new release: 0.1.33-beta

.bumpversion.cfg

@@ -1,10 +1,10 @@
 [bumpversion]
-current_version = 0.1.31-beta
+current_version = 0.1.33-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
 serialize = {major}.{minor}.{patch}-{release}
-message = bump version: {current_version} -> {new_version}
+message = new release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:release]

.gitlab-ci.yml

@@ -1,127 +1,133 @@
 # Global Variables
-before_script:
-    - "python3 -m pip install -U virtualenv"
-    - "virtualenv env"
-    - "source env/bin/activate"
-    - "pip3 install -U -r requirements-dev.txt"
 stages:
-    - test
-    - build
-    - docs
-    - deploy
-image: python:3.6
+  - build-buildimage
+  - test
+  - build
+  - docs
+  - deploy
+image: docker.pkg.beryju.org/passbook-build-base:latest
 services:
-    - postgres:latest
-    - redis:latest
+  - postgres:latest
+  - redis:latest
 
 variables:
-    POSTGRES_DB: passbook
-    POSTGRES_USER: passbook
-    POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  POSTGRES_DB: passbook
+  POSTGRES_USER: passbook
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 
-include:
-    - /client-packages/allauth/.gitlab-ci.yml
+create-build-image:
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile.build-base --destination docker.pkg.beryju.org/passbook-build-base:latest --destination docker.pkg.beryju.org/passbook-build-base:0.1.33-beta
+  stage: build-buildimage
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
 
 isort:
-    script:
-        - isort -c -sg env
-    stage: test
+  script:
+    - isort -c -sg env
+  stage: test
 migrations:
-    script:
-        - python manage.py migrate
-    stage: test
+  script:
+    - python manage.py migrate
+  stage: test
 prospector:
-    script:
-        - prospector
-    stage: test
+  script:
+    - prospector
+  stage: test
 pylint:
-    script:
-        - pylint passbook
-    stage: test
+  script:
+    - pylint passbook
+  stage: test
 coverage:
-    script:
-        - python manage.py collectstatic --no-input
-        - coverage run manage.py test
-        - coverage report
-    stage: test
+  script:
+    - python manage.py collectstatic --no-input
+    - coverage run manage.py test
+    - coverage report
+  stage: test
 bandit:
-    script:
-        - bandit -r passbook
-    stage: test
+  script:
+    - bandit -r passbook
+  stage: test
 
 package-docker:
-    image:
-        name: gcr.io/kaniko-project/executor:debug
-        entrypoint: [""]
-    before_script:
-        - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
-    script:
-        - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.31-beta
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script:
+    - echo "{\"auths\":{\"docker.$NEXUS_URL\":{\"auth\":\"$NEXUS_AUTH\"}}}" > /kaniko/.docker/config.json
+  script:
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.1.33-beta
+  stage: build
+  only:
+    - tags
+    - /^version/.*$/
 package-helm:
-    stage: build
-    script:
-        - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-        - helm init --client-only
-        - helm package helm/passbook
-        - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
-    only:
-        - tags
-        - /^version/.*$/
+  stage: build
+  script:
+    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
+    - helm init --client-only
+    - helm package helm/passbook
+    - ./manage.py nexus_upload --method put --url $NEXUS_URL --auth $NEXUS_AUTH --repo helm *.tgz
+  only:
+    - tags
+    - /^version/.*$/
 package-debian:
-    before_script:
-        - apt update
-        - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
-        - mk-build-deps debian/control
-        - apt install ./*build-deps*deb -f -y
-        - python3 -m pip install -U virtualenv pip
-        - virtualenv env
-        - source env/bin/activate
-        - pip3 install -U -r requirements.txt -r requirements-dev.txt
-        - ./manage.py collectstatic --no-input
-    image: ubuntu:18.04
-    script:
-        - debuild -us -uc
-        - cp ../passbook*.deb .
-        - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
-    artifacts:
-        paths:
-            - passbook*deb
-        expire_in: 2 days
-    stage: build
-    only:
-        - tags
-        - /^version/.*$/
+  before_script:
+    - apt update
+    - apt install -y --no-install-recommends build-essential debhelper devscripts equivs python3 python3-dev python3-pip libsasl2-dev libldap2-dev
+    - mk-build-deps debian/control
+    - apt install ./*build-deps*deb -f -y
+    - python3 -m pip install -U virtualenv pip
+    - virtualenv env
+    - source env/bin/activate
+    - pip3 install -U -r requirements.txt -r requirements-dev.txt
+    - ./manage.py collectstatic --no-input
+  image: ubuntu:18.04
+  script:
+    - debuild -us -uc
+    - cp ../passbook*.deb .
+    - ./manage.py nexus_upload --method post --url $NEXUS_URL --auth $NEXUS_AUTH --repo apt passbook*deb
+  artifacts:
+    paths:
+      - passbook*deb
+    expire_in: 2 days
+  stage: build
+  only:
+    - tags
+    - /^version/.*$/
 
 package-client-package-allauth:
-    script:
-        - cd client-packages/allauth
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/allauth/**
+  script:
+    - cd client-packages/allauth
+    - python setup.py sdist
+    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+  stage: build
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+    changes:
+      - client-packages/allauth/**
 
 package-client-package-sentry:
-    script:
-        - cd client-packages/sentry-auth-passbook
-        - python setup.py sdist
-        - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
-    stage: build
-    only:
-        refs:
-            - tags
-            - /^version/.*$/
-        changes:
-            - client-packages/sentry-auth-passbook/**
-
+  script:
+    - cd client-packages/sentry-auth-passbook
+    - python setup.py sdist
+    - twine upload --username $TWINE_USERNAME --password $TWINE_PASSWORD dist/*
+  stage: build
+  only:
+    refs:
+      - tags
+      - /^version/.*$/
+    changes:
+      - client-packages/sentry-auth-passbook/**
 # docs:
 #   stage: docs
 #   only:

Dockerfile.build-base

@@ -0,0 +1,12 @@
+FROM python:3.6
+
+COPY ./passbook/ /app/passbook
+COPY ./client-packages/ /app/client-packages
+COPY ./requirements.txt /app/
+COPY ./requirements-dev.txt /app/
+
+WORKDIR /app/
+
+RUN apt-get update && apt-get install libssl-dev libffi-dev libpq-dev -y && \
+     pip install -U -r requirements-dev.txt && \
+     rm -rf /app/*

client-packages/allauth/.gitlab-ci.yml

@@ -1,27 +0,0 @@
-# Global Variables
-before_script:
-  - cd allauth/
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test-allauth
-image: python:3.6
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test-allauth
-prospector:
-  script:
-    - prospector
-  stage: test-allauth
-pylint:
-  script:
-    - pylint passbook
-  stage: test-allauth
-bandit:
-  script:
-    - bandit -r allauth_passbook
-  stage: test-allauth

client-packages/allauth/setup.py

@@ -3,7 +3,7 @@ from setuptools import setup
 
 setup(
     name='django-allauth-passbook',
-    version='0.1.31-beta',
+    version='0.1.33-beta',
     description='passbook support for django-allauth',
     # long_description='\n'.join(read_simple('docs/index.md')[2:]),
     long_description_content_type='text/markdown',

client-packages/sentry-auth-passbook/setup.py

@@ -18,7 +18,7 @@ tests_require = [
 
 setup(
     name='sentry-auth-passbook',
-    version='0.1.31-beta',
+    version='0.1.33-beta',
     author='BeryJu.org',
     author_email='support@beryju.org',
     url='https://passbook.beryju.org',

debian/changelog

@@ -1,3 +1,23 @@
+passbook (0.1.33) stable; urgency=medium
+
+  * bump version: 0.1.31-beta -> 0.1.32-beta
+  * fix EntityID being None in SAML Metadata
+  * fix SAML Request not being parsed all the time
+  * add Rancher SAML processor
+  * remove unused import
+  * fix broken icon for helm chart
+  * switch to custom CI base image with dependencies installed
+  * remove included CI file
+
+  -- Jens Langhammer <jens.langhammer@beryju.org>  Thu, 18 Apr 2019 08:23:55 +0000
+
+passbook (0.1.32) stable; urgency=medium
+
+  * bump version: 0.1.30-beta -> 0.1.31-beta
+  * automatically add response_type if not given in OAuth Request
+
+ -- Jens Langhammer <jens.langhammer@beryju.org>  Wed, 17 Apr 2019 12:25:58 +0000
+
 passbook (0.1.31) stable; urgency=medium
 
   * bump version: 0.1.29-beta -> 0.1.30-beta

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.1.31-beta"
+appVersion: "0.1.33-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.1.31-beta"
-icon: https://passbook.beryju.org/images/logo.png
+version: "0.1.33-beta"
+icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  tag: 0.1.31-beta
+  tag: 0.1.33-beta
 
 nameOverride: ""
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/admin/__init__.py

@@ -1,2 +1,2 @@
 """passbook admin"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/api/__init__.py

@@ -1,2 +1,2 @@
 """passbook api"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/app_gw/__init__.py

@@ -1,2 +1,2 @@
 """passbook Application Security Gateway Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/audit/__init__.py

@@ -1,2 +1,2 @@
 """passbook audit Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/captcha_factor/__init__.py

@@ -1,2 +1,2 @@
 """passbook captcha_factor Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/core/__init__.py

@@ -1,2 +1,2 @@
 """passbook core"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/hibp_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook hibp_policy"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/ldap/__init__.py

@@ -1,2 +1,2 @@
 """Passbook ldap app Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/lib/__init__.py

@@ -1,2 +1,2 @@
 """passbook lib"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/lib/default.yml

@@ -101,3 +101,4 @@ saml_idp:
     - passbook.saml_idp.processors.salesforce
     - passbook.saml_idp.processors.shibboleth
     - passbook.saml_idp.processors.wordpress_orange
+    - passbook.saml_idp.processors.rancher

passbook/oauth_client/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_client Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/oauth_provider/__init__.py

@@ -1,2 +1,2 @@
 """passbook oauth_provider Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/oauth_provider/views/oauth2.py

@@ -36,6 +36,13 @@ class PassbookAuthorizationView(AccessMixin, AuthorizationView):
 
     _application = None
 
+    def _inject_response_type(self):
+        """Inject response_type into querystring if not set"""
+        LOGGER.debug("response_type not set, defaulting to 'code'")
+        querystring = urlencode(self.request.GET)
+        querystring += '&response_type=code'
+        return redirect(reverse('passbook_oauth_provider:oauth2-ok-authorize') + '?' + querystring)
+
     def dispatch(self, request, *args, **kwargs):
         """Update OAuth2Provider's skip_authorization state"""
         # Get client_id to get provider, so we can update skip_authorization field
@@ -55,6 +62,9 @@ class PassbookAuthorizationView(AccessMixin, AuthorizationView):
             for policy_meaage in policy_meaages:
                 messages.error(request, policy_meaage)
             return redirect('passbook_oauth_provider:oauth2-permission-denied')
+        # Some clients don't pass response_type, so we default to code
+        if 'response_type' not in request.GET:
+            return self._inject_response_type()
         actual_response = super().dispatch(request, *args, **kwargs)
         if actual_response.status_code == 400:
             LOGGER.debug(request.GET.get('redirect_uri'))

passbook/otp/__init__.py

@@ -1,2 +1,2 @@
 """passbook otp Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/password_expiry_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook password_expiry"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/saml_idp/__init__.py

@@ -1,2 +1,2 @@
 """passbook saml_idp Header"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'

passbook/saml_idp/base.py

@@ -65,7 +65,7 @@ class Processor:
         self._remote = remote
         self._logger = getLogger(__name__)
         self._system_params['ISSUER'] = self._remote.issuer
-        self._logger.info('processor configured')
+        self._logger.debug('processor configured')
 
     def _build_assertion(self):
         """Builds _assertion_params."""
@@ -295,6 +295,7 @@ class Processor:
     def generate_response(self):
         """Processes request and returns template variables suitable for a response."""
         # Build the assertion and response.
+        self.can_handle(self._django_request)
         self._validate_user()
         self._build_assertion()
         self._format_assertion()

passbook/saml_idp/processors/rancher.py

@@ -0,0 +1,11 @@
+"""Rancher Processor"""
+from passbook.saml_idp.base import Processor
+
+
+class RancherProcessor(Processor):
+    """Rancher SAML 2.0 AuthnRequest to Response Handler Processor."""
+
+    def _determine_audience(self):
+        # Rancher expects an audience in this format
+        # https://<host>/v1-saml/adfs/saml/acs
+        self._audience = self._remote.acs_url.replace('acs', 'metadata')

passbook/saml_idp/views.py

@@ -17,7 +17,6 @@ from signxml.util import strip_pem_header
 from passbook.audit.models import AuditEntry
 from passbook.core.models import Application
 from passbook.core.policies import PolicyEngine
-from passbook.lib.config import CONFIG
 from passbook.lib.mixins import CSRFExemptMixin
 from passbook.lib.utils.template import render_to_string
 from passbook.saml_idp import exceptions
@@ -205,7 +204,7 @@ class DescriptorDownloadView(AccessRequiredView):
 
     def get(self, request, application):
         """Replies with the XML Metadata IDSSODescriptor."""
-        entity_id = CONFIG.y('saml_idp.issuer')
+        entity_id = self.provider.issuer
         slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml-logout', kwargs={
             'application': application
         }))

passbook/suspicious_policy/__init__.py

@@ -1,2 +1,2 @@
 """passbook suspicious_policy"""
-__version__ = '0.1.31-beta'
+__version__ = '0.1.33-beta'