bump version: 0.1.14-beta -> 0.1.15-beta

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.11-beta
+current_version = 0.1.15-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.gitlab-ci.yml

@@ -54,7 +54,7 @@ package-docker:
   before_script:
     - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.11-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.15-beta
   stage: build
   only:
     - tags
@@ -115,17 +115,15 @@ package-debian:
 #     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
 #     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
 
-deploy:
-  environment:
-    name: production
-    url: https://passbook-prod.default.k8s.beryju.org/
-  stage: deploy
-  only:
-  - tags
-  - /^version/.*$/
-  script:
-    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-    - helm init --client-only
-    - helm repo add beryju.org https://pkg.beryju.org/repository/helm/
-    - helm repo update
-    - helm upgrade passbook-prod beryju.org/passbook --devel
+# deploy:
+#   environment:
+#     name: production
+#     url: https://passbook-prod.default.k8s.beryju.org/
+#   stage: deploy
+#   only:
+#   - tags
+#   - /^version/.*$/
+#   script:
+#     - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+#     - helm init
+#     - helm upgrade passbook-prod helm/passbook --devel

debian/changelog

@@ -1,3 +1,22 @@
+passbook (0.1.14) stable; urgency=medium
+
+  * bump version: 0.1.11-beta -> 0.1.12-beta
+  * Fix DoesNotExist error when running PolicyEngine against None user
+  * allow custom email server for helm installs
+  * fix UserChangePasswordView not requiring Login
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 10:28:36 +0000
+
+passbook (0.1.12) stable; urgency=medium
+
+  * bump version: 0.1.10-beta -> 0.1.11-beta
+  * rewrite PasswordFactor to use backends setting instead of trying all backends
+  * install updated helm release from local folder
+  * disable automatic k8s deployment for now
+  * fix OAuth Authorization View not requiring authentication
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Mon, 11 Mar 2019 08:50:29 +0000
+
 passbook (0.1.11) stable; urgency=medium
 
   * add group administration

debian/control

@@ -8,7 +8,7 @@ Standards-Version: 3.9.6
 
 Package: passbook
 Architecture: all
-Recommends: mysql-server, redis-server
+Recommends: mysql-server, rabbitmq-server
 Pre-Depends: adduser, libldap2-dev, libsasl2-dev
 Depends: python3 (>= 3.5) | python3.6 | python3.7, python3-pip, dbconfig-pgsql | dbconfig-no-thanks, ${misc:Depends}
 Description: Authentication Provider/Proxy supporting protocols like SAML, OAuth, LDAP and more.

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.11-beta"
+appVersion: "0.1.15-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.11-beta"
+version: "0.1.15-beta"
 icon: https://passbook.beryju.org/images/logo.png

helm/passbook/requirements.lock

@@ -1,9 +1,9 @@
 dependencies:
-- name: redis
+- name: rabbitmq
   repository: https://kubernetes-charts.storage.googleapis.com/
-  version: 5.1.0
+  version: 4.3.2
 - name: postgresql
   repository: https://kubernetes-charts.storage.googleapis.com/
   version: 3.10.1
-digest: sha256:04bd136761f070e94a2ff32ff48ff87f5e07fbd451e5fd7f65551e3bd4680e5e
-generated: 2019-02-08T12:08:49.090666+01:00
+digest: sha256:c36e054785f7d706d7d3f525eb1b167dbc89b42f84da7fc167a18bbb6542c999
+generated: 2019-03-11T20:36:35.125079+01:00

helm/passbook/requirements.yaml

@@ -1,6 +1,6 @@
 dependencies:
-- name: redis
-  version: 5.1.0
+- name: rabbitmq
+  version: 4.3.2
   repository: https://kubernetes-charts.storage.googleapis.com/
 - name: postgresql
   version: 3.10.1

helm/passbook/templates/passbook-configmap.yaml

@@ -22,7 +22,7 @@ data:
         host: 127.0.0.1
         port: 514
     email:
-      host: localhost
+      host: {{ .Values.config.email.host }}
       port: 25
       user: ''
       password: ''
@@ -36,7 +36,7 @@ data:
     debug: false
     secure_proxy_header:
       HTTP_X_FORWARDED_PROTO: https
-    redis: ":{{ .Values.redis.password }}@{{ .Release.Name }}-redis-master"
+    rabbitmq: "user:{{ .Values.rabbitmq.rabbitmq.password }}@{{ .Release.Name }}-rabbitmq-master"
     # Error reporting, sends stacktrace to sentry.services.beryju.org
     error_report_enabled: {{ .Values.config.error_reporting }}
 

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.11-beta
+  tag: 0.1.15-beta
 
 nameOverride: ""
 
@@ -14,10 +14,16 @@ config:
   # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
   error_reporting: true
+  email:
+    host: localhost
 
 postgresql:
-    postgresqlDatabase: passbook
-    postgresqlPassword: foo
+  postgresqlDatabase: passbook
+  postgresqlPassword: foo
+
+rabbitmq:
+  rabbitmq:
+    password: foo
 
 service:
   type: ClusterIP
@@ -31,7 +37,6 @@ ingress:
   path: /
   hosts:
     - passbook.k8s.local
-    - kubernetes-healthcheck-host
   defaultHost: passbook.k8s.local
   tls: []
   #  - secretName: chart-example-tls

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/core/auth/factors/password.py

@@ -1,8 +1,10 @@
 """passbook multi-factor authentication engine"""
+from inspect import Signature
 from logging import getLogger
 
 from django.contrib import messages
-from django.contrib.auth import authenticate
+from django.contrib.auth import _clean_credentials
+from django.contrib.auth.signals import user_login_failed
 from django.core.exceptions import PermissionDenied
 from django.forms.utils import ErrorList
 from django.shortcuts import redirect, reverse
@@ -15,10 +17,40 @@ from passbook.core.forms.authentication import PasswordFactorForm
 from passbook.core.models import Nonce
 from passbook.core.tasks import send_email
 from passbook.lib.config import CONFIG
+from passbook.lib.utils.reflection import path_to_class
 
 LOGGER = getLogger(__name__)
 
 
+def authenticate(request, backends, **credentials):
+    """If the given credentials are valid, return a User object.
+    Customized version of django's authenticate, which accepts a list of backends"""
+    for backend_path in backends:
+        backend = path_to_class(backend_path)()
+        try:
+            signature = Signature.from_callable(backend.authenticate)
+            signature.bind(request, **credentials)
+        except TypeError:
+            LOGGER.debug("Backend %s doesn't accept our arguments", backend)
+            # This backend doesn't accept these credentials as arguments. Try the next one.
+            continue
+        LOGGER.debug('Attempting authentication with %s...', backend)
+        try:
+            user = backend.authenticate(request, **credentials)
+        except PermissionDenied:
+            LOGGER.debug('Backend %r threw PermissionDenied', backend)
+            # This backend says to stop in our tracks - this user should not be allowed in at all.
+            break
+        if user is None:
+            continue
+        # Annotate the user object with the path of the backend.
+        user.backend = backend_path
+        return user
+
+    # The credentials supplied are invalid to all backends, fire signal
+    user_login_failed.send(sender=__name__, credentials=_clean_credentials(
+        credentials), request=request)
+
 class PasswordFactor(FormView, AuthenticationFactor):
     """Authentication factor which authenticates against django's AuthBackend"""
 
@@ -57,7 +89,7 @@ class PasswordFactor(FormView, AuthenticationFactor):
         for uid_field in uid_fields:
             kwargs[uid_field] = getattr(self.authenticator.pending_user, uid_field)
         try:
-            user = authenticate(self.request, **kwargs)
+            user = authenticate(self.request, self.authenticator.current_factor.backends, **kwargs)
             if user:
                 # User instance returned from authenticate() has .backend property set
                 self.authenticator.pending_user = user

passbook/core/forms/factors.py

@@ -1,13 +1,20 @@
 """passbook administration forms"""
 from django import forms
+from django.conf import settings
 from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext as _
 
 from passbook.core.models import DummyFactor, PasswordFactor
-from passbook.lib.fields import DynamicArrayField
+from passbook.lib.utils.reflection import path_to_class
 
 GENERAL_FIELDS = ['name', 'slug', 'order', 'policies', 'enabled']
 
+def get_authentication_backends():
+    """Return all available authentication backends as tuple set"""
+    for backend in settings.AUTHENTICATION_BACKENDS:
+        klass = path_to_class(backend)
+        yield backend, getattr(klass(), 'name', '%s (%s)' % (klass.__name__, klass.__module__))
+
 class PasswordFactorForm(forms.ModelForm):
     """Form to create/edit Password Factors"""
 
@@ -18,10 +25,9 @@ class PasswordFactorForm(forms.ModelForm):
         widgets = {
             'name': forms.TextInput(),
             'order': forms.NumberInput(),
-            'policies': FilteredSelectMultiple(_('policies'), False)
-        }
-        field_classes = {
-            'backends': DynamicArrayField
+            'policies': FilteredSelectMultiple(_('policies'), False),
+            'backends': FilteredSelectMultiple(_('backends'), False,
+                                               choices=get_authentication_backends())
         }
 
 class DummyFactorForm(forms.ModelForm):

passbook/core/migrations/0014_auto_20190226_0850.py

@@ -11,7 +11,7 @@ def create_initial_factor(apps, schema_editor):
             name='password',
             slug='password',
             order=0,
-            backends=[]
+            backends=['django.contrib.auth.backends.ModelBackend']
         )
 
 class Migration(migrations.Migration):

passbook/core/policies.py

@@ -12,6 +12,8 @@ LOGGER = getLogger(__name__)
 @CELERY_APP.task()
 def _policy_engine_task(user_pk, policy_pk, **kwargs):
     """Task wrapper to run policy checking"""
+    if not user_pk:
+        raise ValueError()
     policy_obj = Policy.objects.filter(pk=policy_pk).select_subclasses().first()
     user_obj = User.objects.get(pk=user_pk)
     for key, value in kwargs.items():
@@ -73,7 +75,12 @@ class PolicyEngine:
     def result(self):
         """Get policy-checking result"""
         messages = []
-        for policy_action, policy_result, policy_message in self._group.get():
+        try:
+            # ValueError can be thrown from _policy_engine_task when user is None
+            group_result = self._group.get()
+        except ValueError as exc:
+            return False, str(exc)
+        for policy_action, policy_result, policy_message in group_result:
             passing = (policy_action == Policy.ACTION_ALLOW and policy_result) or \
                       (policy_action == Policy.ACTION_DENY and not policy_result)
             LOGGER.debug('Action=%s, Result=%r => %r', policy_action, policy_result, passing)

passbook/core/requirements.txt

@@ -7,7 +7,6 @@ raven
 markdown
 colorlog
 celery
-redis
 psycopg2
 idna<2.8,>=2.5
 cherrypy

passbook/core/settings.py

@@ -47,8 +47,7 @@ SESSION_COOKIE_NAME = 'passbook_session'
 LANGUAGE_COOKIE_NAME = 'passbook_language'
 
 AUTHENTICATION_BACKENDS = [
-    'django.contrib.auth.backends.ModelBackend',
-    'passbook.oauth_client.backends.AuthorizedServiceBackend'
+    'django.contrib.auth.backends.ModelBackend'
 ]
 
 # Application definition
@@ -185,8 +184,9 @@ CELERY_TIMEZONE = TIME_ZONE
 CELERY_BEAT_SCHEDULE = {}
 CELERY_CREATE_MISSING_QUEUES = True
 CELERY_TASK_DEFAULT_QUEUE = 'passbook'
-CELERY_BROKER_URL = 'redis://%s' % CONFIG.get('redis')
-CELERY_RESULT_BACKEND = 'redis://%s' % CONFIG.get('redis')
+CELERY_BROKER_URL = 'amqp://%s' % CONFIG.get('rabbitmq')
+CELERY_RESULT_BACKEND = 'rpc://'
+CELERY_ACKS_LATE = True
 
 # Raven settings
 RAVEN_CONFIG = {

passbook/core/tests/test_auth_view.py

@@ -18,9 +18,12 @@ class TestFactorAuthentication(TestCase):
         super().setUp()
         self.password = ''.join(SystemRandom().choice(
             string.ascii_uppercase + string.digits) for _ in range(8))
-        self.factor, _ = PasswordFactor.objects.get_or_create(name='password',
-                                                              slug='password',
-                                                              backends=[])
+        self.factor, _ = PasswordFactor.objects.get_or_create(slug='password', defaults={
+            'name': 'password',
+            'slug': 'password',
+            'order': 0,
+            'backends': ['django.contrib.auth.backends.ModelBackend']
+        })
         self.user = User.objects.create_user(username='test',
                                              email='test@test.test',
                                              password=self.password)

passbook/core/tests/test_views_utils.py

@@ -1,7 +1,10 @@
 """passbook util view tests"""
+import string
+from random import SystemRandom
 
 from django.test import RequestFactory, TestCase
 
+from passbook.core.models import User
 from passbook.core.views.utils import LoadingView, PermissionDeniedView
 
 
@@ -9,6 +12,11 @@ class TestUtilViews(TestCase):
     """Test Utility Views"""
 
     def setUp(self):
+        self.user = User.objects.create_superuser(
+            username='unittest user',
+            email='unittest@example.com',
+            password=''.join(SystemRandom().choice(
+                string.ascii_uppercase + string.digits) for _ in range(8)))
         self.factory = RequestFactory()
 
     def test_loading_view(self):
@@ -21,5 +29,6 @@ class TestUtilViews(TestCase):
     def test_permission_denied_view(self):
         """Test PermissionDeniedView"""
         request = self.factory.get('something')
+        request.user = self.user
         response = PermissionDeniedView.as_view()(request)
         self.assertEqual(response.status_code, 200)

passbook/core/views/user.py

@@ -1,6 +1,7 @@
 """passbook core user views"""
 from django.contrib import messages
 from django.contrib.auth import logout, update_session_auth_hash
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.messages.views import SuccessMessageMixin
 from django.forms.utils import ErrorList
 from django.shortcuts import redirect, reverse
@@ -13,7 +14,7 @@ from passbook.core.forms.users import PasswordChangeForm, UserDetailForm
 from passbook.lib.config import CONFIG
 
 
-class UserSettingsView(SuccessMessageMixin, UpdateView):
+class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
     """Update User settings"""
 
     template_name = 'user/settings.html'
@@ -25,7 +26,8 @@ class UserSettingsView(SuccessMessageMixin, UpdateView):
     def get_object(self):
         return self.request.user
 
-class UserDeleteView(DeleteView):
+
+class UserDeleteView(LoginRequiredMixin, DeleteView):
     """Delete user account"""
 
     template_name = 'generic/delete.html'
@@ -38,7 +40,8 @@ class UserDeleteView(DeleteView):
         logout(self.request)
         return reverse('passbook_core:auth-login')
 
-class UserChangePasswordView(FormView):
+
+class UserChangePasswordView(LoginRequiredMixin, FormView):
     """View for users to update their password"""
 
     form_class = PasswordChangeForm

passbook/core/views/utils.py

@@ -1,5 +1,5 @@
 """passbook core utils view"""
-
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.utils.translation import ugettext as _
 from django.views.generic import TemplateView
 
@@ -21,7 +21,7 @@ class LoadingView(TemplateView):
         kwargs['target_url'] = self.get_url()
         return super().get_context_data(**kwargs)
 
-class PermissionDeniedView(TemplateView):
+class PermissionDeniedView(LoginRequiredMixin, TemplateView):
     """Generic Permission denied view"""
 
     template_name = 'login/denied.html'

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/lib/default.yml

@@ -29,7 +29,7 @@ web:
 debug: false
 secure_proxy_header:
   HTTP_X_FORWARDED_PROTO: https
-redis: localhost
+rabbitmq: guest:guest@localhost/passbook
 # Error reporting, sends stacktrace to sentry.services.beryju.org
 error_report_enabled: true
 secret_key: 9$@r!d^1^jrn#fk#1#@ks#9&i$^s#1)_13%$rwjrhd=e8jfi_s

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/oauth_provider/views/oauth2.py

@@ -2,6 +2,7 @@
 from logging import getLogger
 from urllib.parse import urlencode
 
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.shortcuts import get_object_or_404, redirect, reverse
 from django.utils.translation import ugettext as _
 from oauth2_provider.views.base import AuthorizationView
@@ -15,7 +16,7 @@ from passbook.oauth_provider.models import OAuth2Provider
 LOGGER = getLogger(__name__)
 
 
-class PassbookAuthorizationLoadingView(LoadingView):
+class PassbookAuthorizationLoadingView(LoginRequiredMixin, LoadingView):
     """Show loading view for permission checks"""
 
     title = _('Checking permissions...')

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.11-beta'
+__version__ = '0.1.15-beta'