps.get_model("passbook_stages_password", "PasswordStage")
@@ -18,7 +20,11 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     )
     db_alias = schema_editor.connection.alias
 
-    if Flow.objects.using(db_alias).all().exists():
+    if (
+        Flow.objects.using(db_alias)
+        .filter(designation=FlowDesignation.AUTHENTICATION)
+        .exists()
+    ):
         # Only create default flow when none exist
         return
 
@@ -53,13 +59,46 @@ def create_default_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     )
 
 
+def create_default_invalidation_flow(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
+    Flow = apps.get_model("passbook_flows", "Flow")
+    FlowStageBinding = apps.get_model("passbook_flows", "FlowStageBinding")
+    UserLogoutStage = apps.get_model("passbook_stages_user_logout", "UserLogoutStage")
+    db_alias = schema_editor.connection.alias
+
+    if (
+        Flow.objects.using(db_alias)
+        .filter(designation=FlowDesignation.INVALIDATION)
+        .exists()
+    ):
+        # Only create default flow when none exist
+        return
+
+    if not UserLogoutStage.objects.using(db_alias).exists():
+        UserLogoutStage.objects.using(db_alias).create(name="authentication")
+
+    flow = Flow.objects.using(db_alias).create(
+        name="default-invalidation-flow",
+        slug="default-invalidation-flow",
+        designation=FlowDesignation.INVALIDATION,
+    )
+    FlowStageBinding.objects.using(db_alias).create(
+        flow=flow, stage=UserLogoutStage.objects.using(db_alias).first(), order=0,
+    )
+
+
 class Migration(migrations.Migration):
 
     dependencies = [
         ("passbook_flows", "0001_initial"),
         ("passbook_stages_user_login", "0001_initial"),
+        ("passbook_stages_user_logout", "0001_initial"),
         ("passbook_stages_password", "0001_initial"),
         ("passbook_stages_identification", "0001_initial"),
     ]
 
-    operations = [migrations.RunPython(create_default_flow)]
+    operations = [
+        migrations.RunPython(create_default_authentication_flow),
+        migrations.RunPython(create_default_invalidation_flow),
+    ]
diff --git a/passbook/flows/migrations/0004_auto_20200510_2310.py b/passbook/flows/migrations/0004_auto_20200510_2310.py
new file mode 100644
index 000000000..9b013bb5e
--- /dev/null
+++ b/passbook/flows/migrations/0004_auto_20200510_2310.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.0.5 on 2020-05-10 23:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_flows', '0003_auto_20200509_1258'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='flow',
+            name='designation',
+            field=models.CharField(choices=[('authentication', 'Authentication'), ('enrollment', 'Enrollment'), ('recovery', 'Recovery'), ('password_change', 'Password Change'), ('invalidation', 'Invalidation')], max_length=100),
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index d24df11f5..c82ab6e19 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -18,6 +18,7 @@ class FlowDesignation(models.TextChoices):
     ENROLLMENT = "enrollment"
     RECOVERY = "recovery"
     PASSWORD_CHANGE = "password_change"  # nosec # noqa
+    INVALIDATION = "invalidation"
 
 
 class Stage(UUIDModel):
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 48a1659ff..44b7cde00 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -15,6 +15,11 @@ urlpatterns = [
         ToDefaultFlow.as_view(designation=FlowDesignation.AUTHENTICATION),
         name="default-auth",
     ),
+    path(
+        "-/default/invalidation/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.INVALIDATION),
+        name="default-invalidation",
+    ),
     path(
         "-/default/recovery/",
         ToDefaultFlow.as_view(designation=FlowDesignation.RECOVERY),
diff --git a/passbook/providers/oauth/templates/oauth2_provider/authorize.html b/passbook/providers/oauth/templates/oauth2_provider/authorize.html
index f9ca84bf8..b80a05ea8 100644
--- a/passbook/providers/oauth/templates/oauth2_provider/authorize.html
+++ b/passbook/providers/oauth/templates/oauth2_provider/authorize.html
@@ -37,7 +37,7 @@
                 {% blocktrans with user=user %}
                 You are logged in as {{ user }}. Not you?
                 {% endblocktrans %}
-                <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
+                <a href="{% url 'passbook_flows:default-invalidation' %}">{% trans 'Logout' %}</a>
             </p>
         </div>
         <div class="pf-c-form__group pf-m-action">
diff --git a/passbook/providers/oidc/templates/oidc_provider/authorize.html b/passbook/providers/oidc/templates/oidc_provider/authorize.html
index 6438d8a92..5a1fa1780 100644
--- a/passbook/providers/oidc/templates/oidc_provider/authorize.html
+++ b/passbook/providers/oidc/templates/oidc_provider/authorize.html
@@ -38,7 +38,7 @@
                 {% blocktrans with user=user %}
                 You are logged in as {{ user }}. Not you?
                 {% endblocktrans %}
-                <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Logout' %}</a>
+                <a href="{% url 'passbook_flows:default-invalidation' %}">{% trans 'Logout' %}</a>
             </p>
         </div>
         <div class="pf-c-form__group pf-m-action">
diff --git a/passbook/providers/saml/templates/saml/idp/autosubmit_form.html b/passbook/providers/saml/templates/saml/idp/autosubmit_form.html
index 54a198770..b43f243db 100644
--- a/passbook/providers/saml/templates/saml/idp/autosubmit_form.html
+++ b/passbook/providers/saml/templates/saml/idp/autosubmit_form.html
@@ -18,7 +18,7 @@
             {% blocktrans with user=user %}
             You are logged in as {{ user }}.
             {% endblocktrans %}
-            <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Not you?' %}</a>
+            <a href="{% url 'passbook_flows:default-invalidation' %}">{% trans 'Not you?' %}</a>
         </p>
         <input class="btn btn-primary btn-block btn-lg" type="submit" value="{% trans 'Continue' %}" />
     </div>
diff --git a/passbook/providers/saml/templates/saml/idp/login.html b/passbook/providers/saml/templates/saml/idp/login.html
index 1126d5bda..d4257cab7 100644
--- a/passbook/providers/saml/templates/saml/idp/login.html
+++ b/passbook/providers/saml/templates/saml/idp/login.html
@@ -16,7 +16,7 @@
             {% blocktrans with user=user %}
             You are logged in as {{ user }}.
             {% endblocktrans %}
-            <a href="{% url 'passbook_core:auth-logout' %}">{% trans 'Not you?' %}</a>
+            <a href="{% url 'passbook_flows:default-invalidation' %}">{% trans 'Not you?' %}</a>
         </p>
     </div>
     <div class="pf-c-form__group pf-m-action">
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index 73adb5531..a418d097c 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -12,6 +12,9 @@ from passbook.root.monitoring import MetricsView
 LOGGER = get_logger()
 admin.autodiscover()
 admin.site.login = RedirectView.as_view(pattern_name="passbook_flows:default-auth")
+admin.site.logout = RedirectView.as_view(
+    pattern_name="passbook_flows:default-invalidate"
+)
 
 handler400 = error.BadRequestView.as_view()
 handler403 = error.ForbiddenView.as_view()

From 10cb412532ea878f0d8cb3b9c32ef2e9108d463b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 09:08:15 +0200
Subject: [PATCH 56/80] flows: fix linting of migrations

---
 .../flows/migrations/0004_auto_20200510_2310.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/passbook/flows/migrations/0004_auto_20200510_2310.py b/passbook/flows/migrations/0004_auto_20200510_2310.py
index 9b013bb5e..61a3cac3a 100644
--- a/passbook/flows/migrations/0004_auto_20200510_2310.py
+++ b/passbook/flows/migrations/0004_auto_20200510_2310.py
@@ -6,13 +6,22 @@ from django.db import migrations, models
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('passbook_flows', '0003_auto_20200509_1258'),
+        ("passbook_flows", "0003_auto_20200509_1258"),
     ]
 
     operations = [
         migrations.AlterField(
-            model_name='flow',
-            name='designation',
-            field=models.CharField(choices=[('authentication', 'Authentication'), ('enrollment', 'Enrollment'), ('recovery', 'Recovery'), ('password_change', 'Password Change'), ('invalidation', 'Invalidation')], max_length=100),
+            model_name="flow",
+            name="designation",
+            field=models.CharField(
+                choices=[
+                    ("authentication", "Authentication"),
+                    ("enrollment", "Enrollment"),
+                    ("recovery", "Recovery"),
+                    ("password_change", "Password Change"),
+                    ("invalidation", "Invalidation"),
+                ],
+                max_length=100,
+            ),
         ),
     ]

From 6fd19c0a379ae04f83ccecba1dc05cb5efbe29b8 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 11:39:58 +0200
Subject: [PATCH 57/80] flows: add caching of plan, add planner unittests

---
 passbook/flows/planner.py            | 25 +++++++--
 passbook/flows/tests/__init__.py     |  0
 passbook/flows/tests/test_planner.py | 82 ++++++++++++++++++++++++++++
 3 files changed, 103 insertions(+), 4 deletions(-)
 create mode 100644 passbook/flows/tests/__init__.py
 create mode 100644 passbook/flows/tests/test_planner.py

diff --git a/passbook/flows/planner.py b/passbook/flows/planner.py
index 5ed272888..a2e654bf7 100644
--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -1,11 +1,13 @@
 """Flows Planner"""
 from dataclasses import dataclass, field
 from time import time
-from typing import Any, Dict, List, Tuple
+from typing import Any, Dict, List, Optional, Tuple
 
+from django.core.cache import cache
 from django.http import HttpRequest
 from structlog import get_logger
 
+from passbook.core.models import User
 from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from passbook.flows.models import Flow, Stage
 from passbook.policies.engine import PolicyEngine
@@ -16,6 +18,14 @@ PLAN_CONTEXT_PENDING_USER = "pending_user"
 PLAN_CONTEXT_SSO = "is_sso"
 
 
+def cache_key(flow: Flow, user: Optional[User] = None) -> str:
+    """Generate Cache key for flow"""
+    prefix = f"flow_{flow.pk}"
+    if user:
+        prefix += f"#{user.pk}"
+    return prefix
+
+
 @dataclass
 class FlowPlan:
     """This data-class is the output of a FlowPlanner. It holds a flat list
@@ -34,9 +44,11 @@ class FlowPlanner:
     """Execute all policies to plan out a flat list of all Stages
     that should be applied."""
 
+    use_cache: bool
     flow: Flow
 
     def __init__(self, flow: Flow):
+        self.use_cache = True
         self.flow = flow
 
     def _check_flow_root_policies(self, request: HttpRequest) -> Tuple[bool, List[str]]:
@@ -48,13 +60,17 @@ class FlowPlanner:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
         LOGGER.debug("f(plan): Starting planning process", flow=self.flow)
-        start_time = time()
-        plan = FlowPlan(flow_pk=self.flow.pk.hex)
         # First off, check the flow's direct policy bindings
         # to make sure the user even has access to the flow
         root_passing, root_passing_messages = self._check_flow_root_policies(request)
         if not root_passing:
             raise FlowNonApplicableException(root_passing_messages)
+        cached_plan = cache.get(cache_key(self.flow, request.user), None)
+        if cached_plan and self.use_cache:
+            LOGGER.debug("f(plan): Taking plan from cache", flow=self.flow)
+            return cached_plan
+        start_time = time()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex)
         # Check Flow policies
         for stage in (
             self.flow.stages.order_by("flowstagebinding__order")
@@ -66,7 +82,7 @@ class FlowPlanner:
             engine.build()
             passing, _ = engine.result
             if passing:
-                LOGGER.debug("f(plan): Stage passing", stage=stage)
+                LOGGER.debug("f(plan): Stage passing", stage=stage, flow=self.flow)
                 plan.stages.append(stage)
         end_time = time()
         LOGGER.debug(
@@ -74,6 +90,7 @@ class FlowPlanner:
             flow=self.flow,
             duration_s=end_time - start_time,
         )
+        cache.set(cache_key(self.flow, request.user), plan)
         if not plan.stages:
             raise EmptyFlowException()
         return plan
diff --git a/passbook/flows/tests/__init__.py b/passbook/flows/tests/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/flows/tests/test_planner.py b/passbook/flows/tests/test_planner.py
new file mode 100644
index 000000000..79c0b6bdb
--- /dev/null
+++ b/passbook/flows/tests/test_planner.py
@@ -0,0 +1,82 @@
+"""flow planner tests"""
+from unittest.mock import MagicMock, patch
+
+from django.shortcuts import reverse
+from django.test import RequestFactory, TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import FlowPlanner
+from passbook.stages.dummy.models import DummyStage
+
+POLICY_RESULT_MOCK = MagicMock(return_value=(False, [""],))
+TIME_NOW_MOCK = MagicMock(return_value=3)
+
+
+class TestFlowPlanner(TestCase):
+    """Test planner logic"""
+
+    def setUp(self):
+        self.request_factory = RequestFactory()
+
+    def test_empty_plan(self):
+        """Test that empty plan raises exception"""
+        flow = Flow.objects.create(
+            name="test-empty",
+            slug="test-empty",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        request = self.request_factory.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        request.user = get_anonymous_user()
+
+        with self.assertRaises(EmptyFlowException):
+            planner = FlowPlanner(flow)
+            planner.plan(request)
+
+    @patch(
+        "passbook.flows.planner.FlowPlanner._check_flow_root_policies",
+        POLICY_RESULT_MOCK,
+    )
+    def test_non_applicable_plan(self):
+        """Test that empty plan raises exception"""
+        flow = Flow.objects.create(
+            name="test-empty",
+            slug="test-empty",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        request = self.request_factory.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        request.user = get_anonymous_user()
+
+        with self.assertRaises(FlowNonApplicableException):
+            planner = FlowPlanner(flow)
+            planner.plan(request)
+
+    @patch("passbook.flows.planner.time", TIME_NOW_MOCK)
+    def test_planner_cache(self):
+        """Test planner cache"""
+        flow = Flow.objects.create(
+            name="test-cache",
+            slug="test-cache",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        FlowStageBinding.objects.create(
+            flow=flow, stage=DummyStage.objects.create(name="dummy"), order=0
+        )
+        request = self.request_factory.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        request.user = get_anonymous_user()
+
+        planner = FlowPlanner(flow)
+        planner.plan(request)
+        self.assertEqual(TIME_NOW_MOCK.call_count, 2)  # Start and end
+        planner = FlowPlanner(flow)
+        planner.plan(request)
+        self.assertEqual(
+            TIME_NOW_MOCK.call_count, 2
+        )  # When taking from cache, time is not measured

From fc9f86cccce4d7c2fb0052633c7ef21aceec6709 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 14:08:04 +0200
Subject: [PATCH 58/80] lib: use TemplateResponse for bad_request_message

---
 passbook/core/tests/test_views_utils.py |  2 +-
 passbook/lib/views.py                   | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/passbook/core/tests/test_views_utils.py b/passbook/core/tests/test_views_utils.py
index 3d0083425..e9c8d6af9 100644
--- a/passbook/core/tests/test_views_utils.py
+++ b/passbook/core/tests/test_views_utils.py
@@ -27,7 +27,7 @@ class TestUtilViews(TestCase):
         request = self.factory.get("something")
         response = LoadingView.as_view(target_url="somestring")(request)
         response.render()
-        self.assertIn("somestring", response.content.decode("utf-8"))
+        self.assertIn("somestring", response.rendered_content)
 
     def test_permission_denied_view(self):
         """Test PermissionDeniedView"""
diff --git a/passbook/lib/views.py b/passbook/lib/views.py
index cb537b826..c816b70fe 100644
--- a/passbook/lib/views.py
+++ b/passbook/lib/views.py
@@ -1,6 +1,7 @@
 """passbook helper views"""
-from django.http import HttpRequest, HttpResponse
-from django.shortcuts import render
+from django.http import HttpRequest
+from django.template.response import TemplateResponse
+from django.utils.translation import gettext_lazy as _
 from django.views.generic import CreateView
 from guardian.shortcuts import assign_perm
 
@@ -25,11 +26,11 @@ class CreateAssignPermView(CreateView):
         return response
 
 
-def bad_request_message(request: HttpRequest, message: str) -> HttpResponse:
+def bad_request_message(request: HttpRequest, message: str) -> TemplateResponse:
     """Return generic error page with message, with status code set to 400"""
-    return render(
+    return TemplateResponse(
         request,
         "error/generic.html",
-        {"message": message, "card_title": "Bad Request",},
+        {"message": message, "card_title": _("Bad Request")},
         status=400,
     )

From 9814d3be0305b2e5f3faf482605ed79e1ba0ac2e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 15:01:14 +0200
Subject: [PATCH 59/80] flows: add Planner and Executor unittests

---
 passbook/flows/tests/test_misc.py         |  24 ++++
 passbook/flows/tests/test_views.py        | 146 ++++++++++++++++++++++
 passbook/flows/tests/test_views_helper.py |  39 ++++++
 passbook/flows/views.py                   |  22 ++--
 passbook/lib/utils/urls.py                |  17 ++-
 passbook/recovery/tests.py                |   4 +-
 6 files changed, 239 insertions(+), 13 deletions(-)
 create mode 100644 passbook/flows/tests/test_misc.py
 create mode 100644 passbook/flows/tests/test_views.py
 create mode 100644 passbook/flows/tests/test_views_helper.py

diff --git a/passbook/flows/tests/test_misc.py b/passbook/flows/tests/test_misc.py
new file mode 100644
index 000000000..2fb773ee1
--- /dev/null
+++ b/passbook/flows/tests/test_misc.py
@@ -0,0 +1,24 @@
+"""miscellaneous flow tests"""
+from django.test import TestCase
+
+from passbook.flows.api import StageSerializer, StageViewSet
+from passbook.flows.models import Stage
+from passbook.stages.dummy.models import DummyStage
+
+
+class TestFlowsMisc(TestCase):
+    """miscellaneous tests"""
+
+    def test_models(self):
+        """Test that ui_user_settings returns none"""
+        self.assertIsNone(Stage().ui_user_settings)
+
+    def test_api_serializer(self):
+        """Test that stage serializer returns the correct type"""
+        obj = DummyStage()
+        self.assertEqual(StageSerializer().get_type(obj), "dummy")
+
+    def test_api_viewset(self):
+        """Test that stage serializer returns the correct type"""
+        dummy = DummyStage.objects.create()
+        self.assertIn(dummy, StageViewSet().get_queryset())
diff --git a/passbook/flows/tests/test_views.py b/passbook/flows/tests/test_views.py
new file mode 100644
index 000000000..081ba0f00
--- /dev/null
+++ b/passbook/flows/tests/test_views.py
@@ -0,0 +1,146 @@
+"""flow views tests"""
+from unittest.mock import MagicMock, patch
+
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.flows.exceptions import EmptyFlowException, FlowNonApplicableException
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import FlowPlan
+from passbook.flows.views import NEXT_ARG_NAME, SESSION_KEY_PLAN
+from passbook.lib.config import CONFIG
+from passbook.stages.dummy.models import DummyStage
+
+POLICY_RESULT_MOCK = MagicMock(return_value=(False, [""],))
+
+
+class TestFlowExecutor(TestCase):
+    """Test views logic"""
+
+    def setUp(self):
+        self.client = Client()
+
+    def test_invalid_domain(self):
+        """Check that an invalid domain triggers the correct message"""
+        flow = Flow.objects.create(
+            name="test-empty",
+            slug="test-empty",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        wrong_domain = CONFIG.y("domain") + "-invalid:8000"
+        response = self.client.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+            HTTP_HOST=wrong_domain,
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("match", response.rendered_content)
+        self.assertIn(CONFIG.y("domain"), response.rendered_content)
+        self.assertIn(wrong_domain.split(":")[0], response.rendered_content)
+
+    def test_existing_plan_diff_flow(self):
+        """Check that a plan for a different flow cancels the current plan"""
+        flow = Flow.objects.create(
+            name="test-existing-plan-diff",
+            slug="test-existing-plan-diff",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        stage = DummyStage.objects.create(name="dummy")
+        plan = FlowPlan(flow_pk=flow.pk.hex + "a", stages=[stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        cancel_mock = MagicMock()
+        with patch("passbook.flows.views.FlowExecutorView.cancel", cancel_mock):
+            response = self.client.get(
+                reverse(
+                    "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+                ),
+            )
+            self.assertEqual(response.status_code, 400)
+            self.assertEqual(cancel_mock.call_count, 1)
+
+    @patch(
+        "passbook.flows.planner.FlowPlanner._check_flow_root_policies",
+        POLICY_RESULT_MOCK,
+    )
+    def test_invalid_non_applicable_flow(self):
+        """Tests that a non-applicable flow returns the correct error message"""
+        flow = Flow.objects.create(
+            name="test-non-applicable",
+            slug="test-non-applicable",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+
+        CONFIG.update_from_dict({"domain": "testserver"})
+        response = self.client.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertInHTML(FlowNonApplicableException.__doc__, response.rendered_content)
+
+    def test_invalid_empty_flow(self):
+        """Tests that an empty flow returns the correct error message"""
+        flow = Flow.objects.create(
+            name="test-empty",
+            slug="test-empty",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+
+        CONFIG.update_from_dict({"domain": "testserver"})
+        response = self.client.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertInHTML(EmptyFlowException.__doc__, response.rendered_content)
+
+    def test_invalid_flow_redirect(self):
+        """Tests that an invalid flow still redirects"""
+        flow = Flow.objects.create(
+            name="test-empty",
+            slug="test-empty",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+
+        CONFIG.update_from_dict({"domain": "testserver"})
+        dest = "/unique-string"
+        response = self.client.get(
+            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug})
+            + f"?{NEXT_ARG_NAME}={dest}"
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, dest)
+
+    def test_multi_stage_flow(self):
+        """Test a full flow with multiple stages"""
+        flow = Flow.objects.create(
+            name="test-full",
+            slug="test-full",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        FlowStageBinding.objects.create(
+            flow=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+        )
+        FlowStageBinding.objects.create(
+            flow=flow, stage=DummyStage.objects.create(name="dummy2"), order=1
+        )
+
+        exec_url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+        )
+        # First Request, start planning, renders form
+        response = self.client.get(exec_url)
+        self.assertEqual(response.status_code, 200)
+        # Check that two stages are in plan
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        self.assertEqual(len(plan.stages), 2)
+        # Second request, submit form, one stage left
+        response = self.client.post(exec_url)
+        # Second request redirects to the same URL
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, exec_url)
+        # Check that two stages are in plan
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        self.assertEqual(len(plan.stages), 1)
diff --git a/passbook/flows/tests/test_views_helper.py b/passbook/flows/tests/test_views_helper.py
new file mode 100644
index 000000000..7336cfc07
--- /dev/null
+++ b/passbook/flows/tests/test_views_helper.py
@@ -0,0 +1,39 @@
+"""flow views tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.flows.models import Flow, FlowDesignation
+from passbook.flows.planner import FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+
+
+class TestHelperView(TestCase):
+    """Test helper views logic"""
+
+    def setUp(self):
+        self.client = Client()
+
+    def test_default_view(self):
+        """Test that ToDefaultFlow returns the expected URL"""
+        flow = Flow.objects.filter(designation=FlowDesignation.INVALIDATION,).first()
+        response = self.client.get(reverse("passbook_flows:default-invalidation"),)
+        expected_url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, expected_url)
+
+    def test_default_view_invalid_plan(self):
+        """Test that ToDefaultFlow returns the expected URL (with an invalid plan)"""
+        flow = Flow.objects.filter(designation=FlowDesignation.INVALIDATION,).first()
+        plan = FlowPlan(flow_pk=flow.pk.hex + "aa", stages=[])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(reverse("passbook_flows:default-invalidation"),)
+        expected_url = reverse(
+            "passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug}
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, expected_url)
diff --git a/passbook/flows/views.py b/passbook/flows/views.py
index d687c8800..43ca4e609 100644
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -12,7 +12,7 @@ from passbook.flows.models import Flow, FlowDesignation, Stage
 from passbook.flows.planner import FlowPlan, FlowPlanner
 from passbook.lib.config import CONFIG
 from passbook.lib.utils.reflection import class_to_path, path_to_class
-from passbook.lib.utils.urls import is_url_absolute, redirect_with_qs
+from passbook.lib.utils.urls import redirect_with_qs
 from passbook.lib.views import bad_request_message
 
 LOGGER = get_logger()
@@ -59,7 +59,8 @@ class FlowExecutorView(View):
         incorrect_domain_message = self._check_config_domain()
         if incorrect_domain_message:
             return incorrect_domain_message
-        return bad_request_message(self.request, str(exc))
+        message = exc.__doc__ if exc.__doc__ else str(exc)
+        return bad_request_message(self.request, message)
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
         # Early check if theres an active Plan for the current session
@@ -128,10 +129,8 @@ class FlowExecutorView(View):
     def _flow_done(self) -> HttpResponse:
         """User Successfully passed all stages"""
         self.cancel()
-        next_param = self.request.GET.get(NEXT_ARG_NAME, None)
-        if next_param and not is_url_absolute(next_param):
-            return redirect(next_param)
-        return redirect_with_qs("passbook_core:overview")
+        next_param = self.request.GET.get(NEXT_ARG_NAME, "passbook_core:overview")
+        return redirect_with_qs(next_param)
 
     def stage_ok(self) -> HttpResponse:
         """Callback called by stages upon successful completion.
@@ -183,9 +182,16 @@ class ToDefaultFlow(View):
     designation: Optional[FlowDesignation] = None
 
     def dispatch(self, request: HttpRequest) -> HttpResponse:
-        if SESSION_KEY_PLAN in self.request.session:
-            del self.request.session[SESSION_KEY_PLAN]
         flow = get_object_or_404(Flow, designation=self.designation)
+        # If user already has a pending plan, clear it so we don't have to later.
+        if SESSION_KEY_PLAN in self.request.session:
+            plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
+            if plan.flow_pk != flow.pk.hex:
+                LOGGER.warning(
+                    "f(def): Found existing plan for other flow, deleteing plan",
+                    flow_slug=flow.slug,
+                )
+                del self.request.session[SESSION_KEY_PLAN]
         # TODO: Get Flow depending on subdomain?
         return redirect_with_qs(
             "passbook_flows:flow-executor", request.GET, flow_slug=flow.slug
diff --git a/passbook/lib/utils/urls.py b/passbook/lib/utils/urls.py
index 30cb25603..29f0e9eaf 100644
--- a/passbook/lib/utils/urls.py
+++ b/passbook/lib/utils/urls.py
@@ -3,7 +3,11 @@ from urllib.parse import urlparse
 
 from django.http import HttpResponse
 from django.shortcuts import redirect, reverse
+from django.urls import NoReverseMatch
 from django.utils.http import urlencode
+from structlog import get_logger
+
+LOGGER = get_logger()
 
 
 def is_url_absolute(url):
@@ -13,7 +17,12 @@ def is_url_absolute(url):
 
 def redirect_with_qs(view: str, get_query_set=None, **kwargs) -> HttpResponse:
     """Wrapper to redirect whilst keeping GET Parameters"""
-    target = reverse(view, kwargs=kwargs)
-    if get_query_set:
-        target += "?" + urlencode(get_query_set.items())
-    return redirect(target)
+    try:
+        target = reverse(view, kwargs=kwargs)
+    except NoReverseMatch:
+        LOGGER.debug("redirect target is not a valid view", view=view)
+        raise
+    else:
+        if get_query_set:
+            target += "?" + urlencode(get_query_set.items())
+        return redirect(target)
diff --git a/passbook/recovery/tests.py b/passbook/recovery/tests.py
index bb2c19b68..3080b176e 100644
--- a/passbook/recovery/tests.py
+++ b/passbook/recovery/tests.py
@@ -6,6 +6,7 @@ from django.shortcuts import reverse
 from django.test import TestCase
 
 from passbook.core.models import Nonce, User
+from passbook.lib.config import CONFIG
 
 
 class TestRecovery(TestCase):
@@ -16,10 +17,11 @@ class TestRecovery(TestCase):
 
     def test_create_key(self):
         """Test creation of a new key"""
+        CONFIG.update_from_dict({"domain": "testserver"})
         out = StringIO()
         self.assertEqual(len(Nonce.objects.all()), 0)
         call_command("create_recovery_key", "1", self.user.username, stdout=out)
-        self.assertIn("https://localhost/recovery/use-nonce/", out.getvalue())
+        self.assertIn("https://testserver/recovery/use-nonce/", out.getvalue())
         self.assertEqual(len(Nonce.objects.all()), 1)
 
     def test_recovery_view(self):

From d49c58f326ef5327749794dbbd5bb99f903bcd3e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 21:27:46 +0200
Subject: [PATCH 60/80] flows: fix linting

---
 passbook/flows/tests/test_views.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/passbook/flows/tests/test_views.py b/passbook/flows/tests/test_views.py
index 081ba0f00..c775eb38c 100644
--- a/passbook/flows/tests/test_views.py
+++ b/passbook/flows/tests/test_views.py
@@ -104,10 +104,8 @@ class TestFlowExecutor(TestCase):
 
         CONFIG.update_from_dict({"domain": "testserver"})
         dest = "/unique-string"
-        response = self.client.get(
-            reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug})
-            + f"?{NEXT_ARG_NAME}={dest}"
-        )
+        url = reverse("passbook_flows:flow-executor", kwargs={"flow_slug": flow.slug})
+        response = self.client.get(url + f"?{NEXT_ARG_NAME}={dest}")
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, dest)
 

From 7500e622f6aa2bceabbad2b4d1ded0ed4b8c7d01 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Mon, 11 May 2020 21:58:02 +0200
Subject: [PATCH 61/80] stages/invitation: start extracting invitation from
 core

---
 passbook/admin/views/invitations.py           | 10 +--
 passbook/admin/views/overview.py              |  3 +-
 passbook/api/v2/urls.py                       |  5 +-
 passbook/core/forms/invitations.py            | 38 ---------
 .../core/migrations/0014_delete_invitation.py | 14 ++++
 passbook/core/models.py                       | 25 ------
 passbook/lib/utils/urls.py                    |  2 +
 passbook/root/settings.py                     |  1 +
 passbook/stages/invitation/__init__.py        |  0
 .../invitation/api.py}                        | 24 +++++-
 passbook/stages/invitation/apps.py            | 10 +++
 passbook/stages/invitation/forms.py           | 33 ++++++++
 .../invitation/migrations/0001_initial.py     | 72 ++++++++++++++++
 ...nstage_continue_flow_without_invitation.py | 21 +++++
 .../stages/invitation/migrations/__init__.py  |  0
 passbook/stages/invitation/models.py          | 50 +++++++++++
 passbook/stages/invitation/stage.py           | 26 ++++++
 passbook/stages/invitation/tests.py           | 83 +++++++++++++++++++
 18 files changed, 344 insertions(+), 73 deletions(-)
 delete mode 100644 passbook/core/forms/invitations.py
 create mode 100644 passbook/core/migrations/0014_delete_invitation.py
 create mode 100644 passbook/stages/invitation/__init__.py
 rename passbook/{core/api/invitations.py => stages/invitation/api.py} (50%)
 create mode 100644 passbook/stages/invitation/apps.py
 create mode 100644 passbook/stages/invitation/forms.py
 create mode 100644 passbook/stages/invitation/migrations/0001_initial.py
 create mode 100644 passbook/stages/invitation/migrations/0002_invitationstage_continue_flow_without_invitation.py
 create mode 100644 passbook/stages/invitation/migrations/__init__.py
 create mode 100644 passbook/stages/invitation/models.py
 create mode 100644 passbook/stages/invitation/stage.py
 create mode 100644 passbook/stages/invitation/tests.py

diff --git a/passbook/admin/views/invitations.py b/passbook/admin/views/invitations.py
index 59383d840..dd00bee83 100644
--- a/passbook/admin/views/invitations.py
+++ b/passbook/admin/views/invitations.py
@@ -11,17 +11,17 @@ from django.utils.translation import ugettext as _
 from django.views.generic import DeleteView, ListView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
-from passbook.core.forms.invitations import InvitationForm
-from passbook.core.models import Invitation
 from passbook.core.signals import invitation_created
 from passbook.lib.views import CreateAssignPermView
+from passbook.stages.invitation.forms import InvitationForm
+from passbook.stages.invitation.models import Invitation
 
 
 class InvitationListView(LoginRequiredMixin, PermissionListMixin, ListView):
     """Show list of all invitations"""
 
     model = Invitation
-    permission_required = "passbook_core.view_invitation"
+    permission_required = "passbook_stages_invitation.view_invitation"
     template_name = "administration/invitation/list.html"
     paginate_by = 10
     ordering = "-expires"
@@ -37,7 +37,7 @@ class InvitationCreateView(
 
     model = Invitation
     form_class = InvitationForm
-    permission_required = "passbook_core.add_invitation"
+    permission_required = "passbook_stages_invitation.add_invitation"
 
     template_name = "generic/create.html"
     success_url = reverse_lazy("passbook_admin:invitations")
@@ -61,7 +61,7 @@ class InvitationDeleteView(
     """Delete invitation"""
 
     model = Invitation
-    permission_required = "passbook_core.delete_invitation"
+    permission_required = "passbook_stages_invitation.delete_invitation"
 
     template_name = "generic/delete.html"
     success_url = reverse_lazy("passbook_admin:invitations")
diff --git a/passbook/admin/views/overview.py b/passbook/admin/views/overview.py
index c263007dc..41b1ffaa4 100644
--- a/passbook/admin/views/overview.py
+++ b/passbook/admin/views/overview.py
@@ -5,9 +5,10 @@ from django.views.generic import TemplateView
 
 from passbook import __version__
 from passbook.admin.mixins import AdminRequiredMixin
-from passbook.core.models import Application, Invitation, Policy, Provider, Source, User
+from passbook.core.models import Application, Policy, Provider, Source, User
 from passbook.flows.models import Flow, Stage
 from passbook.root.celery import CELERY_APP
+from passbook.stages.invitation.models import Invitation
 
 
 class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 84dc92d77..402f5eddb 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -11,7 +11,6 @@ from passbook.api.permissions import CustomObjectPermissions
 from passbook.audit.api import EventViewSet
 from passbook.core.api.applications import ApplicationViewSet
 from passbook.core.api.groups import GroupViewSet
-from passbook.core.api.invitations import InvitationViewSet
 from passbook.core.api.policies import PolicyViewSet
 from passbook.core.api.propertymappings import PropertyMappingViewSet
 from passbook.core.api.providers import ProviderViewSet
@@ -34,6 +33,7 @@ from passbook.sources.oauth.api import OAuthSourceViewSet
 from passbook.stages.captcha.api import CaptchaStageViewSet
 from passbook.stages.email.api import EmailStageViewSet
 from passbook.stages.identification.api import IdentificationStageViewSet
+from passbook.stages.invitation.api import InvitationStageViewSet, InvitationViewSet
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
@@ -51,7 +51,6 @@ for _passbook_app in get_apps():
         LOGGER.debug("Mounted API URLs", app_name=_passbook_app.name)
 
 router.register("core/applications", ApplicationViewSet)
-router.register("core/invitations", InvitationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
 
@@ -83,6 +82,8 @@ router.register("stages/all", StageViewSet)
 router.register("stages/captcha", CaptchaStageViewSet)
 router.register("stages/email", EmailStageViewSet)
 router.register("stages/identification", IdentificationStageViewSet)
+router.register("stages/invitation", InvitationStageViewSet)
+router.register("stages/invitation/invitations", InvitationViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/prompt", PromptStageViewSet)
diff --git a/passbook/core/forms/invitations.py b/passbook/core/forms/invitations.py
deleted file mode 100644
index be64ce302..000000000
--- a/passbook/core/forms/invitations.py
+++ /dev/null
@@ -1,38 +0,0 @@
-"""passbook core invitation form"""
-
-from django import forms
-from django.core.exceptions import ValidationError
-from django.utils.translation import gettext as _
-
-from passbook.core.models import Invitation, User
-
-
-class InvitationForm(forms.ModelForm):
-    """InvitationForm"""
-
-    def clean_fixed_username(self):
-        """Check if username is already used"""
-        username = self.cleaned_data.get("fixed_username")
-        if User.objects.filter(username=username).exists():
-            raise ValidationError(_("Username is already in use."))
-        return username
-
-    def clean_fixed_email(self):
-        """Check if email is already used"""
-        email = self.cleaned_data.get("fixed_email")
-        if User.objects.filter(email=email).exists():
-            raise ValidationError(_("E-Mail is already in use."))
-        return email
-
-    class Meta:
-
-        model = Invitation
-        fields = ["expires", "fixed_username", "fixed_email", "needs_confirmation"]
-        labels = {
-            "fixed_username": "Force user's username (optional)",
-            "fixed_email": "Force user's email (optional)",
-        }
-        widgets = {
-            "fixed_username": forms.TextInput(),
-            "fixed_email": forms.TextInput(),
-        }
diff --git a/passbook/core/migrations/0014_delete_invitation.py b/passbook/core/migrations/0014_delete_invitation.py
new file mode 100644
index 000000000..2f3e67b70
--- /dev/null
+++ b/passbook/core/migrations/0014_delete_invitation.py
@@ -0,0 +1,14 @@
+# Generated by Django 3.0.5 on 2020-05-11 19:57
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0013_delete_debugpolicy"),
+    ]
+
+    operations = [
+        migrations.DeleteModel(name="Invitation",),
+    ]
diff --git a/passbook/core/models.py b/passbook/core/models.py
index 4894829fd..6c0a6d5ea 100644
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@@ -8,7 +8,6 @@ from django.contrib.postgres.fields import JSONField
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.http import HttpRequest
-from django.urls import reverse_lazy
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_prometheus.models import ExportModelOperationsMixin
@@ -196,30 +195,6 @@ class Policy(ExportModelOperationsMixin("policy"), UUIDModel, CreatedUpdatedMode
         raise PolicyException()
 
 
-class Invitation(ExportModelOperationsMixin("invitation"), UUIDModel):
-    """Single-use invitation link"""
-
-    created_by = models.ForeignKey("User", on_delete=models.CASCADE)
-    expires = models.DateTimeField(default=None, blank=True, null=True)
-    fixed_username = models.TextField(blank=True, default=None)
-    fixed_email = models.TextField(blank=True, default=None)
-    needs_confirmation = models.BooleanField(default=True)
-
-    @property
-    def link(self):
-        """Get link to use invitation"""
-        qs = f"?invitation={self.uuid.hex}"
-        return reverse_lazy("passbook_flows:default-enrollment") + qs
-
-    def __str__(self):
-        return f"Invitation {self.uuid.hex} created by {self.created_by}"
-
-    class Meta:
-
-        verbose_name = _("Invitation")
-        verbose_name_plural = _("Invitations")
-
-
 class Nonce(ExportModelOperationsMixin("nonce"), UUIDModel):
     """One-time link for password resets/sign-up-confirmations"""
 
diff --git a/passbook/lib/utils/urls.py b/passbook/lib/utils/urls.py
index 29f0e9eaf..450b98485 100644
--- a/passbook/lib/utils/urls.py
+++ b/passbook/lib/utils/urls.py
@@ -20,6 +20,8 @@ def redirect_with_qs(view: str, get_query_set=None, **kwargs) -> HttpResponse:
     try:
         target = reverse(view, kwargs=kwargs)
     except NoReverseMatch:
+        if not is_url_absolute(view):
+            return redirect(view)
         LOGGER.debug("redirect target is not a valid view", view=view)
         raise
     else:
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 7abd08760..cd19685d8 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -108,6 +108,7 @@ INSTALLED_APPS = [
     "passbook.stages.email.apps.PassbookStageEmailConfig",
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
+    "passbook.stages.invitation.apps.PassbookStageUserInvitationConfig",
     "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
     "passbook.stages.user_logout.apps.PassbookStageUserLogoutConfig",
     "passbook.stages.user_write.apps.PassbookStageUserWriteConfig",
diff --git a/passbook/stages/invitation/__init__.py b/passbook/stages/invitation/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/core/api/invitations.py b/passbook/stages/invitation/api.py
similarity index 50%
rename from passbook/core/api/invitations.py
rename to passbook/stages/invitation/api.py
index c6e451f62..c4218db6f 100644
--- a/passbook/core/api/invitations.py
+++ b/passbook/stages/invitation/api.py
@@ -1,8 +1,28 @@
-"""Invitation API Views"""
+"""Invitation Stage API Views"""
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
-from passbook.core.models import Invitation
+from passbook.stages.invitation.models import Invitation, InvitationStage
+
+
+class InvitationStageSerializer(ModelSerializer):
+    """InvitationStage Serializer"""
+
+    class Meta:
+
+        model = InvitationStage
+        fields = [
+            "pk",
+            "name",
+            "continue_flow_without_invitation",
+        ]
+
+
+class InvitationStageViewSet(ModelViewSet):
+    """InvitationStage Viewset"""
+
+    queryset = InvitationStage.objects.all()
+    serializer_class = InvitationStageSerializer
 
 
 class InvitationSerializer(ModelSerializer):
diff --git a/passbook/stages/invitation/apps.py b/passbook/stages/invitation/apps.py
new file mode 100644
index 000000000..0b0eddd0b
--- /dev/null
+++ b/passbook/stages/invitation/apps.py
@@ -0,0 +1,10 @@
+"""passbook invitation stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserInvitationConfig(AppConfig):
+    """passbook invitation stage config"""
+
+    name = "passbook.stages.invitation"
+    label = "passbook_stages_invitation"
+    verbose_name = "passbook Stages.User Invitation"
diff --git a/passbook/stages/invitation/forms.py b/passbook/stages/invitation/forms.py
new file mode 100644
index 000000000..a6a34d17e
--- /dev/null
+++ b/passbook/stages/invitation/forms.py
@@ -0,0 +1,33 @@
+"""passbook flows invitation forms"""
+from django import forms
+from django.utils.translation import gettext as _
+
+from passbook.stages.invitation.models import Invitation, InvitationStage
+
+
+class InvitationStageForm(forms.ModelForm):
+    """Form to create/edit InvitationStage instances"""
+
+    class Meta:
+
+        model = InvitationStage
+        fields = ["name", "continue_flow_without_invitation"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
+
+
+class InvitationForm(forms.ModelForm):
+    """InvitationForm"""
+
+    class Meta:
+
+        model = Invitation
+        fields = ["expires", "fixed_data"]
+        labels = {
+            "fixed_data": _("Optional fixed data to enforce on user enrollment."),
+        }
+        widgets = {
+            "fixed_username": forms.TextInput(),
+            "fixed_email": forms.TextInput(),
+        }
diff --git a/passbook/stages/invitation/migrations/0001_initial.py b/passbook/stages/invitation/migrations/0001_initial.py
new file mode 100644
index 000000000..31c10f124
--- /dev/null
+++ b/passbook/stages/invitation/migrations/0001_initial.py
@@ -0,0 +1,72 @@
+# Generated by Django 3.0.5 on 2020-05-11 19:09
+
+import uuid
+
+import django.contrib.postgres.fields.jsonb
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("passbook_flows", "0004_auto_20200510_2310"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="InvitationStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Invitation Stage",
+                "verbose_name_plural": "Invitation Stages",
+            },
+            bases=("passbook_flows.stage",),
+        ),
+        migrations.CreateModel(
+            name="Invitation",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("expires", models.DateTimeField(blank=True, default=None, null=True)),
+                (
+                    "fixed_data",
+                    django.contrib.postgres.fields.jsonb.JSONField(default=dict),
+                ),
+                (
+                    "created_by",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Invitation",
+                "verbose_name_plural": "Invitations",
+            },
+        ),
+    ]
diff --git a/passbook/stages/invitation/migrations/0002_invitationstage_continue_flow_without_invitation.py b/passbook/stages/invitation/migrations/0002_invitationstage_continue_flow_without_invitation.py
new file mode 100644
index 000000000..2772f6c7b
--- /dev/null
+++ b/passbook/stages/invitation/migrations/0002_invitationstage_continue_flow_without_invitation.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.0.5 on 2020-05-11 19:46
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_stages_invitation", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="invitationstage",
+            name="continue_flow_without_invitation",
+            field=models.BooleanField(
+                default=False,
+                help_text="If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given.",
+            ),
+        ),
+    ]
diff --git a/passbook/stages/invitation/migrations/__init__.py b/passbook/stages/invitation/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/invitation/models.py b/passbook/stages/invitation/models.py
new file mode 100644
index 000000000..fed3ee8b0
--- /dev/null
+++ b/passbook/stages/invitation/models.py
@@ -0,0 +1,50 @@
+"""invitation stage models"""
+from django.contrib.postgres.fields import JSONField
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from passbook.core.models import User
+from passbook.flows.models import Stage
+from passbook.lib.models import UUIDModel
+
+
+class InvitationStage(Stage):
+    """Invitation stage, to enroll themselves with enforced parameters"""
+
+    continue_flow_without_invitation = models.BooleanField(
+        default=False,
+        help_text=_(
+            (
+                "If this flag is set, this Stage will jump to the next Stage when "
+                "no Invitation is given. By default this Stage will cancel the "
+                "Flow when no invitation is given."
+            )
+        ),
+    )
+
+    type = "passbook.stages.invitation.stage.InvitationStageView"
+    form = "passbook.stages.invitation.forms.InvitationStageForm"
+
+    def __str__(self):
+        return f"Invitation Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("Invitation Stage")
+        verbose_name_plural = _("Invitation Stages")
+
+
+class Invitation(UUIDModel):
+    """Single-use invitation link"""
+
+    created_by = models.ForeignKey(User, on_delete=models.CASCADE)
+    expires = models.DateTimeField(default=None, blank=True, null=True)
+    fixed_data = JSONField(default=dict)
+
+    def __str__(self):
+        return f"Invitation {self.uuid.hex} created by {self.created_by}"
+
+    class Meta:
+
+        verbose_name = _("Invitation")
+        verbose_name_plural = _("Invitations")
diff --git a/passbook/stages/invitation/stage.py b/passbook/stages/invitation/stage.py
new file mode 100644
index 000000000..e4ca3a5ef
--- /dev/null
+++ b/passbook/stages/invitation/stage.py
@@ -0,0 +1,26 @@
+"""invitation stage logic"""
+from django.http import HttpRequest, HttpResponse
+from django.shortcuts import get_object_or_404
+
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.invitation.models import Invitation, InvitationStage
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+
+INVITATION_TOKEN_KEY = "token"
+
+
+class InvitationStageView(AuthenticationStage):
+    """Finalise Authentication flow by logging the user in"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        stage: InvitationStage = self.executor.current_stage
+        if INVITATION_TOKEN_KEY not in request.GET:
+            # No Invitation was given, raise error or continue
+            if stage.continue_flow_without_invitation:
+                return self.executor.stage_ok()
+            return self.executor.stage_invalid()
+
+        token = request.GET[INVITATION_TOKEN_KEY]
+        invite: Invitation = get_object_or_404(Invitation, pk=token)
+        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = invite.fixed_data
+        return self.executor.stage_ok()
diff --git a/passbook/stages/invitation/tests.py b/passbook/stages/invitation/tests.py
new file mode 100644
index 000000000..59b988d2b
--- /dev/null
+++ b/passbook/stages/invitation/tests.py
@@ -0,0 +1,83 @@
+"""login tests"""
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
+from passbook.stages.user_login.forms import UserLoginStageForm
+from passbook.stages.user_login.models import UserLoginStage
+
+
+class TestUserLoginStage(TestCase):
+    """Login tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.user = User.objects.create(username="unittest", email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-login",
+            slug="test-login",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = UserLoginStage.objects.create(name="login")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_valid_password(self):
+        """Test with a valid pending user and backend"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        plan.context[
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND
+        ] = "django.contrib.auth.backends.ModelBackend"
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))
+
+    def test_without_user(self):
+        """Test a plan without any pending user, resulting in a denied"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_without_backend(self):
+        """Test a plan with pending user, without backend, resulting in a denied"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(UserLoginStageForm(data).is_valid(), True)

From 137e90355bbd1fd447f07a9142baceb4fb1167fc Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 12 May 2020 14:49:47 +0200
Subject: [PATCH 62/80] flows: default-auth -> default-authentication

---
 passbook/admin/views/overview.py                  | 2 +-
 passbook/core/templates/login/form_with_user.html | 2 +-
 passbook/flows/urls.py                            | 4 ++--
 passbook/root/settings.py                         | 2 +-
 passbook/root/urls.py                             | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/passbook/admin/views/overview.py b/passbook/admin/views/overview.py
index 41b1ffaa4..1b1b0a88b 100644
--- a/passbook/admin/views/overview.py
+++ b/passbook/admin/views/overview.py
@@ -20,7 +20,7 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
         """Handle post (clear cache from modal)"""
         if "clear" in self.request.POST:
             cache.clear()
-            return redirect(reverse("passbook_flows:default-auth"))
+            return redirect(reverse("passbook_flows:default-authentication"))
         return self.get(*args, **kwargs)
 
     def get_context_data(self, **kwargs):
diff --git a/passbook/core/templates/login/form_with_user.html b/passbook/core/templates/login/form_with_user.html
index b1ac95753..f1b418b65 100644
--- a/passbook/core/templates/login/form_with_user.html
+++ b/passbook/core/templates/login/form_with_user.html
@@ -37,7 +37,7 @@
             {{ user.username }}
         </div>
         <div class="right">
-            <a href="{% url 'passbook_flows:default-auth' %}">{% trans 'Not you?' %}</a>
+            <a href="{% url 'passbook_flows:default-authentication' %}">{% trans 'Not you?' %}</a>
         </div>
     </div>
 </div>
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 44b7cde00..96d1eb8ed 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -11,9 +11,9 @@ from passbook.flows.views import (
 urlpatterns = [
     path("-/denied/", FlowPermissionDeniedView.as_view(), name="denied"),
     path(
-        "-/default/auth/",
+        "-/default/authentication/",
         ToDefaultFlow.as_view(designation=FlowDesignation.AUTHENTICATION),
-        name="default-auth",
+        name="default-authentication",
     ),
     path(
         "-/default/invalidation/",
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index cd19685d8..25d70f256 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -44,7 +44,7 @@ INTERNAL_IPS = ["127.0.0.1"]
 ALLOWED_HOSTS = ["*"]
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
-LOGIN_URL = "passbook_flows:default-auth"
+LOGIN_URL = "passbook_flows:default-authentication"
 # CSRF_FAILURE_VIEW = 'passbook.core.views.errors.CSRFErrorView.as_view'
 
 # Custom user model
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index a418d097c..67bc4af73 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -11,7 +11,7 @@ from passbook.root.monitoring import MetricsView
 
 LOGGER = get_logger()
 admin.autodiscover()
-admin.site.login = RedirectView.as_view(pattern_name="passbook_flows:default-auth")
+admin.site.login = RedirectView.as_view(pattern_name="passbook_flows:default-authentication")
 admin.site.logout = RedirectView.as_view(
     pattern_name="passbook_flows:default-invalidate"
 )

From e45b33c6c237a8b64c2e7d5703895252e06bf0e1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 12 May 2020 14:50:00 +0200
Subject: [PATCH 63/80] stages/user_delete: add user delete stage, remove view
 from core

---
 passbook/core/templates/user/settings.html    |  2 +-
 passbook/core/tests/test_views_user.py        |  7 --
 passbook/core/urls.py                         |  1 -
 passbook/core/views/user.py                   | 14 ----
 .../migrations/0005_auto_20200512_1158.py     | 18 ++++++
 passbook/flows/models.py                      |  3 +-
 passbook/flows/urls.py                        |  5 ++
 passbook/root/settings.py                     |  1 +
 passbook/stages/user_delete/__init__.py       |  0
 passbook/stages/user_delete/api.py            | 24 +++++++
 passbook/stages/user_delete/apps.py           | 10 +++
 passbook/stages/user_delete/forms.py          | 20 ++++++
 .../user_delete/migrations/0001_initial.py    | 27 ++++++++
 .../stages/user_delete/migrations/__init__.py |  0
 passbook/stages/user_delete/models.py         | 19 ++++++
 passbook/stages/user_delete/stage.py          | 35 ++++++++++
 passbook/stages/user_delete/tests.py          | 64 +++++++++++++++++++
 17 files changed, 226 insertions(+), 24 deletions(-)
 create mode 100644 passbook/flows/migrations/0005_auto_20200512_1158.py
 create mode 100644 passbook/stages/user_delete/__init__.py
 create mode 100644 passbook/stages/user_delete/api.py
 create mode 100644 passbook/stages/user_delete/apps.py
 create mode 100644 passbook/stages/user_delete/forms.py
 create mode 100644 passbook/stages/user_delete/migrations/0001_initial.py
 create mode 100644 passbook/stages/user_delete/migrations/__init__.py
 create mode 100644 passbook/stages/user_delete/models.py
 create mode 100644 passbook/stages/user_delete/stage.py
 create mode 100644 passbook/stages/user_delete/tests.py

diff --git a/passbook/core/templates/user/settings.html b/passbook/core/templates/user/settings.html
index 09c8a2ec5..7c7cb3976 100644
--- a/passbook/core/templates/user/settings.html
+++ b/passbook/core/templates/user/settings.html
@@ -15,7 +15,7 @@
             <div class="pf-c-form__horizontal-group">
                 <div class="pf-c-form__actions">
                     <input class="pf-c-button pf-m-primary" type="submit" value="{% trans 'Update' %}" />
-                    <a class="pf-c-button pf-m-danger" href="{% url 'passbook_core:user-delete' %}?back={{ request.get_full_path }}">{% trans "Delete account" %}</a>
+                    <a class="pf-c-button pf-m-danger" href="{% url 'passbook_flows:default-unenrollment' %}?back={{ request.get_full_path }}">{% trans "Delete account" %}</a>
                 </div>
             </div>
         </div>
diff --git a/passbook/core/tests/test_views_user.py b/passbook/core/tests/test_views_user.py
index 1a49dff3f..ab4a75654 100644
--- a/passbook/core/tests/test_views_user.py
+++ b/passbook/core/tests/test_views_user.py
@@ -29,10 +29,3 @@ class TestUserViews(TestCase):
             self.client.get(reverse("passbook_core:user-settings")).status_code, 200
         )
 
-    def test_user_delete(self):
-        """Test UserDeleteView"""
-        self.assertEqual(
-            self.client.post(reverse("passbook_core:user-delete")).status_code, 302
-        )
-        self.assertEqual(User.objects.filter(username="unittest user").exists(), False)
-        self.setUp()
diff --git a/passbook/core/urls.py b/passbook/core/urls.py
index b4d7bd5fa..df29adde5 100644
--- a/passbook/core/urls.py
+++ b/passbook/core/urls.py
@@ -6,7 +6,6 @@ from passbook.core.views import overview, user
 urlpatterns = [
     # User views
     path("-/user/", user.UserSettingsView.as_view(), name="user-settings"),
-    path("-/user/delete/", user.UserDeleteView.as_view(), name="user-delete"),
     # Overview
     path("", overview.OverviewView.as_view(), name="overview"),
 ]
diff --git a/passbook/core/views/user.py b/passbook/core/views/user.py
index 946819fb9..a6c6e0ada 100644
--- a/passbook/core/views/user.py
+++ b/passbook/core/views/user.py
@@ -22,17 +22,3 @@ class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
 
     def get_object(self):
         return self.request.user
-
-
-class UserDeleteView(LoginRequiredMixin, DeleteView):
-    """Delete user account"""
-
-    template_name = "generic/delete.html"
-
-    def get_object(self):
-        return self.request.user
-
-    def get_success_url(self):
-        messages.success(self.request, _("Successfully deleted user."))
-        logout(self.request)
-        return reverse("passbook_flows:default-auth")
diff --git a/passbook/flows/migrations/0005_auto_20200512_1158.py b/passbook/flows/migrations/0005_auto_20200512_1158.py
new file mode 100644
index 000000000..f6968079b
--- /dev/null
+++ b/passbook/flows/migrations/0005_auto_20200512_1158.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.0.5 on 2020-05-12 11:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_flows', '0004_auto_20200510_2310'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='flow',
+            name='designation',
+            field=models.CharField(choices=[('authentication', 'Authentication'), ('invalidation', 'Invalidation'), ('enrollment', 'Enrollment'), ('unenrollment', 'Unrenollment'), ('recovery', 'Recovery'), ('password_change', 'Password Change')], max_length=100),
+        ),
+    ]
diff --git a/passbook/flows/models.py b/passbook/flows/models.py
index c82ab6e19..11735de39 100644
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -15,10 +15,11 @@ class FlowDesignation(models.TextChoices):
     should be replaced by a database entry."""
 
     AUTHENTICATION = "authentication"
+    INVALIDATION = "invalidation"
     ENROLLMENT = "enrollment"
+    UNRENOLLMENT = "unenrollment"
     RECOVERY = "recovery"
     PASSWORD_CHANGE = "password_change"  # nosec # noqa
-    INVALIDATION = "invalidation"
 
 
 class Stage(UUIDModel):
diff --git a/passbook/flows/urls.py b/passbook/flows/urls.py
index 96d1eb8ed..ea7072792 100644
--- a/passbook/flows/urls.py
+++ b/passbook/flows/urls.py
@@ -30,6 +30,11 @@ urlpatterns = [
         ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
         name="default-enrollment",
     ),
+    path(
+        "-/default/unenrollment/",
+        ToDefaultFlow.as_view(designation=FlowDesignation.UNRENOLLMENT),
+        name="default-unenrollment",
+    ),
     path(
         "-/default/password_change/",
         ToDefaultFlow.as_view(designation=FlowDesignation.PASSWORD_CHANGE),
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index 25d70f256..ae80d333e 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -109,6 +109,7 @@ INSTALLED_APPS = [
     "passbook.stages.prompt.apps.PassbookStagPromptConfig",
     "passbook.stages.identification.apps.PassbookStageIdentificationConfig",
     "passbook.stages.invitation.apps.PassbookStageUserInvitationConfig",
+    "passbook.stages.user_delete.apps.PassbookStageUserDeleteConfig",
     "passbook.stages.user_login.apps.PassbookStageUserLoginConfig",
     "passbook.stages.user_logout.apps.PassbookStageUserLogoutConfig",
     "passbook.stages.user_write.apps.PassbookStageUserWriteConfig",
diff --git a/passbook/stages/user_delete/__init__.py b/passbook/stages/user_delete/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_delete/api.py b/passbook/stages/user_delete/api.py
new file mode 100644
index 000000000..5b2b84942
--- /dev/null
+++ b/passbook/stages/user_delete/api.py
@@ -0,0 +1,24 @@
+"""User Delete Stage API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.stages.user_delete.models import UserDeleteStage
+
+
+class UserDeleteStageSerializer(ModelSerializer):
+    """UserDeleteStage Serializer"""
+
+    class Meta:
+
+        model = UserDeleteStage
+        fields = [
+            "pk",
+            "name",
+        ]
+
+
+class UserDeleteStageViewSet(ModelViewSet):
+    """UserDeleteStage Viewset"""
+
+    queryset = UserDeleteStage.objects.all()
+    serializer_class = UserDeleteStageSerializer
diff --git a/passbook/stages/user_delete/apps.py b/passbook/stages/user_delete/apps.py
new file mode 100644
index 000000000..c9119d295
--- /dev/null
+++ b/passbook/stages/user_delete/apps.py
@@ -0,0 +1,10 @@
+"""passbook delete stage app config"""
+from django.apps import AppConfig
+
+
+class PassbookStageUserDeleteConfig(AppConfig):
+    """passbook delete stage config"""
+
+    name = "passbook.stages.user_delete"
+    label = "passbook_stages_user_delete"
+    verbose_name = "passbook Stages.User Delete"
diff --git a/passbook/stages/user_delete/forms.py b/passbook/stages/user_delete/forms.py
new file mode 100644
index 000000000..c226f1f4f
--- /dev/null
+++ b/passbook/stages/user_delete/forms.py
@@ -0,0 +1,20 @@
+"""passbook flows delete forms"""
+from django import forms
+
+from passbook.stages.user_delete.models import UserDeleteStage
+
+
+class UserDeleteStageForm(forms.ModelForm):
+    """Form to delete/edit UserDeleteStage instances"""
+
+    class Meta:
+
+        model = UserDeleteStage
+        fields = ["name"]
+        widgets = {
+            "name": forms.TextInput(),
+        }
+
+
+class UserDeleteForm(forms.Form):
+    """Confirmation form to ensure user knows they are deleting their profile"""
diff --git a/passbook/stages/user_delete/migrations/0001_initial.py b/passbook/stages/user_delete/migrations/0001_initial.py
new file mode 100644
index 000000000..ca80b5565
--- /dev/null
+++ b/passbook/stages/user_delete/migrations/0001_initial.py
@@ -0,0 +1,27 @@
+# Generated by Django 3.0.5 on 2020-05-12 11:59
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('passbook_flows', '0005_auto_20200512_1158'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserDeleteStage',
+            fields=[
+                ('stage_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_flows.Stage')),
+            ],
+            options={
+                'verbose_name': 'User Delete Stage',
+                'verbose_name_plural': 'User Delete Stages',
+            },
+            bases=('passbook_flows.stage',),
+        ),
+    ]
diff --git a/passbook/stages/user_delete/migrations/__init__.py b/passbook/stages/user_delete/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/passbook/stages/user_delete/models.py b/passbook/stages/user_delete/models.py
new file mode 100644
index 000000000..f7ad5a520
--- /dev/null
+++ b/passbook/stages/user_delete/models.py
@@ -0,0 +1,19 @@
+"""delete stage models"""
+from django.utils.translation import gettext_lazy as _
+
+from passbook.flows.models import Stage
+
+
+class UserDeleteStage(Stage):
+    """Delete stage, delete a user from saved data."""
+
+    type = "passbook.stages.user_delete.stage.UserDeleteStageView"
+    form = "passbook.stages.user_delete.forms.UserDeleteStageForm"
+
+    def __str__(self):
+        return f"User Delete Stage {self.name}"
+
+    class Meta:
+
+        verbose_name = _("User Delete Stage")
+        verbose_name_plural = _("User Delete Stages")
diff --git a/passbook/stages/user_delete/stage.py b/passbook/stages/user_delete/stage.py
new file mode 100644
index 000000000..4c4d02fa1
--- /dev/null
+++ b/passbook/stages/user_delete/stage.py
@@ -0,0 +1,35 @@
+"""Delete stage logic"""
+from django.contrib import messages
+from django.contrib.auth.backends import ModelBackend
+from django.http import HttpRequest, HttpResponse
+from django.utils.translation import gettext as _
+from structlog import get_logger
+
+from django.views.generic import FormView
+from passbook.core.models import User
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
+from passbook.flows.stage import AuthenticationStage
+from passbook.stages.user_delete.forms import UserDeleteForm
+
+LOGGER = get_logger()
+
+
+class UserDeleteStageView(FormView, AuthenticationStage):
+    """Finalise Enrollment flow by creating a user object."""
+
+    form_class = UserDeleteForm
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
+            message = _("No Pending User.")
+            messages.error(request, message)
+            LOGGER.debug(message)
+            return self.executor.stage_invalid()
+        return super().get(request)
+
+    def form_valid(self, form: UserDeleteForm) -> HttpResponse:
+        user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        user.delete()
+        LOGGER.debug("Deleted user", user=user)
+        del self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        return self.executor.stage_ok()
diff --git a/passbook/stages/user_delete/tests.py b/passbook/stages/user_delete/tests.py
new file mode 100644
index 000000000..040da90b0
--- /dev/null
+++ b/passbook/stages/user_delete/tests.py
@@ -0,0 +1,64 @@
+"""delete tests"""
+import string
+from random import SystemRandom
+
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+from passbook.core.models import User
+from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from passbook.stages.user_delete.forms import UserDeleteStageForm
+from passbook.stages.user_delete.models import UserDeleteStage
+
+
+class TestUserDeleteStage(TestCase):
+    """Delete tests"""
+
+    def setUp(self):
+        super().setUp()
+        self.username = 'qerqwerqrwqwerwq'
+        self.user = User.objects.create(username=self.username, email="test@beryju.org")
+        self.client = Client()
+
+        self.flow = Flow.objects.create(
+            name="test-delete",
+            slug="test-delete",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        self.stage = UserDeleteStage.objects.create(name="delete")
+        FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
+
+    def test_user_delete_get(self):
+        """Test Form render"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_delete_post(self):
+        """Test User delete (actual)"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.post(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            ),
+            {}
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertFalse(User.objects.filter(username=self.username).exists())

From 57fed2b92b4cbd20819e34756d5a293de912d510 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 12 May 2020 15:21:53 +0200
Subject: [PATCH 64/80] stages/user_delete: fix formatting

---
 passbook/core/tests/test_views_user.py        |  1 -
 passbook/core/views/user.py                   |  5 +---
 .../migrations/0005_auto_20200512_1158.py     | 18 ++++++++++----
 passbook/root/urls.py                         |  4 +++-
 .../user_delete/migrations/0001_initial.py    | 24 +++++++++++++------
 passbook/stages/user_delete/stage.py          |  3 +--
 passbook/stages/user_delete/tests.py          |  9 ++-----
 7 files changed, 38 insertions(+), 26 deletions(-)

diff --git a/passbook/core/tests/test_views_user.py b/passbook/core/tests/test_views_user.py
index ab4a75654..88e984f85 100644
--- a/passbook/core/tests/test_views_user.py
+++ b/passbook/core/tests/test_views_user.py
@@ -28,4 +28,3 @@ class TestUserViews(TestCase):
         self.assertEqual(
             self.client.get(reverse("passbook_core:user-settings")).status_code, 200
         )
-
diff --git a/passbook/core/views/user.py b/passbook/core/views/user.py
index a6c6e0ada..bb575ee8e 100644
--- a/passbook/core/views/user.py
+++ b/passbook/core/views/user.py
@@ -1,12 +1,9 @@
 """passbook core user views"""
-from django.contrib import messages
-from django.contrib.auth import logout
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
-from django.shortcuts import reverse
 from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
-from django.views.generic import DeleteView, UpdateView
+from django.views.generic import UpdateView
 
 from passbook.core.forms.users import UserDetailForm
 
diff --git a/passbook/flows/migrations/0005_auto_20200512_1158.py b/passbook/flows/migrations/0005_auto_20200512_1158.py
index f6968079b..92998affc 100644
--- a/passbook/flows/migrations/0005_auto_20200512_1158.py
+++ b/passbook/flows/migrations/0005_auto_20200512_1158.py
@@ -6,13 +6,23 @@ from django.db import migrations, models
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('passbook_flows', '0004_auto_20200510_2310'),
+        ("passbook_flows", "0004_auto_20200510_2310"),
     ]
 
     operations = [
         migrations.AlterField(
-            model_name='flow',
-            name='designation',
-            field=models.CharField(choices=[('authentication', 'Authentication'), ('invalidation', 'Invalidation'), ('enrollment', 'Enrollment'), ('unenrollment', 'Unrenollment'), ('recovery', 'Recovery'), ('password_change', 'Password Change')], max_length=100),
+            model_name="flow",
+            name="designation",
+            field=models.CharField(
+                choices=[
+                    ("authentication", "Authentication"),
+                    ("invalidation", "Invalidation"),
+                    ("enrollment", "Enrollment"),
+                    ("unenrollment", "Unrenollment"),
+                    ("recovery", "Recovery"),
+                    ("password_change", "Password Change"),
+                ],
+                max_length=100,
+            ),
         ),
     ]
diff --git a/passbook/root/urls.py b/passbook/root/urls.py
index 67bc4af73..17eee10c0 100644
--- a/passbook/root/urls.py
+++ b/passbook/root/urls.py
@@ -11,7 +11,9 @@ from passbook.root.monitoring import MetricsView
 
 LOGGER = get_logger()
 admin.autodiscover()
-admin.site.login = RedirectView.as_view(pattern_name="passbook_flows:default-authentication")
+admin.site.login = RedirectView.as_view(
+    pattern_name="passbook_flows:default-authentication"
+)
 admin.site.logout = RedirectView.as_view(
     pattern_name="passbook_flows:default-invalidate"
 )
diff --git a/passbook/stages/user_delete/migrations/0001_initial.py b/passbook/stages/user_delete/migrations/0001_initial.py
index ca80b5565..f2e361a86 100644
--- a/passbook/stages/user_delete/migrations/0001_initial.py
+++ b/passbook/stages/user_delete/migrations/0001_initial.py
@@ -1,7 +1,7 @@
 # Generated by Django 3.0.5 on 2020-05-12 11:59
 
-from django.db import migrations, models
 import django.db.models.deletion
+from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
@@ -9,19 +9,29 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ('passbook_flows', '0005_auto_20200512_1158'),
+        ("passbook_flows", "0005_auto_20200512_1158"),
     ]
 
     operations = [
         migrations.CreateModel(
-            name='UserDeleteStage',
+            name="UserDeleteStage",
             fields=[
-                ('stage_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_flows.Stage')),
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
             ],
             options={
-                'verbose_name': 'User Delete Stage',
-                'verbose_name_plural': 'User Delete Stages',
+                "verbose_name": "User Delete Stage",
+                "verbose_name_plural": "User Delete Stages",
             },
-            bases=('passbook_flows.stage',),
+            bases=("passbook_flows.stage",),
         ),
     ]
diff --git a/passbook/stages/user_delete/stage.py b/passbook/stages/user_delete/stage.py
index 4c4d02fa1..aeed299ce 100644
--- a/passbook/stages/user_delete/stage.py
+++ b/passbook/stages/user_delete/stage.py
@@ -1,11 +1,10 @@
 """Delete stage logic"""
 from django.contrib import messages
-from django.contrib.auth.backends import ModelBackend
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
+from django.views.generic import FormView
 from structlog import get_logger
 
-from django.views.generic import FormView
 from passbook.core.models import User
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER
 from passbook.flows.stage import AuthenticationStage
diff --git a/passbook/stages/user_delete/tests.py b/passbook/stages/user_delete/tests.py
index 040da90b0..d4aeb2f25 100644
--- a/passbook/stages/user_delete/tests.py
+++ b/passbook/stages/user_delete/tests.py
@@ -1,7 +1,4 @@
 """delete tests"""
-import string
-from random import SystemRandom
-
 from django.shortcuts import reverse
 from django.test import Client, TestCase
 
@@ -9,8 +6,6 @@ from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from passbook.flows.views import SESSION_KEY_PLAN
-from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-from passbook.stages.user_delete.forms import UserDeleteStageForm
 from passbook.stages.user_delete.models import UserDeleteStage
 
 
@@ -19,7 +14,7 @@ class TestUserDeleteStage(TestCase):
 
     def setUp(self):
         super().setUp()
-        self.username = 'qerqwerqrwqwerwq'
+        self.username = "qerqwerqrwqwerwq"
         self.user = User.objects.create(username=self.username, email="test@beryju.org")
         self.client = Client()
 
@@ -58,7 +53,7 @@ class TestUserDeleteStage(TestCase):
             reverse(
                 "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
             ),
-            {}
+            {},
         )
         self.assertEqual(response.status_code, 302)
         self.assertFalse(User.objects.filter(username=self.username).exists())

From c42ed6bc990c019c0bc434da7045fd0d4bcad4e0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 11:57:10 +0200
Subject: [PATCH 65/80] admin: sort types, minor fixups

---
 passbook/admin/views/stages.py                |  3 +-
 passbook/api/v2/urls.py                       |  4 +-
 passbook/core/templates/partials/form.html    |  5 ++
 passbook/core/templates/user/base.html        |  8 +--
 passbook/core/templates/user/settings.html    | 65 ++++++++++++-----
 .../templatetags/passbook_user_settings.py    | 21 +++---
 passbook/flows/api.py                         | 10 ++-
 passbook/flows/forms.py                       | 10 +++
 passbook/root/settings.py                     |  1 +
 .../templates/stages/otp/user_settings.html   | 72 +++++++++----------
 passbook/stages/otp/views.py                  |  2 +-
 11 files changed, 121 insertions(+), 80 deletions(-)

diff --git a/passbook/admin/views/stages.py b/passbook/admin/views/stages.py
index e60d7aa9f..912497332 100644
--- a/passbook/admin/views/stages.py
+++ b/passbook/admin/views/stages.py
@@ -34,7 +34,8 @@ class StageListView(LoginRequiredMixin, PermissionListMixin, ListView):
 
     def get_context_data(self, **kwargs):
         kwargs["types"] = {
-            x.__name__: x._meta.verbose_name for x in all_subclasses(Stage)
+            x.__name__: x._meta.verbose_name
+            for x in sorted(all_subclasses(Stage), key=lambda x: x.__name__)
         }
         return super().get_context_data(**kwargs)
 
diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 402f5eddb..4cf282a98 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -86,13 +86,13 @@ router.register("stages/invitation", InvitationStageViewSet)
 router.register("stages/invitation/invitations", InvitationViewSet)
 router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
-router.register("stages/prompt", PromptStageViewSet)
+router.register("stages/prompt/stages", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
 router.register("stages/user_login", UserLoginStageViewSet)
 router.register("stages/user_logout", UserLogoutStageViewSet)
 router.register("stages/user_write", UserWriteStageViewSet)
 
-router.register("flows", FlowViewSet)
+router.register("flows/instances", FlowViewSet)
 router.register("flows/bindings", FlowStageBindingViewSet)
 
 if settings.DEBUG:
diff --git a/passbook/core/templates/partials/form.html b/passbook/core/templates/partials/form.html
index c7aa7ebe9..77c867889 100644
--- a/passbook/core/templates/partials/form.html
+++ b/passbook/core/templates/partials/form.html
@@ -25,6 +25,11 @@
         <div class="select col-sm-10">
             {{ field }}
         </div>
+        {% if field.help_text %}
+        <span>
+            {{ field.help_text }}
+        </span>
+        {% endif %}
     {% elif field.field.widget|fieldtype == 'CheckboxInput' %}
         <label class="checkbox-label">
             {{ field }} {{ field.label }}
diff --git a/passbook/core/templates/user/base.html b/passbook/core/templates/user/base.html
index f1267358b..36770773b 100644
--- a/passbook/core/templates/user/base.html
+++ b/passbook/core/templates/user/base.html
@@ -57,12 +57,8 @@
 <main role="main" class="pf-c-page__main" tabindex="-1" id="main-content">
     <section class="pf-c-page__main-section">
         <div class="pf-l-split pf-m-gutter">
-            <div class="pf-l-split__item">
-                <div class="pf-c-card">
-                    {% block page %}
-                    {% endblock %}
-                </div>
-            </div>
+            {% block page %}
+            {% endblock %}
         </div>
     </section>
 </main>
diff --git a/passbook/core/templates/user/settings.html b/passbook/core/templates/user/settings.html
index 7c7cb3976..2c36a8e70 100644
--- a/passbook/core/templates/user/settings.html
+++ b/passbook/core/templates/user/settings.html
@@ -3,22 +3,55 @@
 {% load i18n %}
 
 {% block page %}
-<div class="pf-c-card__header pf-c-title pf-m-md">
-    <h1>{% trans 'Update details' %}</h1>
-</div>
-<div class="pf-c-card__body">
-    <form action="" method="post" class="pf-c-form pf-m-horizontal">
-        {% include 'partials/form_horizontal.html' with form=form %}
-        {% block beneath_form %}
-        {% endblock %}
-        <div class="pf-c-form__group pf-m-action">
-            <div class="pf-c-form__horizontal-group">
-                <div class="pf-c-form__actions">
-                    <input class="pf-c-button pf-m-primary" type="submit" value="{% trans 'Update' %}" />
-                    <a class="pf-c-button pf-m-danger" href="{% url 'passbook_flows:default-unenrollment' %}?back={{ request.get_full_path }}">{% trans "Delete account" %}</a>
-                </div>
-            </div>
+<div class="pf-l-split__item">
+    <div class="pf-c-card">
+        <div class="pf-c-card__header pf-c-title pf-m-md">
+            <h1>{% trans 'Update details' %}</h1>
         </div>
-    </form>
+        <div class="pf-c-card__body">
+            <form action="" method="post" class="pf-c-form pf-m-horizontal">
+                {% include 'partials/form_horizontal.html' with form=form %}
+                {% block beneath_form %}
+                {% endblock %}
+                <div class="pf-c-form__group pf-m-action">
+                    <div class="pf-c-form__horizontal-group">
+                        <div class="pf-c-form__actions">
+                            <input class="pf-c-button pf-m-primary" type="submit" value="{% trans 'Update' %}" />
+                            <a class="pf-c-button pf-m-danger" href="{% url 'passbook_flows:default-unenrollment' %}?back={{ request.get_full_path }}">{% trans "Delete account" %}</a>
+                        </div>
+                    </div>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
+<div class="pf-l-split__item">
+    <div class="pf-c-card">
+        <div class="pf-c-card__header pf-c-title pf-m-md">
+            <h1>{% trans 'Sessions' %}</h1>
+        </div>
+        <div class="pf-c-card__body">
+            <table class="pf-c-table pf-m-grid-md" role="grid" aria-label="This is a simple table example" id="table-basic">
+                <thead>
+                    <tr role="row">
+                        <th role="columnheader" scope="col">Repositories</th>
+                        <th role="columnheader" scope="col">Branches</th>
+                        <th role="columnheader" scope="col">Pull requests</th>
+                        <th role="columnheader" scope="col">Workspaces</th>
+                        <th role="columnheader" scope="col">Last commit</th>
+                    </tr>
+                </thead>
+                <tbody role="rowgroup">
+                    <tr role="row">
+                        <td role="cell" data-label="Repository name">Repository 1</td>
+                        <td role="cell" data-label="Branches">10</td>
+                        <td role="cell" data-label="Pull requests">25</td>
+                        <td role="cell" data-label="Workspaces">5</td>
+                        <td role="cell" data-label="Last commit">2 days ago</td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+    </div>
 </div>
 {% endblock %}
diff --git a/passbook/core/templatetags/passbook_user_settings.py b/passbook/core/templatetags/passbook_user_settings.py
index 57cb25711..b00f827f0 100644
--- a/passbook/core/templatetags/passbook_user_settings.py
+++ b/passbook/core/templatetags/passbook_user_settings.py
@@ -6,6 +6,7 @@ from django.template.context import RequestContext
 
 from passbook.core.models import Source
 from passbook.core.types import UIUserSettings
+from passbook.flows.models import Stage
 from passbook.policies.engine import PolicyEngine
 
 register = template.Library()
@@ -15,20 +16,14 @@ register = template.Library()
 # pylint: disable=unused-argument
 def user_stages(context: RequestContext) -> List[UIUserSettings]:
     """Return list of all stages which apply to user"""
-    # TODO: Rewrite this based on flows
-    # user = context.get("request").user
-    # _all_stages: Iterable[Stage] = (Stage.objects.all().select_subclasses())
+    _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses()
     matching_stages: List[UIUserSettings] = []
-    # for stage in _all_stages:
-    #     user_settings = stage.ui_user_settings
-    #     if not user_settings:
-    #         continue
-    #     policy_engine = PolicyEngine(
-    #         stage.policies.all(), user, context.get("request")
-    #     )
-    #     policy_engine.build()
-    #     if policy_engine.passing:
-    #         matching_stages.append(user_settings)
+    for stage in _all_stages:
+        user_settings = stage.ui_user_settings
+        if not user_settings:
+            continue
+        matching_stages.append(user_settings)
+    print(matching_stages)
     return matching_stages
 
 
diff --git a/passbook/flows/api.py b/passbook/flows/api.py
index bfb4bbde2..6b54a6da5 100644
--- a/passbook/flows/api.py
+++ b/passbook/flows/api.py
@@ -35,21 +35,27 @@ class FlowStageBindingViewSet(ModelViewSet):
 
     queryset = FlowStageBinding.objects.all()
     serializer_class = FlowStageBindingSerializer
+    filterset_fields = "__all__"
 
 
 class StageSerializer(ModelSerializer):
     """Stage Serializer"""
 
     __type__ = SerializerMethodField(method_name="get_type")
+    verbose_name = SerializerMethodField(method_name="get_verbose_name")
 
-    def get_type(self, obj):
+    def get_type(self, obj: Stage) -> str:
         """Get object type so that we know which API Endpoint to use to get the full object"""
         return obj._meta.object_name.lower().replace("stage", "")
 
+    def get_verbose_name(self, obj: Stage) -> str:
+        """Get verbose name for UI"""
+        return obj._meta.verbose_name
+
     class Meta:
 
         model = Stage
-        fields = ["pk", "name", "__type__"]
+        fields = ["pk", "name", "__type__", "verbose_name"]
 
 
 class StageViewSet(ReadOnlyModelViewSet):
diff --git a/passbook/flows/forms.py b/passbook/flows/forms.py
index 227679a10..a20d53413 100644
--- a/passbook/flows/forms.py
+++ b/passbook/flows/forms.py
@@ -20,6 +20,16 @@ class FlowForm(forms.ModelForm):
             "stages",
             "policies",
         ]
+        help_texts = {
+            "name": _("Shown as the Title in Flow pages."),
+            "slug": _("Visible in the URL."),
+            "designation": _(
+                (
+                    "Decides what this Flow is used for. For example, the Authentication flow "
+                    "is redirect to when an un-authenticated user visits passbook."
+                )
+            ),
+        }
         widgets = {
             "name": forms.TextInput(),
             "stages": FilteredSelectMultiple(_("stages"), False),
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index ae80d333e..c671f98b4 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -77,6 +77,7 @@ INSTALLED_APPS = [
     "django.contrib.postgres",
     "django.contrib.humanize",
     "rest_framework",
+    "django_filters",
     "drf_yasg",
     "guardian",
     "django_prometheus",
diff --git a/passbook/stages/otp/templates/stages/otp/user_settings.html b/passbook/stages/otp/templates/stages/otp/user_settings.html
index bb5ff5359..7cb86d941 100644
--- a/passbook/stages/otp/templates/stages/otp/user_settings.html
+++ b/passbook/stages/otp/templates/stages/otp/user_settings.html
@@ -4,45 +4,39 @@
 {% load i18n %}
 
 {% block page %}
-<div class="pf-c-card__header pf-c-title pf-m-md">
-    <h1>{% trans "One-Time Passwords" %}</h1>
+<div class="pf-c-card">
+    <div class="pf-c-card__header pf-c-title pf-m-md">
+        {% trans "One-Time Passwords" %}
+    </div>
+    <div class="pf-c-card__body">
+        <p>
+            {% blocktrans with state=state|yesno:"Enabled,Disabled" %}
+            Status: {{ state }}
+            {% endblocktrans %}
+            {% if state %}
+            <i class="pf-icon pf-icon-ok"></i>
+            {% else %}
+            <i class="pf-icon pf-icon-error-circle-o"></i>
+            {% endif %}
+        </p>
+        <p>
+            {% if not state %}
+            <a href="{% url 'passbook_stages_otp:otp-enable' %}" class="btn btn-success btn-sm">{% trans "Enable OTP" %}</a>
+            {% else %}
+            <a href="{% url 'passbook_stages_otp:otp-disable' %}" class="btn btn-danger btn-sm">{% trans "Disable OTP" %}</a>
+            {% endif %}
+        </p>
+    </div>
 </div>
-<div class="pf-c-card__body">
-    <div class="row">
-        <div class="col-md-6">
-            <div class="card-footer">
-                <p>
-                    {% blocktrans with state=state|yesno:"Enabled,Disabled" %}
-                    Status: {{ state }}
-                    {% endblocktrans %}
-                    {% if state %}
-                    <i class="pf-icon pf-icon-ok"></i>
-                    {% else %}
-                    <i class="pf-icon pf-icon-error-circle-o"></i>
-                    {% endif %}
-                </p>
-                <p>
-                    {% if not state %}
-                    <a href="{% url 'passbook_stages_otp:otp-enable' %}"
-                    class="btn btn-success btn-sm">{% trans "Enable OTP" %}</a>
-                    {% else %}
-                    <a href="{% url 'passbook_stages_otp:otp-disable' %}"
-                    class="btn btn-danger btn-sm">{% trans "Disable OTP" %}</a>
-                    {% endif %}
-                </p>
-            </div>
-        </div>
-        <div class="col-md-6">
-            <div class="card">
-                <div class="card-header">
-                    {% trans "Your Backup tokens:" %}
-                </div>
-                <div class="card-block">
-                    <pre>{% for token in static_tokens %}{{ token.token }}
-                        {% empty %}{% trans 'N/A' %}{% endfor %}</pre>
-                    </div>
-                </div>
-            </div>
+
+<div class="pf-c-card">
+    <div class="pf-c-card__header pf-c-title pf-m-md">
+        {% trans "Your Backup tokens:" %}
+    </div>
+    <div class="pf-c-card__body">
+        <pre>{% for token in static_tokens %}{{ token.token }}
+        {% empty %}{% trans 'N/A' %}{% endfor %}</pre>
         </div>
     </div>
-    {% endblock %}
+</div>
+{% endblock %}
diff --git a/passbook/stages/otp/views.py b/passbook/stages/otp/views.py
index 833441318..e933bedec 100644
--- a/passbook/stages/otp/views.py
+++ b/passbook/stages/otp/views.py
@@ -31,7 +31,7 @@ LOGGER = get_logger()
 class UserSettingsView(LoginRequiredMixin, TemplateView):
     """View for user settings to control OTP"""
 
-    template_name = "otp/user_settings.html"
+    template_name = "stages/otp/user_settings.html"
 
     # TODO: Check if OTP Stage exists and applies to user
     def get_context_data(self, **kwargs):

From d5f6714ed746112678dcfe69c5e6288dac61209b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 11:57:19 +0200
Subject: [PATCH 66/80] admin: remove redundant code

---
 passbook/admin/views/property_mapping.py |  9 +--------
 passbook/admin/views/sources.py          |  9 +--------
 passbook/admin/views/stages.py           | 12 ++----------
 passbook/lib/utils/reflection.py         | 12 +++++++++++-
 4 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/passbook/admin/views/property_mapping.py b/passbook/admin/views/property_mapping.py
index d81b933ed..426e06dd4 100644
--- a/passbook/admin/views/property_mapping.py
+++ b/passbook/admin/views/property_mapping.py
@@ -12,17 +12,10 @@ from django.views.generic import DeleteView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.core.models import PropertyMapping
-from passbook.lib.utils.reflection import path_to_class
+from passbook.lib.utils.reflection import all_subclasses, path_to_class
 from passbook.lib.views import CreateAssignPermView
 
 
-def all_subclasses(cls):
-    """Recursively return all subclassess of cls"""
-    return set(cls.__subclasses__()).union(
-        [s for c in cls.__subclasses__() for s in all_subclasses(c)]
-    )
-
-
 class PropertyMappingListView(LoginRequiredMixin, PermissionListMixin, ListView):
     """Show list of all property_mappings"""
 
diff --git a/passbook/admin/views/sources.py b/passbook/admin/views/sources.py
index 68c1bd422..b5d46af2f 100644
--- a/passbook/admin/views/sources.py
+++ b/passbook/admin/views/sources.py
@@ -12,17 +12,10 @@ from django.views.generic import DeleteView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.core.models import Source
-from passbook.lib.utils.reflection import path_to_class
+from passbook.lib.utils.reflection import all_subclasses, path_to_class
 from passbook.lib.views import CreateAssignPermView
 
 
-def all_subclasses(cls):
-    """Recursively return all subclassess of cls"""
-    return set(cls.__subclasses__()).union(
-        [s for c in cls.__subclasses__() for s in all_subclasses(c)]
-    )
-
-
 class SourceListView(LoginRequiredMixin, PermissionListMixin, ListView):
     """Show list of all sources"""
 
diff --git a/passbook/admin/views/stages.py b/passbook/admin/views/stages.py
index 912497332..c2c86d2be 100644
--- a/passbook/admin/views/stages.py
+++ b/passbook/admin/views/stages.py
@@ -12,17 +12,10 @@ from django.views.generic import DeleteView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.flows.models import Stage
-from passbook.lib.utils.reflection import path_to_class
+from passbook.lib.utils.reflection import all_subclasses, path_to_class
 from passbook.lib.views import CreateAssignPermView
 
 
-def all_subclasses(cls):
-    """Recursively return all subclassess of cls"""
-    return set(cls.__subclasses__()).union(
-        [s for c in cls.__subclasses__() for s in all_subclasses(c)]
-    )
-
-
 class StageListView(LoginRequiredMixin, PermissionListMixin, ListView):
     """Show list of all stages"""
 
@@ -34,8 +27,7 @@ class StageListView(LoginRequiredMixin, PermissionListMixin, ListView):
 
     def get_context_data(self, **kwargs):
         kwargs["types"] = {
-            x.__name__: x._meta.verbose_name
-            for x in sorted(all_subclasses(Stage), key=lambda x: x.__name__)
+            x.__name__: x._meta.verbose_name for x in all_subclasses(Stage)
         }
         return super().get_context_data(**kwargs)
 
diff --git a/passbook/lib/utils/reflection.py b/passbook/lib/utils/reflection.py
index 59131efa0..5fc72f948 100644
--- a/passbook/lib/utils/reflection.py
+++ b/passbook/lib/utils/reflection.py
@@ -2,9 +2,19 @@
 from importlib import import_module
 
 
+def all_subclasses(cls, sort=True):
+    """Recursively return all subclassess of cls"""
+    classes = set(cls.__subclasses__()).union(
+        [s for c in cls.__subclasses__() for s in all_subclasses(c, sort=sort)]
+    )
+    if sort:
+        return sorted(classes, key=lambda x: x.__name__)
+    return classes
+
+
 def class_to_path(cls):
     """Turn Class (Class or instance) into module path"""
-    return "%s.%s" % (cls.__module__, cls.__name__)
+    return f"{cls.__module__}.{cls.__name__}"
 
 
 def path_to_class(path):

From 461fed556756abd7f84da0411eea40fa77ac8a7d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 13:45:57 +0200
Subject: [PATCH 67/80] admin: remove more duplicate code

---
 passbook/admin/views/policy.py    | 6 +++---
 passbook/admin/views/providers.py | 8 +++-----
 passbook/stages/invitation/api.py | 4 +---
 passbook/stages/password/api.py   | 1 -
 4 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/passbook/admin/views/policy.py b/passbook/admin/views/policy.py
index 588f3a5cf..7c65c1d5c 100644
--- a/passbook/admin/views/policy.py
+++ b/passbook/admin/views/policy.py
@@ -14,7 +14,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.admin.forms.policies import PolicyTestForm
 from passbook.core.models import Policy
-from passbook.lib.utils.reflection import path_to_class
+from passbook.lib.utils.reflection import all_subclasses, path_to_class
 from passbook.lib.views import CreateAssignPermView
 from passbook.policies.engine import PolicyEngine
 
@@ -30,7 +30,7 @@ class PolicyListView(LoginRequiredMixin, PermissionListMixin, ListView):
 
     def get_context_data(self, **kwargs):
         kwargs["types"] = {
-            x.__name__: x._meta.verbose_name for x in Policy.__subclasses__()
+            x.__name__: x._meta.verbose_name for x in all_subclasses(Policy)
         }
         return super().get_context_data(**kwargs)
 
@@ -62,7 +62,7 @@ class PolicyCreateView(
 
     def get_form_class(self):
         policy_type = self.request.GET.get("type")
-        model = next(x for x in Policy.__subclasses__() if x.__name__ == policy_type)
+        model = next(x for x in all_subclasses(Policy) if x.__name__ == policy_type)
         if not model:
             raise Http404
         return path_to_class(model.form)
diff --git a/passbook/admin/views/providers.py b/passbook/admin/views/providers.py
index 845dfaad0..f0a1d5892 100644
--- a/passbook/admin/views/providers.py
+++ b/passbook/admin/views/providers.py
@@ -12,7 +12,7 @@ from django.views.generic import DeleteView, ListView, UpdateView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 
 from passbook.core.models import Provider
-from passbook.lib.utils.reflection import path_to_class
+from passbook.lib.utils.reflection import all_subclasses, path_to_class
 from passbook.lib.views import CreateAssignPermView
 
 
@@ -27,7 +27,7 @@ class ProviderListView(LoginRequiredMixin, PermissionListMixin, ListView):
 
     def get_context_data(self, **kwargs):
         kwargs["types"] = {
-            x.__name__: x._meta.verbose_name for x in Provider.__subclasses__()
+            x.__name__: x._meta.verbose_name for x in all_subclasses(Provider)
         }
         return super().get_context_data(**kwargs)
 
@@ -52,9 +52,7 @@ class ProviderCreateView(
 
     def get_form_class(self):
         provider_type = self.request.GET.get("type")
-        model = next(
-            x for x in Provider.__subclasses__() if x.__name__ == provider_type
-        )
+        model = next(x for x in all_subclasses(Provider) if x.__name__ == provider_type)
         if not model:
             raise Http404
         return path_to_class(model.form)
diff --git a/passbook/stages/invitation/api.py b/passbook/stages/invitation/api.py
index c4218db6f..33da32b63 100644
--- a/passbook/stages/invitation/api.py
+++ b/passbook/stages/invitation/api.py
@@ -34,9 +34,7 @@ class InvitationSerializer(ModelSerializer):
         fields = [
             "pk",
             "expires",
-            "fixed_username",
-            "fixed_email",
-            "needs_confirmation",
+            "fixed_data",
         ]
 
 
diff --git a/passbook/stages/password/api.py b/passbook/stages/password/api.py
index 48e1c5191..6b8f28703 100644
--- a/passbook/stages/password/api.py
+++ b/passbook/stages/password/api.py
@@ -15,7 +15,6 @@ class PasswordStageSerializer(ModelSerializer):
             "pk",
             "name",
             "backends",
-            "password_policies",
         ]
 
 

From 80c3246333cd5094792cdc8c849f0eed41f5183e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 18:44:36 +0200
Subject: [PATCH 68/80] policies/expression: add pb_flow_plan variable

---
 docs/policies/expression/index.md                             | 1 +
 passbook/core/templatetags/passbook_user_settings.py          | 1 -
 passbook/flows/tests/test_misc.py                             | 1 +
 passbook/policies/expression/evaluator.py                     | 4 +++-
 .../policies/expression/templates/policy/expression/form.html | 1 +
 passbook/providers/oidc/signals.py                            | 1 -
 6 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/docs/policies/expression/index.md b/docs/policies/expression/index.md
index 418c4b9eb..2bf6b2fb0 100644
--- a/docs/policies/expression/index.md
+++ b/docs/policies/expression/index.md
@@ -10,6 +10,7 @@ The following objects are passed into the variable:
     - `request.user`: The current User, which the Policy is applied against. ([ref](../../property-mappings/reference/user-object.md))
     - `request.http_request`: The Django HTTP Request, as documented [here](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects).
     - `request.obj`: A Django Model instance. This is only set if the Policy is ran against an object.
+- `pb_flow_plan`: Current Plan if Policy is called while a flow is active.
 - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external Provider.
 - `pb_is_group_member(user, group_name)`: Function which checks if `user` is member of a Group with Name `gorup_name`.
 - `pb_logger`: Standard Python Logger Object, which can be used to debug expressions.
diff --git a/passbook/core/templatetags/passbook_user_settings.py b/passbook/core/templatetags/passbook_user_settings.py
index b00f827f0..7c0287eec 100644
--- a/passbook/core/templatetags/passbook_user_settings.py
+++ b/passbook/core/templatetags/passbook_user_settings.py
@@ -23,7 +23,6 @@ def user_stages(context: RequestContext) -> List[UIUserSettings]:
         if not user_settings:
             continue
         matching_stages.append(user_settings)
-    print(matching_stages)
     return matching_stages
 
 
diff --git a/passbook/flows/tests/test_misc.py b/passbook/flows/tests/test_misc.py
index 2fb773ee1..40e4bc0ea 100644
--- a/passbook/flows/tests/test_misc.py
+++ b/passbook/flows/tests/test_misc.py
@@ -17,6 +17,7 @@ class TestFlowsMisc(TestCase):
         """Test that stage serializer returns the correct type"""
         obj = DummyStage()
         self.assertEqual(StageSerializer().get_type(obj), "dummy")
+        self.assertEqual(StageSerializer().get_verbose_name(obj), "Dummy Stage")
 
     def test_api_viewset(self):
         """Test that stage serializer returns the correct type"""
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index b50b663fc..6e10ea313 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -9,6 +9,7 @@ from jinja2.nativetypes import NativeEnvironment
 from structlog import get_logger
 
 from passbook.flows.planner import PLAN_CONTEXT_SSO
+from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.utils.http import get_client_ip
 from passbook.policies.types import PolicyRequest, PolicyResult
 
@@ -54,13 +55,14 @@ class Evaluator:
         kwargs["pb_is_group_member"] = Evaluator.jinja2_func_is_group_member
         kwargs["pb_logger"] = get_logger()
         if request.http_request:
-            # TODO: Get access to current plan
             kwargs["pb_is_sso_flow"] = request.http_request.session.get(
                 PLAN_CONTEXT_SSO, False
             )
             kwargs["pb_client_ip"] = (
                 get_client_ip(request.http_request) or "255.255.255.255"
             )
+            if SESSION_KEY_PLAN in request.http_request.session:
+                kwargs["pb_flow_plan"] = request.http_request.session[SESSION_KEY_PLAN]
         return kwargs
 
     def evaluate(self, expression_source: str, request: PolicyRequest) -> PolicyResult:
diff --git a/passbook/policies/expression/templates/policy/expression/form.html b/passbook/policies/expression/templates/policy/expression/form.html
index b8c50910d..14bfa626e 100644
--- a/passbook/policies/expression/templates/policy/expression/form.html
+++ b/passbook/policies/expression/templates/policy/expression/form.html
@@ -13,6 +13,7 @@
             <li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/property-mappings/reference/user-object/">Reference</a>)</li>
             <li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
             <li><code>request.obj</code>: Model the Policy is run against. </li>
+            <li><code>pb_flow_plan</code>: Current Plan if Policy is called while a flow is active.</li>
             <li><code>pb_is_sso_flow</code>: Boolean which is true if request was initiated by authenticating through an external Provider.</li>
             <li><code>pb_is_group_member(user, group_name)</code>: Function which checks if <code>user</code> is member of a Group with Name <code>group_name</code>.</li>
             <li><code>pb_logger</code>: Standard Python Logger Object, which can be used to debug expressions.</li>
diff --git a/passbook/providers/oidc/signals.py b/passbook/providers/oidc/signals.py
index 0281464ff..a74550388 100644
--- a/passbook/providers/oidc/signals.py
+++ b/passbook/providers/oidc/signals.py
@@ -13,4 +13,3 @@ def on_application_save(sender, instance: Application, **_):
     if isinstance(instance.provider, OpenIDProvider):
         instance.provider.oidc_client.require_consent = not instance.skip_authorization
         instance.provider.oidc_client.save()
-        print("updating skip_authz")

From c104eeebe6ccbd1b1780ec7e3724a3a1df15b61d Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 18:52:37 +0200
Subject: [PATCH 69/80] gh/actions: add codecov

---
 .github/workflows/ci.yml | 4 ++++
 README.md                | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8284aec70..83392df43 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -123,6 +123,10 @@ jobs:
         run: sudo pip install -U wheel pipenv && pipenv install --dev
       - name: Run coverage
         run: pipenv run ./scripts/coverage.sh
+      - uses: codecov/codecov-action@v1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          file: ./unittest.xml
   # Build
   build-server:
     needs:
diff --git a/README.md b/README.md
index 70329e0f4..5e1cb6231 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # passbook
 
 ![](https://github.com/BeryJu/passbook/workflows/passbook-ci/badge.svg)
+![](https://img.shields.io/docker/pulls/beryju/passbook.svg)
+![](https://img.shields.io/docker/v/beryju/passbook?sort=semver)
 
 ## Quick instance
 

From 922cbf932da0acdf8920abe793f7387b83c4ec3c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 19:05:01 +0200
Subject: [PATCH 70/80] : update readme

---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5e1cb6231..6a6777e40 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,9 @@
 # passbook
 
-![](https://github.com/BeryJu/passbook/workflows/passbook-ci/badge.svg)
-![](https://img.shields.io/docker/pulls/beryju/passbook.svg)
-![](https://img.shields.io/docker/v/beryju/passbook?sort=semver)
+![](https://img.shields.io/github/workflow/status/beryju/passbook/passbook-ci?style=flat-square)
+![](https://img.shields.io/docker/pulls/beryju/passbook.svg?style=flat-square)
+![](https://img.shields.io/docker/v/beryju/passbook?sort=semver&style=flat-square)
+![](https://img.shields.io/codecov/c/gh/beryju/passbook?style=flat-square)
 
 ## Quick instance
 

From 47f6d0ac59990483f851363fbdd524470e6f91e8 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 22:27:18 +0200
Subject: [PATCH 71/80] gh/actions: fix invalid path for codecov

---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 83392df43..aba70a4bd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,7 +126,6 @@ jobs:
       - uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./unittest.xml
   # Build
   build-server:
     needs:

From 19cb310446685f1100f7532c0e8271ca51b351ae Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 22:40:09 +0200
Subject: [PATCH 72/80] gh/actions: run coverage xml before codecov

---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aba70a4bd..3b76df232 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -123,6 +123,8 @@ jobs:
         run: sudo pip install -U wheel pipenv && pipenv install --dev
       - name: Run coverage
         run: pipenv run ./scripts/coverage.sh
+      - name: Create XML Report
+        run: pipenv run coverage xml
       - uses: codecov/codecov-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

From f289025d8ef4f6b1e400062489096c80497256c4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 23:20:07 +0200
Subject: [PATCH 73/80] stages/user_delete: fix missing API, fix missing tests

---
 passbook/api/v2/urls.py              |  2 ++
 passbook/stages/user_delete/stage.py |  2 +-
 passbook/stages/user_delete/tests.py | 15 +++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index 4cf282a98..f00e6f636 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -37,6 +37,7 @@ from passbook.stages.invitation.api import InvitationStageViewSet, InvitationVie
 from passbook.stages.otp.api import OTPStageViewSet
 from passbook.stages.password.api import PasswordStageViewSet
 from passbook.stages.prompt.api import PromptStageViewSet, PromptViewSet
+from passbook.stages.user_delete.api import UserDeleteStageViewSet
 from passbook.stages.user_login.api import UserLoginStageViewSet
 from passbook.stages.user_logout.api import UserLogoutStageViewSet
 from passbook.stages.user_write.api import UserWriteStageViewSet
@@ -88,6 +89,7 @@ router.register("stages/otp", OTPStageViewSet)
 router.register("stages/password", PasswordStageViewSet)
 router.register("stages/prompt/stages", PromptStageViewSet)
 router.register("stages/prompt/prompts", PromptViewSet)
+router.register("stages/user_delete", UserDeleteStageViewSet)
 router.register("stages/user_login", UserLoginStageViewSet)
 router.register("stages/user_logout", UserLogoutStageViewSet)
 router.register("stages/user_write", UserWriteStageViewSet)
diff --git a/passbook/stages/user_delete/stage.py b/passbook/stages/user_delete/stage.py
index aeed299ce..1547cf944 100644
--- a/passbook/stages/user_delete/stage.py
+++ b/passbook/stages/user_delete/stage.py
@@ -14,7 +14,7 @@ LOGGER = get_logger()
 
 
 class UserDeleteStageView(FormView, AuthenticationStage):
-    """Finalise Enrollment flow by creating a user object."""
+    """Finalise unenrollment flow by deleting the user object."""
 
     form_class = UserDeleteForm
 
diff --git a/passbook/stages/user_delete/tests.py b/passbook/stages/user_delete/tests.py
index d4aeb2f25..88ff49479 100644
--- a/passbook/stages/user_delete/tests.py
+++ b/passbook/stages/user_delete/tests.py
@@ -26,6 +26,21 @@ class TestUserDeleteStage(TestCase):
         self.stage = UserDeleteStage.objects.create(name="delete")
         FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
 
+    def test_no_user(self):
+        """Test without user set"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
     def test_user_delete_get(self):
         """Test Form render"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])

From 43a583e2d27fa9a13bd78f40017808e07cae9628 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 13 May 2020 23:20:27 +0200
Subject: [PATCH 74/80] stages/invitation: add unittests

---
 passbook/policies/dummy/tests.py    | 39 ++++++++++++
 passbook/root/settings.py           | 16 ++---
 passbook/root/tests.py              | 28 +++++++++
 passbook/stages/invitation/tests.py | 95 ++++++++++++++++++-----------
 4 files changed, 134 insertions(+), 44 deletions(-)
 create mode 100644 passbook/policies/dummy/tests.py
 create mode 100644 passbook/root/tests.py

diff --git a/passbook/policies/dummy/tests.py b/passbook/policies/dummy/tests.py
new file mode 100644
index 000000000..409596252
--- /dev/null
+++ b/passbook/policies/dummy/tests.py
@@ -0,0 +1,39 @@
+"""dummy policy tests"""
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from passbook.policies.dummy.forms import DummyPolicyForm
+from passbook.policies.dummy.models import DummyPolicy
+from passbook.policies.engine import PolicyRequest
+
+
+class TestDummyPolicy(TestCase):
+    """Test dummy policy"""
+
+    def setUp(self):
+        super().setUp()
+        self.request = PolicyRequest(user=get_anonymous_user())
+
+    def test_policy(self):
+        """test policy .passes"""
+        policy: DummyPolicy = DummyPolicy.objects.create(
+            name="dummy", wait_min=1, wait_max=2
+        )
+        result = policy.passes(self.request)
+        self.assertFalse(result.passing)
+        self.assertEqual(result.messages, ("dummy",))
+
+    def test_form(self):
+        """test form"""
+        form = DummyPolicyForm(
+            data={
+                "name": "dummy",
+                "negate": False,
+                "order": 0,
+                "timeout": 1,
+                "result": True,
+                "wait_min": 1,
+                "wait_max": 2,
+            }
+        )
+        self.assertTrue(form.is_valid())
diff --git a/passbook/root/settings.py b/passbook/root/settings.py
index c671f98b4..4378fdbd8 100644
--- a/passbook/root/settings.py
+++ b/passbook/root/settings.py
@@ -45,20 +45,15 @@ ALLOWED_HOSTS = ["*"]
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
 LOGIN_URL = "passbook_flows:default-authentication"
-# CSRF_FAILURE_VIEW = 'passbook.core.views.errors.CSRFErrorView.as_view'
 
 # Custom user model
 AUTH_USER_MODEL = "passbook_core.User"
 
-if DEBUG:
-    CSRF_COOKIE_NAME = "passbook_csrf_debug"
-    LANGUAGE_COOKIE_NAME = "passbook_language_debug"
-    SESSION_COOKIE_NAME = "passbook_session_debug"
-    SESSION_COOKIE_SAMESITE = None
-else:
-    CSRF_COOKIE_NAME = "passbook_csrf"
-    LANGUAGE_COOKIE_NAME = "passbook_language"
-    SESSION_COOKIE_NAME = "passbook_session"
+_cookie_suffix = "_debug" if DEBUG else ""
+CSRF_COOKIE_NAME = f"passbook_csrf{_cookie_suffix}"
+LANGUAGE_COOKIE_NAME = f"passbook_language{_cookie_suffix}"
+SESSION_COOKIE_NAME = f"passbook_session{_cookie_suffix}"
+
 SESSION_COOKIE_DOMAIN = CONFIG.y("domain", None)
 
 AUTHENTICATION_BACKENDS = [
@@ -396,6 +391,7 @@ for _app in INSTALLED_APPS:
             pass
 
 if DEBUG:
+    SESSION_COOKIE_SAMESITE = None
     INSTALLED_APPS.append("debug_toolbar")
     MIDDLEWARE.append("debug_toolbar.middleware.DebugToolbarMiddleware")
 
diff --git a/passbook/root/tests.py b/passbook/root/tests.py
new file mode 100644
index 000000000..e8021c617
--- /dev/null
+++ b/passbook/root/tests.py
@@ -0,0 +1,28 @@
+"""root tests"""
+from base64 import b64encode
+
+from django.conf import settings
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+
+
+class TestRoot(TestCase):
+    """Test root application"""
+
+    def setUp(self):
+        super().setUp()
+        self.client = Client()
+
+    def test_monitoring_error(self):
+        """Test monitoring without any credentials"""
+        response = self.client.get(reverse("metrics"))
+        self.assertEqual(response.status_code, 401)
+
+    def test_monitoring_ok(self):
+        """Test monitoring with credentials"""
+        creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode(
+            "utf-8"
+        )
+        auth_headers = {"HTTP_AUTHORIZATION": creds}
+        response = self.client.get(reverse("metrics"), **auth_headers)
+        self.assertEqual(response.status_code, 200)
diff --git a/passbook/stages/invitation/tests.py b/passbook/stages/invitation/tests.py
index 59b988d2b..5998d26ac 100644
--- a/passbook/stages/invitation/tests.py
+++ b/passbook/stages/invitation/tests.py
@@ -1,14 +1,18 @@
-"""login tests"""
+"""invitation tests"""
+from unittest.mock import MagicMock, patch
+
 from django.shortcuts import reverse
 from django.test import Client, TestCase
+from guardian.shortcuts import get_anonymous_user
 
 from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.stages.invitation.forms import InvitationStageForm
+from passbook.stages.invitation.models import Invitation, InvitationStage
+from passbook.stages.invitation.stage import INVITATION_TOKEN_KEY, PLAN_CONTEXT_PROMPT
 from passbook.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
-from passbook.stages.user_login.forms import UserLoginStageForm
-from passbook.stages.user_login.models import UserLoginStage
 
 
 class TestUserLoginStage(TestCase):
@@ -20,15 +24,41 @@ class TestUserLoginStage(TestCase):
         self.client = Client()
 
         self.flow = Flow.objects.create(
-            name="test-login",
-            slug="test-login",
+            name="test-invitation",
+            slug="test-invitation",
             designation=FlowDesignation.AUTHENTICATION,
         )
-        self.stage = UserLoginStage.objects.create(name="login")
+        self.stage = InvitationStage.objects.create(name="invitation")
         FlowStageBinding.objects.create(flow=self.flow, stage=self.stage, order=2)
 
-    def test_valid_password(self):
-        """Test with a valid pending user and backend"""
+    def test_form(self):
+        """Test Form"""
+        data = {"name": "test"}
+        self.assertEqual(InvitationStageForm(data).is_valid(), True)
+
+    def test_without_invitation_fail(self):
+        """Test without any invitation, continue_flow_without_invitation not set."""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        plan.context[
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND
+        ] = "django.contrib.auth.backends.ModelBackend"
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse(
+                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
+            )
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+
+    def test_without_invitation_continue(self):
+        """Test without any invitation, continue_flow_without_invitation is set."""
+        self.stage.continue_flow_without_invitation = True
+        self.stage.save()
         plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
         plan.context[
@@ -45,39 +75,36 @@ class TestUserLoginStage(TestCase):
         )
         self.assertEqual(response.status_code, 302)
         self.assertEqual(response.url, reverse("passbook_core:overview"))
+        self.stage.continue_flow_without_invitation = False
+        self.stage.save()
 
-    def test_without_user(self):
-        """Test a plan without any pending user, resulting in a denied"""
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        response = self.client.get(
-            reverse(
-                "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
-            )
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_flows:denied"))
-
-    def test_without_backend(self):
-        """Test a plan with pending user, without backend, resulting in a denied"""
+    def test_with_invitation(self):
+        """Test with invitation, check data in session"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
         plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        plan.context[
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND
+        ] = "django.contrib.auth.backends.ModelBackend"
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
 
-        response = self.client.get(
-            reverse(
+        data = {"foo": "bar"}
+        invite = Invitation.objects.create(
+            created_by=get_anonymous_user(), fixed_data=data
+        )
+
+        with patch("passbook.flows.views.FlowExecutorView.cancel", MagicMock()):
+            base_url = reverse(
                 "passbook_flows:flow-executor", kwargs={"flow_slug": self.flow.slug}
             )
-        )
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("passbook_flows:denied"))
+            response = self.client.get(
+                base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
+            )
 
-    def test_form(self):
-        """Test Form"""
-        data = {"name": "test"}
-        self.assertEqual(UserLoginStageForm(data).is_valid(), True)
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], data)
+
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, reverse("passbook_core:overview"))

From fe503c8de0976c176bc3f3e79d07d082dac15072 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 13:45:46 +0200
Subject: [PATCH 75/80] root: add swagger to repository

---
 scripts/pre-commit.sh |    1 +
 swagger.yaml          | 6173 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 6174 insertions(+)
 create mode 100755 swagger.yaml

diff --git a/scripts/pre-commit.sh b/scripts/pre-commit.sh
index e97bac37c..2960f8976 100755
--- a/scripts/pre-commit.sh
+++ b/scripts/pre-commit.sh
@@ -6,3 +6,4 @@ scripts/coverage.sh
 bandit -r passbook
 pylint passbook
 prospector
+./manage.py generate_swagger -o swagger.yaml -f yaml
diff --git a/swagger.yaml b/swagger.yaml
new file mode 100755
index 000000000..cd9cc6476
--- /dev/null
+++ b/swagger.yaml
@@ -0,0 +1,6173 @@
+swagger: '2.0'
+info:
+  title: passbook API
+  contact:
+    email: hello@beryju.org
+  license:
+    name: MIT License
+  version: v2
+basePath: /api/v2
+consumes:
+  - application/json
+produces:
+  - application/json
+securityDefinitions:
+  Basic:
+    type: basic
+security:
+  - Basic: []
+paths:
+  /audit/events/:
+    get:
+      operationId: audit_events_list
+      description: Event Read-Only Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Event'
+      tags:
+        - audit
+    parameters: []
+  /audit/events/{uuid}/:
+    get:
+      operationId: audit_events_read
+      description: Event Read-Only Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Event'
+      tags:
+        - audit
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Audit Event.
+        required: true
+        type: string
+        format: uuid
+  /core/applications/:
+    get:
+      operationId: core_applications_list
+      description: Application Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Application'
+      tags:
+        - core
+    post:
+      operationId: core_applications_create
+      description: Application Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Application'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/Application'
+      tags:
+        - core
+    parameters: []
+  /core/applications/{uuid}/:
+    get:
+      operationId: core_applications_read
+      description: Application Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Application'
+      tags:
+        - core
+    put:
+      operationId: core_applications_update
+      description: Application Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Application'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Application'
+      tags:
+        - core
+    patch:
+      operationId: core_applications_partial_update
+      description: Application Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Application'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Application'
+      tags:
+        - core
+    delete:
+      operationId: core_applications_delete
+      description: Application Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - core
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this application.
+        required: true
+        type: string
+        format: uuid
+  /core/groups/:
+    get:
+      operationId: core_groups_list
+      description: Group Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Group'
+      tags:
+        - core
+    post:
+      operationId: core_groups_create
+      description: Group Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Group'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/Group'
+      tags:
+        - core
+    parameters: []
+  /core/groups/{uuid}/:
+    get:
+      operationId: core_groups_read
+      description: Group Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Group'
+      tags:
+        - core
+    put:
+      operationId: core_groups_update
+      description: Group Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Group'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Group'
+      tags:
+        - core
+    patch:
+      operationId: core_groups_partial_update
+      description: Group Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Group'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Group'
+      tags:
+        - core
+    delete:
+      operationId: core_groups_delete
+      description: Group Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - core
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this group.
+        required: true
+        type: string
+        format: uuid
+  /core/users/:
+    get:
+      operationId: core_users_list
+      description: User Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/User'
+      tags:
+        - core
+    post:
+      operationId: core_users_create
+      description: User Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/User'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/User'
+      tags:
+        - core
+    parameters: []
+  /core/users/{id}/:
+    get:
+      operationId: core_users_read
+      description: User Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/User'
+      tags:
+        - core
+    put:
+      operationId: core_users_update
+      description: User Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/User'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/User'
+      tags:
+        - core
+    patch:
+      operationId: core_users_partial_update
+      description: User Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/User'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/User'
+      tags:
+        - core
+    delete:
+      operationId: core_users_delete
+      description: User Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - core
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this user.
+        required: true
+        type: integer
+  /flows/bindings/:
+    get:
+      operationId: flows_bindings_list
+      description: FlowStageBinding Viewset
+      parameters:
+        - name: uuid
+          in: query
+          description: ''
+          required: false
+          type: string
+        - name: policies
+          in: query
+          description: ''
+          required: false
+          type: string
+        - name: flow
+          in: query
+          description: ''
+          required: false
+          type: string
+        - name: stage
+          in: query
+          description: ''
+          required: false
+          type: string
+        - name: re_evaluate_policies
+          in: query
+          description: ''
+          required: false
+          type: string
+        - name: order
+          in: query
+          description: ''
+          required: false
+          type: number
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/FlowStageBinding'
+      tags:
+        - flows
+    post:
+      operationId: flows_bindings_create
+      description: FlowStageBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      tags:
+        - flows
+    parameters: []
+  /flows/bindings/{uuid}/:
+    get:
+      operationId: flows_bindings_read
+      description: FlowStageBinding Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      tags:
+        - flows
+    put:
+      operationId: flows_bindings_update
+      description: FlowStageBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      tags:
+        - flows
+    patch:
+      operationId: flows_bindings_partial_update
+      description: FlowStageBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/FlowStageBinding'
+      tags:
+        - flows
+    delete:
+      operationId: flows_bindings_delete
+      description: FlowStageBinding Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - flows
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Flow Stage Binding.
+        required: true
+        type: string
+        format: uuid
+  /flows/instances/:
+    get:
+      operationId: flows_instances_list
+      description: Flow Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Flow'
+      tags:
+        - flows
+    post:
+      operationId: flows_instances_create
+      description: Flow Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Flow'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/Flow'
+      tags:
+        - flows
+    parameters: []
+  /flows/instances/{uuid}/:
+    get:
+      operationId: flows_instances_read
+      description: Flow Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Flow'
+      tags:
+        - flows
+    put:
+      operationId: flows_instances_update
+      description: Flow Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Flow'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Flow'
+      tags:
+        - flows
+    patch:
+      operationId: flows_instances_partial_update
+      description: Flow Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Flow'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Flow'
+      tags:
+        - flows
+    delete:
+      operationId: flows_instances_delete
+      description: Flow Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - flows
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Flow.
+        required: true
+        type: string
+        format: uuid
+  /policies/all/:
+    get:
+      operationId: policies_all_list
+      description: Policy Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Policy'
+      tags:
+        - policies
+    parameters: []
+  /policies/all/{uuid}/:
+    get:
+      operationId: policies_all_read
+      description: Policy Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Policy'
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/dummy/:
+    get:
+      operationId: policies_dummy_list
+      description: Dummy Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/DummyPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_dummy_create
+      description: Dummy Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/dummy/{uuid}/:
+    get:
+      operationId: policies_dummy_read
+      description: Dummy Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_dummy_update
+      description: Dummy Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_dummy_partial_update
+      description: Dummy Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_dummy_delete
+      description: Dummy Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Dummy Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/expression/:
+    get:
+      operationId: policies_expression_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/ExpressionPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_expression_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/expression/{uuid}/:
+    get:
+      operationId: policies_expression_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_expression_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_expression_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ExpressionPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_expression_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Expression Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/haveibeenpwned/:
+    get:
+      operationId: policies_haveibeenpwned_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/HaveIBeenPwendPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_haveibeenpwned_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/haveibeenpwned/{uuid}/:
+    get:
+      operationId: policies_haveibeenpwned_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_haveibeenpwned_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_haveibeenpwned_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/HaveIBeenPwendPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_haveibeenpwned_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Have I Been Pwned Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/password/:
+    get:
+      operationId: policies_password_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PasswordPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_password_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/password/{uuid}/:
+    get:
+      operationId: policies_password_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_password_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_password_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_password_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Password Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/passwordexpiry/:
+    get:
+      operationId: policies_passwordexpiry_list
+      description: Password Expiry Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PasswordExpiryPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_passwordexpiry_create
+      description: Password Expiry Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/passwordexpiry/{uuid}/:
+    get:
+      operationId: policies_passwordexpiry_read
+      description: Password Expiry Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_passwordexpiry_update
+      description: Password Expiry Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_passwordexpiry_partial_update
+      description: Password Expiry Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordExpiryPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_passwordexpiry_delete
+      description: Password Expiry Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Password Expiry Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/reputation/:
+    get:
+      operationId: policies_reputation_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/ReputationPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_reputation_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/reputation/{uuid}/:
+    get:
+      operationId: policies_reputation_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_reputation_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_reputation_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ReputationPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_reputation_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Reputation Policy.
+        required: true
+        type: string
+        format: uuid
+  /policies/webhook/:
+    get:
+      operationId: policies_webhook_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/WebhookPolicy'
+      tags:
+        - policies
+    post:
+      operationId: policies_webhook_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      tags:
+        - policies
+    parameters: []
+  /policies/webhook/{uuid}/:
+    get:
+      operationId: policies_webhook_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      tags:
+        - policies
+    put:
+      operationId: policies_webhook_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      tags:
+        - policies
+    patch:
+      operationId: policies_webhook_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/WebhookPolicy'
+      tags:
+        - policies
+    delete:
+      operationId: policies_webhook_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Webhook Policy.
+        required: true
+        type: string
+        format: uuid
+  /propertymappings/all/:
+    get:
+      operationId: propertymappings_all_list
+      description: PropertyMapping Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PropertyMapping'
+      tags:
+        - propertymappings
+    parameters: []
+  /propertymappings/all/{uuid}/:
+    get:
+      operationId: propertymappings_all_read
+      description: PropertyMapping Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PropertyMapping'
+      tags:
+        - propertymappings
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Property Mapping.
+        required: true
+        type: string
+        format: uuid
+  /propertymappings/ldap/:
+    get:
+      operationId: propertymappings_ldap_list
+      description: LDAP PropertyMapping Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/LDAPPropertyMapping'
+      tags:
+        - propertymappings
+    post:
+      operationId: propertymappings_ldap_create
+      description: LDAP PropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      tags:
+        - propertymappings
+    parameters: []
+  /propertymappings/ldap/{uuid}/:
+    get:
+      operationId: propertymappings_ldap_read
+      description: LDAP PropertyMapping Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      tags:
+        - propertymappings
+    put:
+      operationId: propertymappings_ldap_update
+      description: LDAP PropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      tags:
+        - propertymappings
+    patch:
+      operationId: propertymappings_ldap_partial_update
+      description: LDAP PropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPPropertyMapping'
+      tags:
+        - propertymappings
+    delete:
+      operationId: propertymappings_ldap_delete
+      description: LDAP PropertyMapping Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - propertymappings
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this LDAP Property Mapping.
+        required: true
+        type: string
+        format: uuid
+  /propertymappings/saml/:
+    get:
+      operationId: propertymappings_saml_list
+      description: SAMLPropertyMapping Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/SAMLPropertyMapping'
+      tags:
+        - propertymappings
+    post:
+      operationId: propertymappings_saml_create
+      description: SAMLPropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      tags:
+        - propertymappings
+    parameters: []
+  /propertymappings/saml/{uuid}/:
+    get:
+      operationId: propertymappings_saml_read
+      description: SAMLPropertyMapping Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      tags:
+        - propertymappings
+    put:
+      operationId: propertymappings_saml_update
+      description: SAMLPropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      tags:
+        - propertymappings
+    patch:
+      operationId: propertymappings_saml_partial_update
+      description: SAMLPropertyMapping Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLPropertyMapping'
+      tags:
+        - propertymappings
+    delete:
+      operationId: propertymappings_saml_delete
+      description: SAMLPropertyMapping Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - propertymappings
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this SAML Property Mapping.
+        required: true
+        type: string
+        format: uuid
+  /providers/all/:
+    get:
+      operationId: providers_all_list
+      description: Provider Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Provider'
+      tags:
+        - providers
+    parameters: []
+  /providers/all/{id}/:
+    get:
+      operationId: providers_all_read
+      description: Provider Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Provider'
+      tags:
+        - providers
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this provider.
+        required: true
+        type: integer
+  /providers/applicationgateway/:
+    get:
+      operationId: providers_applicationgateway_list
+      description: ApplicationGatewayProvider Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/ApplicationGatewayProvider'
+      tags:
+        - providers
+    post:
+      operationId: providers_applicationgateway_create
+      description: ApplicationGatewayProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      tags:
+        - providers
+    parameters: []
+  /providers/applicationgateway/{id}/:
+    get:
+      operationId: providers_applicationgateway_read
+      description: ApplicationGatewayProvider Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      tags:
+        - providers
+    put:
+      operationId: providers_applicationgateway_update
+      description: ApplicationGatewayProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      tags:
+        - providers
+    patch:
+      operationId: providers_applicationgateway_partial_update
+      description: ApplicationGatewayProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/ApplicationGatewayProvider'
+      tags:
+        - providers
+    delete:
+      operationId: providers_applicationgateway_delete
+      description: ApplicationGatewayProvider Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - providers
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this Application Gateway Provider.
+        required: true
+        type: integer
+  /providers/oauth/:
+    get:
+      operationId: providers_oauth_list
+      description: OAuth2Provider Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/OAuth2Provider'
+      tags:
+        - providers
+    post:
+      operationId: providers_oauth_create
+      description: OAuth2Provider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      tags:
+        - providers
+    parameters: []
+  /providers/oauth/{id}/:
+    get:
+      operationId: providers_oauth_read
+      description: OAuth2Provider Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      tags:
+        - providers
+    put:
+      operationId: providers_oauth_update
+      description: OAuth2Provider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      tags:
+        - providers
+    patch:
+      operationId: providers_oauth_partial_update
+      description: OAuth2Provider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuth2Provider'
+      tags:
+        - providers
+    delete:
+      operationId: providers_oauth_delete
+      description: OAuth2Provider Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - providers
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this OAuth2 Provider.
+        required: true
+        type: integer
+  /providers/openid/:
+    get:
+      operationId: providers_openid_list
+      description: OpenIDProvider Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/OpenIDProvider'
+      tags:
+        - providers
+    post:
+      operationId: providers_openid_create
+      description: OpenIDProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      tags:
+        - providers
+    parameters: []
+  /providers/openid/{id}/:
+    get:
+      operationId: providers_openid_read
+      description: OpenIDProvider Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      tags:
+        - providers
+    put:
+      operationId: providers_openid_update
+      description: OpenIDProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      tags:
+        - providers
+    patch:
+      operationId: providers_openid_partial_update
+      description: OpenIDProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OpenIDProvider'
+      tags:
+        - providers
+    delete:
+      operationId: providers_openid_delete
+      description: OpenIDProvider Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - providers
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this Client.
+        required: true
+        type: integer
+  /providers/saml/:
+    get:
+      operationId: providers_saml_list
+      description: SAMLProvider Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/SAMLProvider'
+      tags:
+        - providers
+    post:
+      operationId: providers_saml_create
+      description: SAMLProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      tags:
+        - providers
+    parameters: []
+  /providers/saml/{id}/:
+    get:
+      operationId: providers_saml_read
+      description: SAMLProvider Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      tags:
+        - providers
+    put:
+      operationId: providers_saml_update
+      description: SAMLProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      tags:
+        - providers
+    patch:
+      operationId: providers_saml_partial_update
+      description: SAMLProvider Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/SAMLProvider'
+      tags:
+        - providers
+    delete:
+      operationId: providers_saml_delete
+      description: SAMLProvider Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - providers
+    parameters:
+      - name: id
+        in: path
+        description: A unique integer value identifying this SAML Provider.
+        required: true
+        type: integer
+  /sources/all/:
+    get:
+      operationId: sources_all_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Source'
+      tags:
+        - sources
+    parameters: []
+  /sources/all/{uuid}/:
+    get:
+      operationId: sources_all_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Source'
+      tags:
+        - sources
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this source.
+        required: true
+        type: string
+        format: uuid
+  /sources/ldap/:
+    get:
+      operationId: sources_ldap_list
+      description: LDAP Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/LDAPSource'
+      tags:
+        - sources
+    post:
+      operationId: sources_ldap_create
+      description: LDAP Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      tags:
+        - sources
+    parameters: []
+  /sources/ldap/{uuid}/:
+    get:
+      operationId: sources_ldap_read
+      description: LDAP Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      tags:
+        - sources
+    put:
+      operationId: sources_ldap_update
+      description: LDAP Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      tags:
+        - sources
+    patch:
+      operationId: sources_ldap_partial_update
+      description: LDAP Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/LDAPSource'
+      tags:
+        - sources
+    delete:
+      operationId: sources_ldap_delete
+      description: LDAP Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - sources
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this LDAP Source.
+        required: true
+        type: string
+        format: uuid
+  /sources/oauth/:
+    get:
+      operationId: sources_oauth_list
+      description: Source Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/OAuthSource'
+      tags:
+        - sources
+    post:
+      operationId: sources_oauth_create
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      tags:
+        - sources
+    parameters: []
+  /sources/oauth/{uuid}/:
+    get:
+      operationId: sources_oauth_read
+      description: Source Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      tags:
+        - sources
+    put:
+      operationId: sources_oauth_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      tags:
+        - sources
+    patch:
+      operationId: sources_oauth_partial_update
+      description: Source Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OAuthSource'
+      tags:
+        - sources
+    delete:
+      operationId: sources_oauth_delete
+      description: Source Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - sources
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Generic OAuth Source.
+        required: true
+        type: string
+        format: uuid
+  /stages/all/:
+    get:
+      operationId: stages_all_list
+      description: Stage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Stage'
+      tags:
+        - stages
+    parameters: []
+  /stages/all/{uuid}/:
+    get:
+      operationId: stages_all_read
+      description: Stage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Stage'
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/captcha/:
+    get:
+      operationId: stages_captcha_list
+      description: CaptchaStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/CaptchaStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_captcha_create
+      description: CaptchaStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/captcha/{uuid}/:
+    get:
+      operationId: stages_captcha_read
+      description: CaptchaStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_captcha_update
+      description: CaptchaStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_captcha_partial_update
+      description: CaptchaStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/CaptchaStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_captcha_delete
+      description: CaptchaStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Captcha Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/dummy/:
+    get:
+      operationId: stages_dummy_list
+      description: DummyStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/DummyStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_dummy_create
+      description: DummyStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/dummy/{uuid}/:
+    get:
+      operationId: stages_dummy_read
+      description: DummyStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_dummy_update
+      description: DummyStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_dummy_partial_update
+      description: DummyStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/DummyStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/DummyStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_dummy_delete
+      description: DummyStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Dummy Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/email/:
+    get:
+      operationId: stages_email_list
+      description: EmailStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/EmailStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_email_create
+      description: EmailStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/EmailStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/EmailStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/email/{uuid}/:
+    get:
+      operationId: stages_email_read
+      description: EmailStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/EmailStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_email_update
+      description: EmailStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/EmailStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/EmailStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_email_partial_update
+      description: EmailStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/EmailStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/EmailStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_email_delete
+      description: EmailStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Email Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/identification/:
+    get:
+      operationId: stages_identification_list
+      description: IdentificationStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/IdentificationStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_identification_create
+      description: IdentificationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/identification/{uuid}/:
+    get:
+      operationId: stages_identification_read
+      description: IdentificationStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_identification_update
+      description: IdentificationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_identification_partial_update
+      description: IdentificationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/IdentificationStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_identification_delete
+      description: IdentificationStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Identification Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/invitation/:
+    get:
+      operationId: stages_invitation_list
+      description: InvitationStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/InvitationStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_invitation_create
+      description: InvitationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/invitation/invitations/:
+    get:
+      operationId: stages_invitation_invitations_list
+      description: Invitation Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Invitation'
+      tags:
+        - stages
+    post:
+      operationId: stages_invitation_invitations_create
+      description: Invitation Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Invitation'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/Invitation'
+      tags:
+        - stages
+    parameters: []
+  /stages/invitation/invitations/{uuid}/:
+    get:
+      operationId: stages_invitation_invitations_read
+      description: Invitation Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Invitation'
+      tags:
+        - stages
+    put:
+      operationId: stages_invitation_invitations_update
+      description: Invitation Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Invitation'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Invitation'
+      tags:
+        - stages
+    patch:
+      operationId: stages_invitation_invitations_partial_update
+      description: Invitation Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Invitation'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Invitation'
+      tags:
+        - stages
+    delete:
+      operationId: stages_invitation_invitations_delete
+      description: Invitation Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Invitation.
+        required: true
+        type: string
+        format: uuid
+  /stages/invitation/{uuid}/:
+    get:
+      operationId: stages_invitation_read
+      description: InvitationStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_invitation_update
+      description: InvitationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_invitation_partial_update
+      description: InvitationStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/InvitationStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_invitation_delete
+      description: InvitationStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Invitation Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/otp/:
+    get:
+      operationId: stages_otp_list
+      description: OTPStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/OTPStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_otp_create
+      description: OTPStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OTPStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/OTPStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/otp/{uuid}/:
+    get:
+      operationId: stages_otp_read
+      description: OTPStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OTPStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_otp_update
+      description: OTPStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OTPStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OTPStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_otp_partial_update
+      description: OTPStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/OTPStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/OTPStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_otp_delete
+      description: OTPStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this OTP Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/password/:
+    get:
+      operationId: stages_password_list
+      description: PasswordStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PasswordStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_password_create
+      description: PasswordStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/password/{uuid}/:
+    get:
+      operationId: stages_password_read
+      description: PasswordStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_password_update
+      description: PasswordStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_password_partial_update
+      description: PasswordStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PasswordStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_password_delete
+      description: PasswordStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Password Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/prompt/prompts/:
+    get:
+      operationId: stages_prompt_prompts_list
+      description: Prompt Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/Prompt'
+      tags:
+        - stages
+    post:
+      operationId: stages_prompt_prompts_create
+      description: Prompt Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Prompt'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/Prompt'
+      tags:
+        - stages
+    parameters: []
+  /stages/prompt/prompts/{uuid}/:
+    get:
+      operationId: stages_prompt_prompts_read
+      description: Prompt Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Prompt'
+      tags:
+        - stages
+    put:
+      operationId: stages_prompt_prompts_update
+      description: Prompt Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Prompt'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Prompt'
+      tags:
+        - stages
+    patch:
+      operationId: stages_prompt_prompts_partial_update
+      description: Prompt Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/Prompt'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/Prompt'
+      tags:
+        - stages
+    delete:
+      operationId: stages_prompt_prompts_delete
+      description: Prompt Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Prompt.
+        required: true
+        type: string
+        format: uuid
+  /stages/prompt/stages/:
+    get:
+      operationId: stages_prompt_stages_list
+      description: PromptStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PromptStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_prompt_stages_create
+      description: PromptStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PromptStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/PromptStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/prompt/stages/{uuid}/:
+    get:
+      operationId: stages_prompt_stages_read
+      description: PromptStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PromptStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_prompt_stages_update
+      description: PromptStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PromptStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PromptStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_prompt_stages_partial_update
+      description: PromptStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PromptStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PromptStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_prompt_stages_delete
+      description: PromptStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Prompt Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/user_delete/:
+    get:
+      operationId: stages_user_delete_list
+      description: UserDeleteStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/UserDeleteStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_user_delete_create
+      description: UserDeleteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/user_delete/{uuid}/:
+    get:
+      operationId: stages_user_delete_read
+      description: UserDeleteStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_user_delete_update
+      description: UserDeleteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_user_delete_partial_update
+      description: UserDeleteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserDeleteStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_user_delete_delete
+      description: UserDeleteStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this User Delete Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/user_login/:
+    get:
+      operationId: stages_user_login_list
+      description: UserLoginStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/UserLoginStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_user_login_create
+      description: UserLoginStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/user_login/{uuid}/:
+    get:
+      operationId: stages_user_login_read
+      description: UserLoginStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_user_login_update
+      description: UserLoginStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_user_login_partial_update
+      description: UserLoginStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLoginStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_user_login_delete
+      description: UserLoginStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this User Login Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/user_logout/:
+    get:
+      operationId: stages_user_logout_list
+      description: UserLogoutStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/UserLogoutStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_user_logout_create
+      description: UserLogoutStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/user_logout/{uuid}/:
+    get:
+      operationId: stages_user_logout_read
+      description: UserLogoutStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_user_logout_update
+      description: UserLogoutStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_user_logout_partial_update
+      description: UserLogoutStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserLogoutStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_user_logout_delete
+      description: UserLogoutStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this User Logout Stage.
+        required: true
+        type: string
+        format: uuid
+  /stages/user_write/:
+    get:
+      operationId: stages_user_write_list
+      description: UserWriteStage Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/UserWriteStage'
+      tags:
+        - stages
+    post:
+      operationId: stages_user_write_create
+      description: UserWriteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      tags:
+        - stages
+    parameters: []
+  /stages/user_write/{uuid}/:
+    get:
+      operationId: stages_user_write_read
+      description: UserWriteStage Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      tags:
+        - stages
+    put:
+      operationId: stages_user_write_update
+      description: UserWriteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      tags:
+        - stages
+    patch:
+      operationId: stages_user_write_partial_update
+      description: UserWriteStage Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/UserWriteStage'
+      tags:
+        - stages
+    delete:
+      operationId: stages_user_write_delete
+      description: UserWriteStage Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - stages
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this User Write Stage.
+        required: true
+        type: string
+        format: uuid
+definitions:
+  Event:
+    required:
+      - action
+      - app
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      user:
+        title: User
+        type: integer
+        x-nullable: true
+      action:
+        title: Action
+        type: string
+        enum:
+          - LOGIN
+          - LOGIN_FAILED
+          - LOGOUT
+          - AUTHORIZE_APPLICATION
+          - SUSPICIOUS_REQUEST
+          - SIGN_UP
+          - PASSWORD_RESET
+          - INVITE_CREATED
+          - INVITE_USED
+          - CUSTOM
+      date:
+        title: Date
+        type: string
+        format: date-time
+        readOnly: true
+      app:
+        title: App
+        type: string
+        minLength: 1
+      context:
+        title: Context
+        type: object
+      client_ip:
+        title: Client ip
+        type: string
+        minLength: 1
+        x-nullable: true
+      created:
+        title: Created
+        type: string
+        format: date-time
+        readOnly: true
+  Application:
+    required:
+      - name
+      - slug
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        description: Application's display Name.
+        type: string
+        minLength: 1
+      slug:
+        title: Slug
+        description: Internal application name, used in URLs.
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      skip_authorization:
+        title: Skip authorization
+        type: boolean
+      provider:
+        title: Provider
+        type: integer
+        x-nullable: true
+      meta_launch_url:
+        title: Meta launch url
+        type: string
+        format: uri
+        maxLength: 200
+      meta_icon_url:
+        title: Meta icon url
+        type: string
+      meta_description:
+        title: Meta description
+        type: string
+      meta_publisher:
+        title: Meta publisher
+        type: string
+      policies:
+        type: array
+        items:
+          type: string
+          format: uuid
+        uniqueItems: true
+  Group:
+    required:
+      - name
+      - parent
+      - user_set
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        maxLength: 80
+        minLength: 1
+      parent:
+        title: Parent
+        type: string
+        format: uuid
+      user_set:
+        type: array
+        items:
+          type: integer
+        uniqueItems: true
+      attributes:
+        title: Attributes
+        type: object
+  User:
+    required:
+      - username
+      - name
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      username:
+        title: Username
+        description: Required. 150 characters or fewer. Letters, digits and @/./+/-/_
+          only.
+        type: string
+        pattern: ^[\w.@+-]+$
+        maxLength: 150
+        minLength: 1
+      name:
+        title: Name
+        description: User's display name.
+        type: string
+        minLength: 1
+      email:
+        title: Email address
+        type: string
+        format: email
+        maxLength: 254
+  FlowStageBinding:
+    required:
+      - flow
+      - stage
+      - order
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      flow:
+        title: Flow
+        type: string
+        format: uuid
+      stage:
+        title: Stage
+        type: string
+        format: uuid
+      re_evaluate_policies:
+        title: Re evaluate policies
+        description: When this option is enabled, the planner will re-evaluate policies
+          bound to this.
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      policies:
+        type: array
+        items:
+          type: integer
+        readOnly: true
+        uniqueItems: true
+  Flow:
+    required:
+      - name
+      - slug
+      - designation
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      slug:
+        title: Slug
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      designation:
+        title: Designation
+        type: string
+        enum:
+          - authentication
+          - invalidation
+          - enrollment
+          - unenrollment
+          - recovery
+          - password_change
+      stages:
+        type: array
+        items:
+          type: string
+          format: uuid
+        readOnly: true
+        uniqueItems: true
+      policies:
+        type: array
+        items:
+          type: integer
+        readOnly: true
+        uniqueItems: true
+  Policy:
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      __type__:
+        title: 'type  '
+        type: string
+        readOnly: true
+  DummyPolicy:
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      result:
+        title: Result
+        type: boolean
+      wait_min:
+        title: Wait min
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      wait_max:
+        title: Wait max
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+  ExpressionPolicy:
+    required:
+      - expression
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      expression:
+        title: Expression
+        type: string
+        minLength: 1
+  HaveIBeenPwendPolicy:
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      allowed_count:
+        title: Allowed count
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+  PasswordPolicy:
+    required:
+      - error_message
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      amount_uppercase:
+        title: Amount uppercase
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      amount_lowercase:
+        title: Amount lowercase
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      amount_symbols:
+        title: Amount symbols
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      length_min:
+        title: Length min
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      symbol_charset:
+        title: Symbol charset
+        type: string
+        minLength: 1
+      error_message:
+        title: Error message
+        type: string
+        minLength: 1
+  PasswordExpiryPolicy:
+    required:
+      - days
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      days:
+        title: Days
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      deny_only:
+        title: Deny only
+        type: boolean
+  ReputationPolicy:
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      check_ip:
+        title: Check ip
+        type: boolean
+      check_username:
+        title: Check username
+        type: boolean
+      threshold:
+        title: Threshold
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+  WebhookPolicy:
+    required:
+      - url
+      - method
+      - json_body
+      - json_headers
+      - result_jsonpath
+      - result_json_value
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        x-nullable: true
+      negate:
+        title: Negate
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      url:
+        title: Url
+        type: string
+        format: uri
+        maxLength: 200
+        minLength: 1
+      method:
+        title: Method
+        type: string
+        enum:
+          - GET
+          - POST
+          - PATCH
+          - DELETE
+          - PUT
+      json_body:
+        title: Json body
+        type: string
+        minLength: 1
+      json_headers:
+        title: Json headers
+        type: string
+        minLength: 1
+      result_jsonpath:
+        title: Result jsonpath
+        type: string
+        minLength: 1
+      result_json_value:
+        title: Result json value
+        type: string
+        minLength: 1
+  PropertyMapping:
+    required:
+      - name
+      - expression
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      expression:
+        title: Expression
+        type: string
+        minLength: 1
+      __type__:
+        title: 'type  '
+        type: string
+        readOnly: true
+  LDAPPropertyMapping:
+    required:
+      - name
+      - expression
+      - object_field
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      expression:
+        title: Expression
+        type: string
+        minLength: 1
+      object_field:
+        title: Object field
+        type: string
+        minLength: 1
+  SAMLPropertyMapping:
+    required:
+      - name
+      - saml_name
+      - expression
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      saml_name:
+        title: SAML Name
+        type: string
+        minLength: 1
+      friendly_name:
+        title: Friendly name
+        type: string
+        x-nullable: true
+      expression:
+        title: Expression
+        type: string
+        minLength: 1
+  Provider:
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      property_mappings:
+        type: array
+        items:
+          type: string
+          format: uuid
+        uniqueItems: true
+      __type__:
+        title: 'type  '
+        type: string
+        readOnly: true
+  OpenIDProvider:
+    title: Client
+    required:
+      - client_id
+      - response_types
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        maxLength: 100
+        minLength: 1
+      client_type:
+        title: Client Type
+        description: <b>Confidential</b> clients are capable of maintaining the confidentiality
+          of their credentials. <b>Public</b> clients are incapable.
+        type: string
+        enum:
+          - confidential
+          - public
+      client_id:
+        title: Client ID
+        type: string
+        maxLength: 255
+        minLength: 1
+      client_secret:
+        title: Client SECRET
+        type: string
+        maxLength: 255
+      response_types:
+        type: array
+        items:
+          type: integer
+        uniqueItems: true
+      jwt_alg:
+        title: JWT Algorithm
+        description: Algorithm used to encode ID Tokens.
+        type: string
+        enum:
+          - HS256
+          - RS256
+      reuse_consent:
+        title: Reuse Consent?
+        description: If enabled, server will save the user consent given to a specific
+          client, so that user won't be prompted for the same authorization multiple
+          times.
+        type: boolean
+      require_consent:
+        title: Require Consent?
+        description: If disabled, the Server will NEVER ask the user for consent.
+        type: boolean
+      _redirect_uris:
+        title: Redirect URIs
+        description: Enter each URI on a new line.
+        type: string
+        minLength: 1
+      _scope:
+        title: Scopes
+        description: Specifies the authorized scope values for the client app.
+        type: string
+  ApplicationGatewayProvider:
+    required:
+      - name
+      - internal_host
+      - external_host
+      - client
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      internal_host:
+        title: Internal host
+        type: string
+        minLength: 1
+      external_host:
+        title: External host
+        type: string
+        minLength: 1
+      client:
+        $ref: '#/definitions/OpenIDProvider'
+  OAuth2Provider:
+    required:
+      - client_type
+      - authorization_grant_type
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        maxLength: 255
+      redirect_uris:
+        title: Redirect uris
+        description: Allowed URIs list, space separated
+        type: string
+      client_type:
+        title: Client type
+        type: string
+        enum:
+          - confidential
+          - public
+      authorization_grant_type:
+        title: Authorization grant type
+        type: string
+        enum:
+          - authorization-code
+          - implicit
+          - password
+          - client-credentials
+      client_id:
+        title: Client id
+        type: string
+        maxLength: 100
+        minLength: 1
+      client_secret:
+        title: Client secret
+        type: string
+        maxLength: 255
+  SAMLProvider:
+    required:
+      - name
+      - processor_path
+      - acs_url
+      - issuer
+    type: object
+    properties:
+      pk:
+        title: ID
+        type: integer
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      processor_path:
+        title: Processor path
+        type: string
+        maxLength: 255
+        minLength: 1
+      acs_url:
+        title: ACS URL
+        type: string
+        format: uri
+        maxLength: 200
+        minLength: 1
+      audience:
+        title: Audience
+        type: string
+        minLength: 1
+      issuer:
+        title: Issuer
+        description: Also known as EntityID
+        type: string
+        minLength: 1
+      assertion_valid_not_before:
+        title: Assertion valid not before
+        description: 'Assertion valid not before current time + this value (Format:
+          hours=-1;minutes=-2;seconds=-3).'
+        type: string
+        minLength: 1
+      assertion_valid_not_on_or_after:
+        title: Assertion valid not on or after
+        description: 'Assertion not valid on or after current time + this value (Format:
+          hours=1;minutes=2;seconds=3).'
+        type: string
+        minLength: 1
+      session_valid_not_on_or_after:
+        title: Session valid not on or after
+        description: 'Session not valid on or after current time + this value (Format:
+          hours=1;minutes=2;seconds=3).'
+        type: string
+        minLength: 1
+      property_mappings:
+        type: array
+        items:
+          type: string
+          format: uuid
+        uniqueItems: true
+      digest_algorithm:
+        title: Digest algorithm
+        type: string
+        enum:
+          - sha1
+          - sha256
+      signature_algorithm:
+        title: Signature algorithm
+        type: string
+        enum:
+          - rsa-sha1
+          - rsa-sha256
+          - ecdsa-sha256
+          - dsa-sha1
+      signing_kp:
+        title: Signing Keypair
+        description: Singing is enabled upon selection of a Key Pair.
+        type: string
+        format: uuid
+        x-nullable: true
+      require_signing:
+        title: Require signing
+        description: Require Requests to be signed by an X509 Certificate. Must match
+          the Certificate selected in `Singing Keypair`.
+        type: boolean
+  Source:
+    required:
+      - name
+      - slug
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        description: Source's display Name.
+        type: string
+        minLength: 1
+      slug:
+        title: Slug
+        description: Internal source name, used in URLs.
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      enabled:
+        title: Enabled
+        type: boolean
+      __type__:
+        title: 'type  '
+        type: string
+        readOnly: true
+  LDAPSource:
+    required:
+      - name
+      - slug
+      - server_uri
+      - bind_cn
+      - bind_password
+      - base_dn
+      - additional_user_dn
+      - additional_group_dn
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        description: Source's display Name.
+        type: string
+        minLength: 1
+      slug:
+        title: Slug
+        description: Internal source name, used in URLs.
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      enabled:
+        title: Enabled
+        type: boolean
+      server_uri:
+        title: Server URI
+        type: string
+        minLength: 1
+      bind_cn:
+        title: Bind CN
+        type: string
+        minLength: 1
+      bind_password:
+        title: Bind password
+        type: string
+        minLength: 1
+      start_tls:
+        title: Enable Start TLS
+        type: boolean
+      base_dn:
+        title: Base DN
+        type: string
+        minLength: 1
+      additional_user_dn:
+        title: Addition User DN
+        description: Prepended to Base DN for User-queries.
+        type: string
+        minLength: 1
+      additional_group_dn:
+        title: Addition Group DN
+        description: Prepended to Base DN for Group-queries.
+        type: string
+        minLength: 1
+      user_object_filter:
+        title: User object filter
+        description: Consider Objects matching this filter to be Users.
+        type: string
+        minLength: 1
+      group_object_filter:
+        title: Group object filter
+        description: Consider Objects matching this filter to be Groups.
+        type: string
+        minLength: 1
+      user_group_membership_field:
+        title: User group membership field
+        description: Field which contains Groups of user.
+        type: string
+        minLength: 1
+      object_uniqueness_field:
+        title: Object uniqueness field
+        description: Field which contains a unique Identifier.
+        type: string
+        minLength: 1
+      sync_groups:
+        title: Sync groups
+        type: boolean
+      sync_parent_group:
+        title: Sync parent group
+        type: string
+        format: uuid
+        x-nullable: true
+      property_mappings:
+        type: array
+        items:
+          type: string
+          format: uuid
+        uniqueItems: true
+  OAuthSource:
+    required:
+      - name
+      - slug
+      - provider_type
+      - authorization_url
+      - access_token_url
+      - profile_url
+      - consumer_key
+      - consumer_secret
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        description: Source's display Name.
+        type: string
+        minLength: 1
+      slug:
+        title: Slug
+        description: Internal source name, used in URLs.
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      enabled:
+        title: Enabled
+        type: boolean
+      provider_type:
+        title: Provider type
+        type: string
+        maxLength: 255
+        minLength: 1
+      request_token_url:
+        title: Request Token URL
+        type: string
+        maxLength: 255
+      authorization_url:
+        title: Authorization URL
+        type: string
+        maxLength: 255
+        minLength: 1
+      access_token_url:
+        title: Access Token URL
+        type: string
+        maxLength: 255
+        minLength: 1
+      profile_url:
+        title: Profile URL
+        type: string
+        maxLength: 255
+        minLength: 1
+      consumer_key:
+        title: Consumer key
+        type: string
+        minLength: 1
+      consumer_secret:
+        title: Consumer secret
+        type: string
+        minLength: 1
+  Stage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      __type__:
+        title: 'type  '
+        type: string
+        readOnly: true
+      verbose_name:
+        title: Verbose name
+        type: string
+        readOnly: true
+  CaptchaStage:
+    required:
+      - name
+      - public_key
+      - private_key
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      public_key:
+        title: Public key
+        description: Public key, acquired from https://www.google.com/recaptcha/intro/v3.html
+        type: string
+        minLength: 1
+      private_key:
+        title: Private key
+        description: Private key, acquired from https://www.google.com/recaptcha/intro/v3.html
+        type: string
+        minLength: 1
+  DummyStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+  EmailStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      host:
+        title: Host
+        type: string
+        minLength: 1
+      port:
+        title: Port
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      username:
+        title: Username
+        type: string
+      password:
+        title: Password
+        type: string
+      use_tls:
+        title: Use tls
+        type: boolean
+      use_ssl:
+        title: Use ssl
+        type: boolean
+      timeout:
+        title: Timeout
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
+      from_address:
+        title: From address
+        type: string
+        format: email
+        maxLength: 254
+        minLength: 1
+  IdentificationStage:
+    required:
+      - name
+      - user_fields
+      - template
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      user_fields:
+        description: Fields of the user object to match against.
+        type: array
+        items:
+          title: User fields
+          type: string
+          enum:
+            - email
+            - username
+      template:
+        title: Template
+        type: string
+        enum:
+          - stages/identification/login.html
+          - stages/identification/recovery.html
+  InvitationStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      continue_flow_without_invitation:
+        title: Continue flow without invitation
+        description: If this flag is set, this Stage will jump to the next Stage when
+          no Invitation is given. By default this Stage will cancel the Flow when
+          no invitation is given.
+        type: boolean
+  Invitation:
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      expires:
+        title: Expires
+        type: string
+        format: date-time
+        x-nullable: true
+      fixed_data:
+        title: Fixed data
+        type: object
+  OTPStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      enforced:
+        title: Enforced
+        description: Enforce enabled OTP for Users this stage applies to.
+        type: boolean
+  PasswordStage:
+    required:
+      - name
+      - backends
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      backends:
+        description: Selection of backends to test the password against.
+        type: array
+        items:
+          title: Backends
+          type: string
+          minLength: 1
+  Prompt:
+    required:
+      - field_key
+      - label
+      - type
+      - placeholder
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      field_key:
+        title: Field key
+        description: Name of the form field, also used to store the value
+        type: string
+        format: slug
+        pattern: ^[-a-zA-Z0-9_]+$
+        maxLength: 50
+        minLength: 1
+      label:
+        title: Label
+        type: string
+        minLength: 1
+      type:
+        title: Type
+        type: string
+        enum:
+          - text
+          - e-mail
+          - password
+          - number
+          - hidden
+      required:
+        title: Required
+        type: boolean
+      placeholder:
+        title: Placeholder
+        type: string
+        minLength: 1
+  PromptStage:
+    required:
+      - name
+      - fields
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+      fields:
+        type: array
+        items:
+          type: string
+          format: uuid
+        uniqueItems: true
+  UserDeleteStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+  UserLoginStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+  UserLogoutStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1
+  UserWriteStage:
+    required:
+      - name
+    type: object
+    properties:
+      pk:
+        title: Uuid
+        type: string
+        format: uuid
+        readOnly: true
+      name:
+        title: Name
+        type: string
+        minLength: 1

From 9859c5db0af46277809314beeda2c55349e7778c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 13:51:05 +0200
Subject: [PATCH 76/80] policies: add API for policybindings

---
 passbook/api/v2/urls.py     |  2 ++
 passbook/policies/api.py    | 21 +++++++++++++++++++++
 passbook/policies/models.py |  2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 passbook/policies/api.py

diff --git a/passbook/api/v2/urls.py b/passbook/api/v2/urls.py
index f00e6f636..c9482cfff 100644
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@@ -18,6 +18,7 @@ from passbook.core.api.sources import SourceViewSet
 from passbook.core.api.users import UserViewSet
 from passbook.flows.api import FlowStageBindingViewSet, FlowViewSet, StageViewSet
 from passbook.lib.utils.reflection import get_apps
+from passbook.policies.api import PolicyBindingViewSet
 from passbook.policies.expiry.api import PasswordExpiryPolicyViewSet
 from passbook.policies.expression.api import ExpressionPolicyViewSet
 from passbook.policies.hibp.api import HaveIBeenPwendPolicyViewSet
@@ -62,6 +63,7 @@ router.register("sources/ldap", LDAPSourceViewSet)
 router.register("sources/oauth", OAuthSourceViewSet)
 
 router.register("policies/all", PolicyViewSet)
+router.register("policies/bindings", PolicyBindingViewSet)
 router.register("policies/expression", ExpressionPolicyViewSet)
 router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
 router.register("policies/password", PasswordPolicyViewSet)
diff --git a/passbook/policies/api.py b/passbook/policies/api.py
new file mode 100644
index 000000000..7bf1be18a
--- /dev/null
+++ b/passbook/policies/api.py
@@ -0,0 +1,21 @@
+"""policy API Views"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.policies.models import PolicyBinding
+
+
+class PolicyBindingSerializer(ModelSerializer):
+    """PolicyBinding Serializer"""
+
+    class Meta:
+
+        model = PolicyBinding
+        fields = ["policy", "target", "enabled", "order"]
+
+
+class PolicyBindingViewSet(ModelViewSet):
+    """PolicyBinding Viewset"""
+
+    queryset = PolicyBinding.objects.all()
+    serializer_class = PolicyBindingSerializer
diff --git a/passbook/policies/models.py b/passbook/policies/models.py
index 033c818a0..e2c35786b 100644
--- a/passbook/policies/models.py
+++ b/passbook/policies/models.py
@@ -7,7 +7,7 @@ from passbook.lib.models import UUIDModel
 
 
 class PolicyBindingModel(models.Model):
-    """Base Model for objects which have Policies applied to them"""
+    """Base Model for objects that have policies applied to them."""
 
     policies = models.ManyToManyField(
         Policy, through="PolicyBinding", related_name="+", blank=True

From a7a839a29ccaf6b41749ab90f2b6517a7fe16b79 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 13:51:22 +0200
Subject: [PATCH 77/80] stages/prompt: promptstage based on PolicyBindingModel

---
 .../stages/prompt/migrations/0001_initial.py  |  21 ++-
 .../migrations/0002_auto_20200510_1648.py     |  31 ----
 passbook/stages/prompt/models.py              |   3 +-
 swagger.yaml                                  | 162 +++++++++++++++++-
 4 files changed, 172 insertions(+), 45 deletions(-)
 delete mode 100644 passbook/stages/prompt/migrations/0002_auto_20200510_1648.py

diff --git a/passbook/stages/prompt/migrations/0001_initial.py b/passbook/stages/prompt/migrations/0001_initial.py
index 5227f0c67..2809be16c 100644
--- a/passbook/stages/prompt/migrations/0001_initial.py
+++ b/passbook/stages/prompt/migrations/0001_initial.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.0.5 on 2020-05-10 14:03
+# Generated by Django 3.0.5 on 2020-05-14 11:46
 
 import uuid
 
@@ -11,7 +11,8 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
-        ("passbook_flows", "0003_auto_20200509_1258"),
+        ("passbook_flows", "0005_auto_20200512_1158"),
+        ("passbook_policies", "0003_auto_20200508_1642"),
     ]
 
     operations = [
@@ -42,6 +43,7 @@ class Migration(migrations.Migration):
                             ("e-mail", "Email"),
                             ("password", "Password"),
                             ("number", "Number"),
+                            ("hidden", "Hidden"),
                         ],
                         max_length=100,
                     ),
@@ -49,20 +51,29 @@ class Migration(migrations.Migration):
                 ("required", models.BooleanField(default=True)),
                 ("placeholder", models.TextField()),
             ],
-            options={"abstract": False,},
+            options={"verbose_name": "Prompt", "verbose_name_plural": "Prompts",},
         ),
         migrations.CreateModel(
             name="PromptStage",
             fields=[
                 (
                     "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        to="passbook_flows.Stage",
+                    ),
+                ),
+                (
+                    "policybindingmodel_ptr",
                     models.OneToOneField(
                         auto_created=True,
                         on_delete=django.db.models.deletion.CASCADE,
                         parent_link=True,
                         primary_key=True,
                         serialize=False,
-                        to="passbook_flows.Stage",
+                        to="passbook_policies.PolicyBindingModel",
                     ),
                 ),
                 ("fields", models.ManyToManyField(to="passbook_stages_prompt.Prompt")),
@@ -71,6 +82,6 @@ class Migration(migrations.Migration):
                 "verbose_name": "Prompt Stage",
                 "verbose_name_plural": "Prompt Stages",
             },
-            bases=("passbook_flows.stage",),
+            bases=("passbook_policies.policybindingmodel", "passbook_flows.stage"),
         ),
     ]
diff --git a/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py b/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py
deleted file mode 100644
index 439e201f1..000000000
--- a/passbook/stages/prompt/migrations/0002_auto_20200510_1648.py
+++ /dev/null
@@ -1,31 +0,0 @@
-# Generated by Django 3.0.5 on 2020-05-10 16:48
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("passbook_stages_prompt", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="prompt",
-            options={"verbose_name": "Prompt", "verbose_name_plural": "Prompts"},
-        ),
-        migrations.AlterField(
-            model_name="prompt",
-            name="type",
-            field=models.CharField(
-                choices=[
-                    ("text", "Text"),
-                    ("e-mail", "Email"),
-                    ("password", "Password"),
-                    ("number", "Number"),
-                    ("hidden", "Hidden"),
-                ],
-                max_length=100,
-            ),
-        ),
-    ]
diff --git a/passbook/stages/prompt/models.py b/passbook/stages/prompt/models.py
index 28df19fb0..c239c2224 100644
--- a/passbook/stages/prompt/models.py
+++ b/passbook/stages/prompt/models.py
@@ -5,6 +5,7 @@ from django.utils.translation import gettext_lazy as _
 
 from passbook.flows.models import Stage
 from passbook.lib.models import UUIDModel
+from passbook.policies.models import PolicyBindingModel
 
 
 class FieldTypes(models.TextChoices):
@@ -78,7 +79,7 @@ class Prompt(UUIDModel):
         verbose_name_plural = _("Prompts")
 
 
-class PromptStage(Stage):
+class PromptStage(PolicyBindingModel, Stage):
     """Prompt Stage, pointing to multiple prompts"""
 
     fields = models.ManyToManyField(Prompt)
diff --git a/swagger.yaml b/swagger.yaml
index cd9cc6476..7681d5484 100755
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -821,6 +821,133 @@ paths:
         required: true
         type: string
         format: uuid
+  /policies/bindings/:
+    get:
+      operationId: policies_bindings_list
+      description: PolicyBinding Viewset
+      parameters:
+        - name: ordering
+          in: query
+          description: Which field to use when ordering the results.
+          required: false
+          type: string
+        - name: search
+          in: query
+          description: A search term.
+          required: false
+          type: string
+        - name: limit
+          in: query
+          description: Number of results to return per page.
+          required: false
+          type: integer
+        - name: offset
+          in: query
+          description: The initial index from which to return the results.
+          required: false
+          type: integer
+      responses:
+        '200':
+          description: ''
+          schema:
+            required:
+              - count
+              - results
+            type: object
+            properties:
+              count:
+                type: integer
+              next:
+                type: string
+                format: uri
+                x-nullable: true
+              previous:
+                type: string
+                format: uri
+                x-nullable: true
+              results:
+                type: array
+                items:
+                  $ref: '#/definitions/PolicyBinding'
+      tags:
+        - policies
+    post:
+      operationId: policies_bindings_create
+      description: PolicyBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      responses:
+        '201':
+          description: ''
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      tags:
+        - policies
+    parameters: []
+  /policies/bindings/{uuid}/:
+    get:
+      operationId: policies_bindings_read
+      description: PolicyBinding Viewset
+      parameters: []
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      tags:
+        - policies
+    put:
+      operationId: policies_bindings_update
+      description: PolicyBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      tags:
+        - policies
+    patch:
+      operationId: policies_bindings_partial_update
+      description: PolicyBinding Viewset
+      parameters:
+        - name: data
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      responses:
+        '200':
+          description: ''
+          schema:
+            $ref: '#/definitions/PolicyBinding'
+      tags:
+        - policies
+    delete:
+      operationId: policies_bindings_delete
+      description: PolicyBinding Viewset
+      parameters: []
+      responses:
+        '204':
+          description: ''
+      tags:
+        - policies
+    parameters:
+      - name: uuid
+        in: path
+        description: A UUID string identifying this Policy Binding.
+        required: true
+        type: string
+        format: uuid
   /policies/dummy/:
     get:
       operationId: policies_dummy_list
@@ -4211,7 +4338,7 @@ paths:
       tags:
         - stages
     parameters: []
-  /stages/prompt/stages/{uuid}/:
+  /stages/prompt/stages/{id}/:
     get:
       operationId: stages_prompt_stages_read
       description: PromptStage Viewset
@@ -4265,12 +4392,11 @@ paths:
       tags:
         - stages
     parameters:
-      - name: uuid
+      - name: id
         in: path
-        description: A UUID string identifying this Prompt Stage.
+        description: A unique integer value identifying this Prompt Stage.
         required: true
-        type: string
-        format: uuid
+        type: integer
   /stages/user_delete/:
     get:
       operationId: stages_user_delete_list
@@ -5050,6 +5176,27 @@ definitions:
         title: 'type  '
         type: string
         readOnly: true
+  PolicyBinding:
+    required:
+      - policy
+      - target
+    type: object
+    properties:
+      policy:
+        title: Policy
+        type: string
+        format: uuid
+      target:
+        title: Target
+        type: integer
+      enabled:
+        title: Enabled
+        type: boolean
+      order:
+        title: Order
+        type: integer
+        maximum: 2147483647
+        minimum: -2147483648
   DummyPolicy:
     type: object
     properties:
@@ -6101,9 +6248,8 @@ definitions:
     type: object
     properties:
       pk:
-        title: Uuid
-        type: string
-        format: uuid
+        title: ID
+        type: integer
         readOnly: true
       name:
         title: Name

From 74ddf70cb7410284b6405c7de29f67827388d089 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 15:47:56 +0200
Subject: [PATCH 78/80] policy: add context to PolicyRequest

---
 passbook/policies/types.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/passbook/policies/types.py b/passbook/policies/types.py
index fd549589a..1fd65e63b 100644
--- a/passbook/policies/types.py
+++ b/passbook/policies/types.py
@@ -1,7 +1,7 @@
 """policy structures"""
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Optional, Tuple
+from typing import TYPE_CHECKING, Dict, Optional, Tuple
 
 from django.db.models import Model
 from django.http import HttpRequest
@@ -16,11 +16,13 @@ class PolicyRequest:
     user: User
     http_request: Optional[HttpRequest]
     obj: Optional[Model]
+    context: Dict[str, str]
 
     def __init__(self, user: User):
         self.user = user
         self.http_request = None
         self.obj = None
+        self.context = {}
 
     def __str__(self):
         return f"<PolicyRequest user={self.user}>"

From 776ad3cfbf4c4baac24a557197dad51df714e336 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 15:48:08 +0200
Subject: [PATCH 79/80] policies/expression: add pb_log function to debug

---
 passbook/policies/expression/evaluator.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index 6e10ea313..38c730c55 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -46,6 +46,11 @@ class Evaluator:
         """Check if `user` is member of group with name `group_name`"""
         return user.groups.filter(name=group_name).exists()
 
+    @staticmethod
+    def jinja2_log(message, **kwargs):
+        """Output debug log to console"""
+        return LOGGER.debug("Expression log", _m=message, **kwargs)
+
     def _get_expression_context(
         self, request: PolicyRequest, **kwargs
     ) -> Dict[str, Any]:
@@ -53,6 +58,7 @@ class Evaluator:
         # update passbook/policies/expression/templates/policy/expression/form.html
         # update docs/policies/expression/index.md
         kwargs["pb_is_group_member"] = Evaluator.jinja2_func_is_group_member
+        kwargs["pb_log"] = Evaluator.jinja2_log
         kwargs["pb_logger"] = get_logger()
         if request.http_request:
             kwargs["pb_is_sso_flow"] = request.http_request.session.get(
@@ -88,7 +94,7 @@ class Evaluator:
             if isinstance(result, (list, tuple)) and len(result) == 2:
                 return PolicyResult(*result)
             if result:
-                return PolicyResult(result)
+                return PolicyResult(bool(result))
             return PolicyResult(False)
         except UndefinedError as exc:
             return PolicyResult(False, str(exc))

From 814c797c6409437f923b93a2445939d6318ecd2b Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 14 May 2020 15:48:23 +0200
Subject: [PATCH 80/80] stages/prompt: add policy verification logic

---
 passbook/stages/prompt/forms.py | 17 +++++++++++++-
 passbook/stages/prompt/stage.py |  1 +
 passbook/stages/prompt/tests.py | 41 +++++++++++++++++++++++++++++++--
 3 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/passbook/stages/prompt/forms.py b/passbook/stages/prompt/forms.py
index e15811cc2..ac520c2da 100644
--- a/passbook/stages/prompt/forms.py
+++ b/passbook/stages/prompt/forms.py
@@ -1,6 +1,9 @@
 """Prompt forms"""
 from django import forms
+from guardian.shortcuts import get_anonymous_user
 
+from passbook.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from passbook.policies.engine import PolicyEngine
 from passbook.stages.prompt.models import Prompt, PromptStage
 
 
@@ -20,10 +23,22 @@ class PromptForm(forms.Form):
     """Dynamically created form based on PromptStage"""
 
     stage: PromptStage
+    plan: FlowPlan
 
-    def __init__(self, stage: PromptStage, *args, **kwargs):
+    def __init__(self, stage: PromptStage, plan: FlowPlan, *args, **kwargs):
         self.stage = stage
+        self.plan = plan
         super().__init__(*args, **kwargs)
         for field in self.stage.fields.all():
             field: Prompt
             self.fields[field.field_key] = field.field
+
+    def clean(self):
+        cleaned_data = super().clean()
+        user = self.plan.context.get(PLAN_CONTEXT_PENDING_USER, get_anonymous_user())
+        engine = PolicyEngine(self.stage.policies.all(), user)
+        engine.request.context = cleaned_data
+        engine.build()
+        passing, messages = engine.result
+        if not passing:
+            raise forms.ValidationError(messages)
diff --git a/passbook/stages/prompt/stage.py b/passbook/stages/prompt/stage.py
index 08c2601a7..c7b256d46 100644
--- a/passbook/stages/prompt/stage.py
+++ b/passbook/stages/prompt/stage.py
@@ -25,6 +25,7 @@ class PromptStageView(FormView, AuthenticationStage):
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
         kwargs["stage"] = self.executor.current_stage
+        kwargs["plan"] = self.executor.plan
         return kwargs
 
     def form_valid(self, form: PromptForm) -> HttpResponse:
diff --git a/passbook/stages/prompt/tests.py b/passbook/stages/prompt/tests.py
index 3551a2e47..d4d2e108d 100644
--- a/passbook/stages/prompt/tests.py
+++ b/passbook/stages/prompt/tests.py
@@ -8,6 +8,8 @@ from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.flows.planner import FlowPlan
 from passbook.flows.views import SESSION_KEY_PLAN
+from passbook.policies.expression.models import ExpressionPolicy
+from passbook.policies.models import PolicyBinding
 from passbook.stages.prompt.forms import PromptForm
 from passbook.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from passbook.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@@ -47,6 +49,13 @@ class TestPromptStage(TestCase):
             required=True,
             placeholder="PASSWORD_PLACEHOLDER",
         )
+        password2_prompt = Prompt.objects.create(
+            field_key="password2_prompt",
+            label="PASSWORD_LABEL",
+            type=FieldTypes.PASSWORD,
+            required=True,
+            placeholder="PASSWORD_PLACEHOLDER",
+        )
         number_prompt = Prompt.objects.create(
             field_key="number_prompt",
             label="NUMBER_LABEL",
@@ -62,7 +71,14 @@ class TestPromptStage(TestCase):
         )
         self.stage = PromptStage.objects.create(name="prompt-stage")
         self.stage.fields.set(
-            [text_prompt, email_prompt, password_prompt, number_prompt, hidden_prompt,]
+            [
+                text_prompt,
+                email_prompt,
+                password_prompt,
+                password2_prompt,
+                number_prompt,
+                hidden_prompt,
+            ]
         )
         self.stage.save()
 
@@ -70,6 +86,7 @@ class TestPromptStage(TestCase):
             text_prompt.field_key: "test-input",
             email_prompt.field_key: "test@test.test",
             password_prompt.field_key: "test",
+            password2_prompt.field_key: "test",
             number_prompt.field_key: 3,
             hidden_prompt.field_key: hidden_prompt.placeholder,
         }
@@ -115,10 +132,30 @@ class TestPromptStage(TestCase):
 
     def test_valid_form(self) -> PromptForm:
         """Test form validation"""
-        form = PromptForm(stage=self.stage, data=self.prompt_data)
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        expr = (
+            "{{ request.context.password_prompt == request.context.password2_prompt }}"
+        )
+        expr_policy = ExpressionPolicy.objects.create(
+            name="validate-form", expression=expr
+        )
+        PolicyBinding.objects.create(policy=expr_policy, target=self.stage)
+        form = PromptForm(stage=self.stage, plan=plan, data=self.prompt_data)
         self.assertEqual(form.is_valid(), True)
         return form
 
+    def test_invalid_form(self) -> PromptForm:
+        """Test form validation"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])
+        expr = "False"
+        expr_policy = ExpressionPolicy.objects.create(
+            name="validate-form", expression=expr
+        )
+        PolicyBinding.objects.create(policy=expr_policy, target=self.stage)
+        form = PromptForm(stage=self.stage, plan=plan, data=self.prompt_data)
+        self.assertEqual(form.is_valid(), False)
+        return form
+
     def test_valid_form_request(self):
         """Test a request with valid form data"""
         plan = FlowPlan(flow_pk=self.flow.pk.hex, stages=[self.stage])