From ec67b602199ab889714d5a1fc9fdce99d3c20ad3 Mon Sep 17 00:00:00 2001
From: Jens L <jens.langhammer@beryju.org>
Date: Tue, 10 May 2022 23:47:36 +0200
Subject: [PATCH] policies/hibp: check in prompt data (#2845)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/policies/hibp/models.py | 8 ++++++--
 authentik/policies/hibp/tests.py  | 5 +++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/authentik/policies/hibp/models.py b/authentik/policies/hibp/models.py
index b6e2c4531..d9884f3bf 100644
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@@ -9,6 +9,7 @@ from structlog.stdlib import get_logger
 from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyResult
 from authentik.policies.types import PolicyRequest
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 LOGGER = get_logger()
 
@@ -38,14 +39,17 @@ class HaveIBeenPwendPolicy(Policy):
         """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
         characters of Password in request and checks if full hash is in response. Returns 0
         if Password is not in result otherwise the count of how many times it was used."""
-        if self.password_field not in request.context:
+        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
+            self.password_field, request.context.get(self.password_field)
+        )
+        if not password:
             LOGGER.warning(
                 "Password field not set in Policy Request",
                 field=self.password_field,
                 fields=request.context.keys(),
             )
             return PolicyResult(False, _("Password not set in context"))
-        password = str(request.context[self.password_field])
+        password = str(password)
 
         pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
         url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
diff --git a/authentik/policies/hibp/tests.py b/authentik/policies/hibp/tests.py
index 0f6339239..89c79bf0b 100644
--- a/authentik/policies/hibp/tests.py
+++ b/authentik/policies/hibp/tests.py
@@ -5,6 +5,7 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.lib.generators import generate_key
 from authentik.policies.hibp.models import HaveIBeenPwendPolicy
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 
 class TestHIBPPolicy(TestCase):
@@ -26,7 +27,7 @@ class TestHIBPPolicy(TestCase):
             name="test_false",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "password"  # nosec
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
         result: PolicyResult = policy.passes(request)
         self.assertFalse(result.passing)
         self.assertTrue(result.messages[0].startswith("Password exists on "))
@@ -37,7 +38,7 @@ class TestHIBPPolicy(TestCase):
             name="test_true",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = generate_key()
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
         result: PolicyResult = policy.passes(request)
         self.assertTrue(result.passing)
         self.assertEqual(result.messages, tuple())