policies/hibp: check in prompt data (#2845)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/policies/hibp/models.py

@@ -9,6 +9,7 @@ from structlog.stdlib import get_logger
 from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyResult
 from authentik.policies.types import PolicyRequest
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 LOGGER = get_logger()
 
@@ -38,14 +39,17 @@ class HaveIBeenPwendPolicy(Policy):
         """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5
         characters of Password in request and checks if full hash is in response. Returns 0
         if Password is not in result otherwise the count of how many times it was used."""
-        if self.password_field not in request.context:
+        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
+            self.password_field, request.context.get(self.password_field)
+        )
+        if not password:
             LOGGER.warning(
                 "Password field not set in Policy Request",
                 field=self.password_field,
                 fields=request.context.keys(),
             )
             return PolicyResult(False, _("Password not set in context"))
-        password = str(request.context[self.password_field])
+        password = str(password)
 
         pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
         url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"

authentik/policies/hibp/tests.py

@@ -5,6 +5,7 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.lib.generators import generate_key
 from authentik.policies.hibp.models import HaveIBeenPwendPolicy
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
 
 class TestHIBPPolicy(TestCase):
@@ -26,7 +27,7 @@ class TestHIBPPolicy(TestCase):
             name="test_false",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "password"  # nosec
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
         result: PolicyResult = policy.passes(request)
         self.assertFalse(result.passing)
         self.assertTrue(result.messages[0].startswith("Password exists on "))
@@ -37,7 +38,7 @@ class TestHIBPPolicy(TestCase):
             name="test_true",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = generate_key()
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
         result: PolicyResult = policy.passes(request)
         self.assertTrue(result.passing)
         self.assertEqual(result.messages, tuple())