new release: 0.12.7-stable

Bumps [boto3](https://github.com/boto/boto3) from 1.16.4 to 1.16.5.
- [Release notes](https://github.com/boto/boto3/releases)
- [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst)
- [Commits](https://github.com/boto/boto3/compare/1.16.4...1.16.5)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.11.0-stable
+current_version = 0.12.7-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.github/dependabot.yml

@@ -6,12 +6,16 @@ updates:
     interval: daily
     time: "04:00"
   open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
 - package-ecosystem: npm
   directory: "/passbook/static/static"
   schedule:
     interval: daily
     time: "04:00"
   open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
 - package-ecosystem: pip
   directory: "/"
   schedule:
@@ -20,3 +24,19 @@ updates:
   open-pull-requests-limit: 10
   assignees:
   - BeryJu
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: docker
+  directory: "/proxy"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu

.github/workflows/codeql-analysis.yml

@@ -1,54 +0,0 @@
-name: "CodeQL"
-
-on:
-  push:
-    branches: [master, admin-more-info, ci-deploy-dev, gh-pages, provider-saml-v2]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
-  schedule:
-    - cron: '0 20 * * 2'
-
-jobs:
-  analyse:
-    name: Analyse
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1

.github/workflows/release.yml

@@ -18,11 +18,11 @@ jobs:
       - name: Building Docker Image
         run: docker build
           --no-cache
-          -t beryju/passbook:0.11.0-stable
+          -t beryju/passbook:0.12.7-stable
           -t beryju/passbook:latest
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.11.0-stable
+        run: docker push beryju/passbook:0.12.7-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook:latest
   build-proxy:
@@ -48,11 +48,11 @@ jobs:
           cd proxy
           docker build \
           --no-cache \
-          -t beryju/passbook-proxy:0.11.0-stable \
+          -t beryju/passbook-proxy:0.12.7-stable \
           -t beryju/passbook-proxy:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-proxy:0.11.0-stable
+        run: docker push beryju/passbook-proxy:0.12.7-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-proxy:latest
   build-static:
@@ -77,11 +77,11 @@ jobs:
         run: docker build
           --no-cache
           --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.11.0-stable
+          -t beryju/passbook-static:0.12.7-stable
           -t beryju/passbook-static:latest
           -f static.Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.11.0-stable
+        run: docker push beryju/passbook-static:0.12.7-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/passbook-static:latest
   test-release:
@@ -114,5 +114,5 @@ jobs:
           SENTRY_PROJECT: passbook
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 0.11.0-stable
+          tagName: 0.12.7-stable
           environment: beryjuorg-prod

Dockerfile

@@ -25,7 +25,16 @@ RUN apt-get update && \
     pip install -r /requirements.txt --no-cache-dir && \
     apt-get remove --purge -y build-essential && \
     apt-get autoremove --purge -y && \
-    adduser --system --no-create-home --uid 1000 --group --home /passbook passbook
+    # This is quite hacky, but docker has no guaranteed Group ID
+    # we could instead check for the GID of the socket and add the user dynamically,
+    # but then we have to drop permmissions later
+    groupadd -g 998 docker_998 && \
+    groupadd -g 999 docker_999 && \
+    adduser --system --no-create-home --uid 1000 --group --home /passbook passbook && \
+    usermod -a -G docker_998 passbook && \
+    usermod -a -G docker_999 passbook && \
+    mkdir /backups && \
+    chown passbook:passbook /backups
 
 COPY ./passbook/ /passbook
 COPY ./manage.py /

Makefile

@@ -12,7 +12,7 @@ lint-fix:
 
 lint:
 	pyright passbook e2e lifecycle
-	bandit -r passbook e2e lifecycle
+	bandit -r passbook e2e lifecycle -x node_modules
 	pylint passbook e2e lifecycle
 	prospector
 

Pipfile

@@ -17,10 +17,10 @@ django-otp = "*"
 django-prometheus = "*"
 django-recaptcha = "*"
 django-redis = "*"
-djangorestframework = "==3.11.1"
+djangorestframework = "*"
 django-storages = "*"
 djangorestframework-guardian = "*"
-drf-yasg = "*"
+drf_yasg2 = "*"
 facebook-sdk = "*"
 ldap3 = "*"
 lxml = "*"

Pipfile.lock

@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "77737b63b2469755fd2a3d06b23054ae42b07b3f24cf887472f05fb8ab165cc6"
+            "sha256": "d1a9883d864e25f18e34b298b72b58db333a037571c7a20cefb7ba7a4037a434"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -74,18 +74,17 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:1627f97e050be59cfef839481acc73eba4b29e475a067f374a493e6b7f25601e",
-                "sha256:8aafa1ec72451cf70fe6d8c7e86b1a83d2e195d4dda95e5bf21e40132a38c309"
+                "sha256:163bf25d7c28be24392744485cf180bee4ff5e84c4ee891a32501e89dc352982"
             ],
             "index": "pypi",
-            "version": "==1.15.15"
+            "version": "==1.16.5"
         },
         "botocore": {
             "hashes": [
-                "sha256:3b9179edbba61c96f5d1eaa4328c9cda686bd461e102c5878c4880479c24e268",
-                "sha256:f59437ff69d260faa876a2bb7d76debcbbb3b1a497e9ff49550a1a5501679720"
+                "sha256:2bacdfb1eb66c885be18b7557202160f9eb48d81e16881e1ce5176881cc9d8aa",
+                "sha256:50e6b9b0e082a9af620552b5d1b5966f1da09202d6ccd03fd2c9856ae0578db5"
             ],
-            "version": "==1.18.15"
+            "version": "==1.19.5"
         },
         "cachetools": {
             "hashes": [
@@ -96,11 +95,11 @@
         },
         "celery": {
             "hashes": [
-                "sha256:313930fddde703d8e37029a304bf91429cd11aeef63c57de6daca9d958e1f255",
-                "sha256:72138dc3887f68dc58e1a2397e477256f80f1894c69fa4337f8ed70be460375b"
+                "sha256:7aa4ee46ed318bc177900ae7c01500354aee62d723255b0925db0754bcd4d390",
+                "sha256:e3e8956d74af986b1e9770e0a294338b259618bf70283d6157416328e50c2bd6"
             ],
             "index": "pypi",
-            "version": "==5.0.0"
+            "version": "==5.0.1"
         },
         "certifi": {
             "hashes": [
@@ -310,11 +309,11 @@
         },
         "django-otp": {
             "hashes": [
-                "sha256:2fb1c8dbd7e7ae76a65b63d89d3d8c3e1105a48bc29830b81c6e417a89380658",
-                "sha256:fef1f2de9a52bc37e16211b98b4323e5b34fa24739116fbe3d1ff018c17ebea8"
+                "sha256:8ba5ab9bd2738c7321376c349d7cce49cf4404e79f6804e0a3cc462a91728e18",
+                "sha256:f523fb9dec420f28a29d3e2ad72ac06f64588956ed4f2b5b430d8e957ebb8287"
             ],
             "index": "pypi",
-            "version": "==1.0.1"
+            "version": "==1.0.2"
         },
         "django-prometheus": {
             "hashes": [
@@ -349,11 +348,11 @@
         },
         "djangorestframework": {
             "hashes": [
-                "sha256:6dd02d5a4bd2516fb93f80360673bf540c3b6641fec8766b1da2870a5aa00b32",
-                "sha256:8b1ac62c581dbc5799b03e535854b92fc4053ecfe74bad3f9c05782063d4196b"
+                "sha256:5c5071fcbad6dce16f566d492015c829ddb0df42965d488b878594aabc3aed21",
+                "sha256:d54452aedebb4b650254ca092f9f4f5df947cb1de6ab245d817b08b4f4156249"
             ],
             "index": "pypi",
-            "version": "==3.11.1"
+            "version": "==3.12.1"
         },
         "djangorestframework-guardian": {
             "hashes": [
@@ -371,13 +370,13 @@
             "index": "pypi",
             "version": "==4.3.1"
         },
-        "drf-yasg": {
+        "drf-yasg2": {
             "hashes": [
-                "sha256:5572e9d5baab9f6b49318169df9789f7399d0e3c7bdac8fdb8dfccf1d5d2b1ca",
-                "sha256:7d7af27ad16e18507e9392b2afd6b218fbffc432ec8dbea053099a2241e184ff"
+                "sha256:65826bf19e5222d38b84380468303c8c389d0b9e2335ee6efa4151ba87ca0a3f",
+                "sha256:6c662de6e0ffd4f74c49c06a88b8a9d1eb4bc9d7bfe82dac9f80a51a23cacecb"
             ],
             "index": "pypi",
-            "version": "==1.17.1"
+            "version": "==1.19.3"
         },
         "eight": {
             "hashes": [
@@ -555,11 +554,11 @@
         },
         "kubernetes": {
             "hashes": [
-                "sha256:1a2472f8b01bc6aa87e3a34781f859bded5a5c8ff791a53d889a8bd6cc550430",
-                "sha256:4af81201520977139a143f96123fb789fa351879df37f122916b9b6ed050bbaf"
+                "sha256:72f095a1cd593401ff26b3b8d71749340394ca6d8413770ea28ce18efd5bcf4c",
+                "sha256:9a339a32d6c79e6461cb6050c3662cb4e33058b508d8d34ee5d5206add395828"
             ],
             "index": "pypi",
-            "version": "==11.0.0"
+            "version": "==12.0.0"
         },
         "ldap3": {
             "hashes": [
@@ -571,40 +570,45 @@
         },
         "lxml": {
             "hashes": [
-                "sha256:05a444b207901a68a6526948c7cc8f9fe6d6f24c70781488e32fd74ff5996e3f",
-                "sha256:08fc93257dcfe9542c0a6883a25ba4971d78297f63d7a5a26ffa34861ca78730",
-                "sha256:107781b213cf7201ec3806555657ccda67b1fccc4261fb889ef7fc56976db81f",
-                "sha256:121b665b04083a1e85ff1f5243d4a93aa1aaba281bc12ea334d5a187278ceaf1",
-                "sha256:1fa21263c3aba2b76fd7c45713d4428dbcc7644d73dcf0650e9d344e433741b3",
-                "sha256:2b30aa2bcff8e958cd85d907d5109820b01ac511eae5b460803430a7404e34d7",
-                "sha256:4b4a111bcf4b9c948e020fd207f915c24a6de3f1adc7682a2d92660eb4e84f1a",
-                "sha256:5591c4164755778e29e69b86e425880f852464a21c7bb53c7ea453bbe2633bbe",
-                "sha256:59daa84aef650b11bccd18f99f64bfe44b9f14a08a28259959d33676554065a1",
-                "sha256:5a9c8d11aa2c8f8b6043d845927a51eb9102eb558e3f936df494e96393f5fd3e",
-                "sha256:5dd20538a60c4cc9a077d3b715bb42307239fcd25ef1ca7286775f95e9e9a46d",
-                "sha256:74f48ec98430e06c1fa8949b49ebdd8d27ceb9df8d3d1c92e1fdc2773f003f20",
-                "sha256:786aad2aa20de3dbff21aab86b2fb6a7be68064cbbc0219bde414d3a30aa47ae",
-                "sha256:7ad7906e098ccd30d8f7068030a0b16668ab8aa5cda6fcd5146d8d20cbaa71b5",
-                "sha256:80a38b188d20c0524fe8959c8ce770a8fdf0e617c6912d23fc97c68301bb9aba",
-                "sha256:8f0ec6b9b3832e0bd1d57af41f9238ea7709bbd7271f639024f2fc9d3bb01293",
-                "sha256:92282c83547a9add85ad658143c76a64a8d339028926d7dc1998ca029c88ea6a",
-                "sha256:94150231f1e90c9595ccc80d7d2006c61f90a5995db82bccbca7944fd457f0f6",
-                "sha256:9dc9006dcc47e00a8a6a029eb035c8f696ad38e40a27d073a003d7d1443f5d88",
-                "sha256:a76979f728dd845655026ab991df25d26379a1a8fc1e9e68e25c7eda43004bed",
-                "sha256:aa8eba3db3d8761db161003e2d0586608092e217151d7458206e243be5a43843",
-                "sha256:bea760a63ce9bba566c23f726d72b3c0250e2fa2569909e2d83cda1534c79443",
-                "sha256:c3f511a3c58676147c277eff0224c061dd5a6a8e1373572ac817ac6324f1b1e0",
-                "sha256:c9d317efde4bafbc1561509bfa8a23c5cab66c44d49ab5b63ff690f5159b2304",
-                "sha256:cc411ad324a4486b142c41d9b2b6a722c534096963688d879ea6fa8a35028258",
-                "sha256:cdc13a1682b2a6241080745b1953719e7fe0850b40a5c71ca574f090a1391df6",
-                "sha256:cfd7c5dd3c35c19cec59c63df9571c67c6d6e5c92e0fe63517920e97f61106d1",
-                "sha256:e1cacf4796b20865789083252186ce9dc6cc59eca0c2e79cca332bdff24ac481",
-                "sha256:e70d4e467e243455492f5de463b72151cc400710ac03a0678206a5f27e79ddef",
-                "sha256:ecc930ae559ea8a43377e8b60ca6f8d61ac532fc57efb915d899de4a67928efd",
-                "sha256:f161af26f596131b63b236372e4ce40f3167c1b5b5d459b29d2514bd8c9dc9ee"
+                "sha256:0e89f5d422988c65e6936e4ec0fe54d6f73f3128c80eb7ecc3b87f595523607b",
+                "sha256:189ad47203e846a7a4951c17694d845b6ade7917c47c64b29b86526eefc3adf5",
+                "sha256:1d87936cb5801c557f3e981c9c193861264c01209cb3ad0964a16310ca1b3301",
+                "sha256:211b3bcf5da70c2d4b84d09232534ad1d78320762e2c59dedc73bf01cb1fc45b",
+                "sha256:2358809cc64394617f2719147a58ae26dac9e21bae772b45cfb80baa26bfca5d",
+                "sha256:23c83112b4dada0b75789d73f949dbb4e8f29a0a3511647024a398ebd023347b",
+                "sha256:24e811118aab6abe3ce23ff0d7d38932329c513f9cef849d3ee88b0f848f2aa9",
+                "sha256:2d5896ddf5389560257bbe89317ca7bcb4e54a02b53a3e572e1ce4226512b51b",
+                "sha256:2d6571c48328be4304aee031d2d5046cbc8aed5740c654575613c5a4f5a11311",
+                "sha256:2e311a10f3e85250910a615fe194839a04a0f6bc4e8e5bb5cac221344e3a7891",
+                "sha256:302160eb6e9764168e01d8c9ec6becddeb87776e81d3fcb0d97954dd51d48e0a",
+                "sha256:3a7a380bfecc551cfd67d6e8ad9faa91289173bdf12e9cfafbd2bdec0d7b1ec1",
+                "sha256:3d9b2b72eb0dbbdb0e276403873ecfae870599c83ba22cadff2db58541e72856",
+                "sha256:475325e037fdf068e0c2140b818518cf6bc4aa72435c407a798b2db9f8e90810",
+                "sha256:4b7572145054330c8e324a72d808c8c8fbe12be33368db28c39a255ad5f7fb51",
+                "sha256:4fff34721b628cce9eb4538cf9a73d02e0f3da4f35a515773cce6f5fe413b360",
+                "sha256:56eff8c6fb7bc4bcca395fdff494c52712b7a57486e4fbde34c31bb9da4c6cc4",
+                "sha256:573b2f5496c7e9f4985de70b9bbb4719ffd293d5565513e04ac20e42e6e5583f",
+                "sha256:7ecaef52fd9b9535ae5f01a1dd2651f6608e4ec9dc136fc4dfe7ebe3c3ddb230",
+                "sha256:803a80d72d1f693aa448566be46ffd70882d1ad8fc689a2e22afe63035eb998a",
+                "sha256:8862d1c2c020cb7a03b421a9a7b4fe046a208db30994fc8ff68c627a7915987f",
+                "sha256:9b06690224258db5cd39a84e993882a6874676f5de582da57f3df3a82ead9174",
+                "sha256:a71400b90b3599eb7bf241f947932e18a066907bf84617d80817998cee81e4bf",
+                "sha256:bb252f802f91f59767dcc559744e91efa9df532240a502befd874b54571417bd",
+                "sha256:be1ebf9cc25ab5399501c9046a7dcdaa9e911802ed0e12b7d620cd4bbf0518b3",
+                "sha256:be7c65e34d1b50ab7093b90427cbc488260e4b3a38ef2435d65b62e9fa3d798a",
+                "sha256:c0dac835c1a22621ffa5e5f999d57359c790c52bbd1c687fe514ae6924f65ef5",
+                "sha256:c152b2e93b639d1f36ec5a8ca24cde4a8eefb2b6b83668fcd8e83a67badcb367",
+                "sha256:d182eada8ea0de61a45a526aa0ae4bcd222f9673424e65315c35820291ff299c",
+                "sha256:d18331ea905a41ae71596502bd4c9a2998902328bbabd29e3d0f5f8569fabad1",
+                "sha256:d20d32cbb31d731def4b1502294ca2ee99f9249b63bc80e03e67e8f8e126dea8",
+                "sha256:d4ad7fd3269281cb471ad6c7bafca372e69789540d16e3755dd717e9e5c9d82f",
+                "sha256:d6f8c23f65a4bfe4300b85f1f40f6c32569822d08901db3b6454ab785d9117cc",
+                "sha256:d84d741c6e35c9f3e7406cb7c4c2e08474c2a6441d59322a00dcae65aac6315d",
+                "sha256:e65c221b2115a91035b55a593b6eb94aa1206fa3ab374f47c6dc10d364583ff9",
+                "sha256:f98b6f256be6cec8dd308a8563976ddaff0bdc18b730720f6f4bee927ffe926f"
             ],
             "index": "pypi",
-            "version": "==4.5.2"
+            "version": "==4.6.1"
         },
         "markupsafe": {
             "hashes": [
@@ -691,10 +695,10 @@
         },
         "prompt-toolkit": {
             "hashes": [
-                "sha256:822f4605f28f7d2ba6b0b09a31e25e140871e96364d1d377667b547bb3bf4489",
-                "sha256:83074ee28ad4ba6af190593d4d4c607ff525272a504eb159199b6dd9f950c950"
+                "sha256:25c95d2ac813909f813c93fde734b6e44406d1477a9faef7c915ff37d39c0a8c",
+                "sha256:7debb9a521e0b1ee7d2fe96ee4bd60ef03c6492784de0547337ca4433e46aa63"
             ],
-            "version": "==3.0.7"
+            "version": "==3.0.8"
         },
         "psycopg2-binary": {
             "hashes": [
@@ -708,6 +712,7 @@
                 "sha256:7312e931b90fe14f925729cde58022f5d034241918a5c4f9797cac62f6b3a9dd",
                 "sha256:7d92a09b788cbb1aec325af5fcba9fed7203897bbd9269d5691bb1e3bce29550",
                 "sha256:833709a5c66ca52f1d21d41865a637223b368c0ee76ea54ca5bad6f2526c7679",
+                "sha256:89705f45ce07b2dfa806ee84439ec67c5d9a0ef20154e0e475e2b2ed392a5b83",
                 "sha256:8cd0fb36c7412996859cb4606a35969dd01f4ea34d9812a141cd920c3b18be77",
                 "sha256:950bc22bb56ee6ff142a2cb9ee980b571dd0912b0334aa3fe0fe3788d860bea2",
                 "sha256:a0c50db33c32594305b0ef9abc0cb7db13de7621d2cadf8392a1d9b3c437ef77",
@@ -974,6 +979,8 @@
                 "sha256:a873e4d4954f865dcb60bdc4914af7eaae48fb56b60ed6daa1d6251c72f5337c",
                 "sha256:ab845f1f51f7eb750a78937be9f79baea4a42c7960f5a94dde34e69f3cce1988",
                 "sha256:b1e981fe1aff1fd11627f531524826a4dcc1f26c726235a52fcb62ded27d150f",
+                "sha256:b4b0d31f2052b3f9f9b5327024dc629a253a83d8649d4734ca7f35b60ec3e9e5",
+                "sha256:c6ac7e45367b1317e56f1461719c853fd6825226f45b835df7436bb04031fd8a",
                 "sha256:daf21aa33ee9b351f66deed30a3d450ab55c14242cfdfcd377798e2c0d25c9f1",
                 "sha256:e9f7d1d8c26a6a12c23421061f9022bb62704e38211fe375c645485f38df34a2",
                 "sha256:f6061a31880c1ed6b6ce341215336e2f3d0c1deccd84957b6fa8ca474b41e89f"
@@ -990,11 +997,11 @@
         },
         "sentry-sdk": {
             "hashes": [
-                "sha256:1d91a0059d2d8bb980bec169578035c2f2d4b93cd8a4fb5b85c81904d33e221a",
-                "sha256:6222cf623e404c3e62b8e0e81c6db866ac2d12a663b7c1f7963350e3f397522a"
+                "sha256:0eea248408d36e8e7037c7b73827bea20b13a4375bf1719c406cae6fcbc094e3",
+                "sha256:5cf36eb6b1dc62d55f3c64289792cbaebc8ffa5a9da14474f49b46d20caa7fc8"
             ],
             "index": "pypi",
-            "version": "==0.18.0"
+            "version": "==0.19.1"
         },
         "service-identity": {
             "hashes": [
@@ -1092,23 +1099,23 @@
                 "secure"
             ],
             "hashes": [
-                "sha256:91056c15fa70756691db97756772bb1eb9678fa585d9184f24534b100dc60f4a",
-                "sha256:e7983572181f5e1522d9c98453462384ee92a0be7fac5f1413a1e35c56cc0461"
+                "sha256:8d7eaa5a82a1cac232164990f04874c594c9453ec55eef02eab885aa02fc17a2",
+                "sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e"
             ],
             "index": "pypi",
             "markers": null,
-            "version": "==1.25.10"
+            "version": "==1.25.11"
         },
         "uvicorn": {
             "extras": [
                 "standard"
             ],
             "hashes": [
-                "sha256:a461e76406088f448f36323f5ac774d50e5a552b6ccb54e4fca8d83ef614a7c2",
-                "sha256:d06a25caa8dc680ad92eb3ec67363f5281c092059613a1cc0100acba37fc0f45"
+                "sha256:8ff7495c74b8286a341526ff9efa3988ebab9a4b2f561c7438c3cb420992d7dd",
+                "sha256:e5dbed4a8a44c7b04376021021d63798d6a7bcfae9c654a0b153577b93854fba"
             ],
             "index": "pypi",
-            "version": "==0.12.1"
+            "version": "==0.12.2"
         },
         "uvloop": {
             "hashes": [
@@ -1300,11 +1307,11 @@
         },
         "colorama": {
             "hashes": [
-                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
-                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+                "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
+                "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"
             ],
             "index": "pypi",
-            "version": "==0.4.3"
+            "version": "==0.4.4"
         },
         "coverage": {
             "hashes": [
@@ -1392,17 +1399,17 @@
         },
         "gitpython": {
             "hashes": [
-                "sha256:138016d519bf4dd55b22c682c904ed2fd0235c3612b2f8f65ce218ff358deed8",
-                "sha256:a03f728b49ce9597a6655793207c6ab0da55519368ff5961e4a74ae475b9fa8e"
+                "sha256:6eea89b655917b500437e9668e4a12eabdcf00229a0df1762aabd692ef9b746b",
+                "sha256:befa4d101f91bad1b632df4308ec64555db684c360bd7d2130b4807d49ce86b8"
             ],
-            "version": "==3.1.9"
+            "version": "==3.1.11"
         },
         "iniconfig": {
             "hashes": [
-                "sha256:80cf40c597eb564e86346103f609d74efce0f6b4d4f30ec8ce9e2c26411ba437",
-                "sha256:e5f92f89355a67de0595932a6c6c02ab4afddc6fcdc0bfc5becd0d60884d3f69"
+                "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3",
+                "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32"
             ],
-            "version": "==1.0.1"
+            "version": "==1.1.1"
         },
         "isort": {
             "hashes": [
@@ -1468,10 +1475,10 @@
         },
         "pbr": {
             "hashes": [
-                "sha256:14bfd98f51c78a3dd22a1ef45cf194ad79eee4a19e8e1a0d5c7f8e81ffe182ea",
-                "sha256:5adc0f9fc64319d8df5ca1e4e06eea674c26b80e6f00c530b18ce6a6592ead15"
+                "sha256:5fad80b613c402d5b7df7bd84812548b2a61e9977387a80a5fc5c396492b13c9",
+                "sha256:b236cde0ac9a6aedd5e3c34517b423cd4fd97ef723849da6b0d2231142d89c00"
             ],
-            "version": "==5.5.0"
+            "version": "==5.5.1"
         },
         "pep8-naming": {
             "hashes": [
@@ -1574,11 +1581,11 @@
         },
         "pytest-django": {
             "hashes": [
-                "sha256:4de6dbd077ed8606616958f77655fed0d5e3ee45159475671c7fa67596c6dba6",
-                "sha256:c33e3d3da14d8409b125d825d4e74da17bb252191bf6fc3da6856e27a8b73ea4"
+                "sha256:10e384e6b8912ded92db64c58be8139d9ae23fb8361e5fc139d8e4f8fc601bc2",
+                "sha256:26f02c16d36fd4c8672390deebe3413678d89f30720c16efb8b2a6bf63b9041f"
             ],
             "index": "pypi",
-            "version": "==3.10.0"
+            "version": "==4.1.0"
         },
         "pytz": {
             "hashes": [
@@ -1606,35 +1613,35 @@
         },
         "regex": {
             "hashes": [
-                "sha256:088afc8c63e7bd187a3c70a94b9e50ab3f17e1d3f52a32750b5b77dbe99ef5ef",
-                "sha256:1fe0a41437bbd06063aa184c34804efa886bcc128222e9916310c92cd54c3b4c",
-                "sha256:3d20024a70b97b4f9546696cbf2fd30bae5f42229fbddf8661261b1eaff0deb7",
-                "sha256:41bb65f54bba392643557e617316d0d899ed5b4946dccee1cb6696152b29844b",
-                "sha256:4318d56bccfe7d43e5addb272406ade7a2274da4b70eb15922a071c58ab0108c",
-                "sha256:4707f3695b34335afdfb09be3802c87fa0bc27030471dbc082f815f23688bc63",
-                "sha256:49f23ebd5ac073765ecbcf046edc10d63dcab2f4ae2bce160982cb30df0c0302",
-                "sha256:5533a959a1748a5c042a6da71fe9267a908e21eded7a4f373efd23a2cbdb0ecc",
-                "sha256:5d892a4f1c999834eaa3c32bc9e8b976c5825116cde553928c4c8e7e48ebda67",
-                "sha256:5f18875ac23d9aa2f060838e8b79093e8bb2313dbaaa9f54c6d8e52a5df097be",
-                "sha256:60b0e9e6dc45683e569ec37c55ac20c582973841927a85f2d8a7d20ee80216ab",
-                "sha256:816064fc915796ea1f26966163f6845de5af78923dfcecf6551e095f00983650",
-                "sha256:84cada8effefe9a9f53f9b0d2ba9b7b6f5edf8d2155f9fdbe34616e06ececf81",
-                "sha256:84e9407db1b2eb368b7ecc283121b5e592c9aaedbe8c78b1a2f1102eb2e21d19",
-                "sha256:8d69cef61fa50c8133382e61fd97439de1ae623fe943578e477e76a9d9471637",
-                "sha256:9a02d0ae31d35e1ec12a4ea4d4cca990800f66a917d0fb997b20fbc13f5321fc",
-                "sha256:9bc13e0d20b97ffb07821aa3e113f9998e84994fe4d159ffa3d3a9d1b805043b",
-                "sha256:a6f32aea4260dfe0e55dc9733ea162ea38f0ea86aa7d0f77b15beac5bf7b369d",
-                "sha256:ae91972f8ac958039920ef6e8769277c084971a142ce2b660691793ae44aae6b",
-                "sha256:c570f6fa14b9c4c8a4924aaad354652366577b4f98213cf76305067144f7b100",
-                "sha256:c9443124c67b1515e4fe0bb0aa18df640965e1030f468a2a5dc2589b26d130ad",
-                "sha256:d23a18037313714fb3bb5a94434d3151ee4300bae631894b1ac08111abeaa4a3",
-                "sha256:eaf548d117b6737df379fdd53bdde4f08870e66d7ea653e230477f071f861121",
-                "sha256:ebbe29186a3d9b0c591e71b7393f1ae08c83cb2d8e517d2a822b8f7ec99dfd8b",
-                "sha256:eda4771e0ace7f67f58bc5b560e27fb20f32a148cbc993b0c3835970935c2707",
-                "sha256:f1b3afc574a3db3b25c89161059d857bd4909a1269b0b3cb3c904677c8c4a3f7",
-                "sha256:f2388013e68e750eaa16ccbea62d4130180c26abb1d8e5d584b9baf69672b30f"
+                "sha256:0cb23ed0e327c18fb7eac61ebbb3180ebafed5b9b86ca2e15438201e5903b5dd",
+                "sha256:1a065e7a6a1b4aa851a0efa1a2579eabc765246b8b3a5fd74000aaa3134b8b4e",
+                "sha256:1a511470db3aa97432ac8c1bf014fcc6c9fbfd0f4b1313024d342549cf86bcd6",
+                "sha256:1c447b0d108cddc69036b1b3910fac159f2b51fdeec7f13872e059b7bc932be1",
+                "sha256:2278453c6a76280b38855a263198961938108ea2333ee145c5168c36b8e2b376",
+                "sha256:240509721a663836b611fa13ca1843079fc52d0b91ef3f92d9bba8da12e768a0",
+                "sha256:4e21340c07090ddc8c16deebfd82eb9c9e1ec5e62f57bb86194a2595fd7b46e0",
+                "sha256:570e916a44a361d4e85f355aacd90e9113319c78ce3c2d098d2ddf9631b34505",
+                "sha256:59d5c6302d22c16d59611a9fd53556554010db1d47e9df5df37be05007bebe75",
+                "sha256:6a46eba253cedcbe8a6469f881f014f0a98819d99d341461630885139850e281",
+                "sha256:6f567df0601e9c7434958143aebea47a9c4b45434ea0ae0286a4ec19e9877169",
+                "sha256:781906e45ef1d10a0ed9ec8ab83a09b5e0d742de70e627b20d61ccb1b1d3964d",
+                "sha256:8469377a437dbc31e480993399fd1fd15fe26f382dc04c51c9cb73e42965cc06",
+                "sha256:8cd0d587aaac74194ad3e68029124c06245acaeddaae14cb45844e5c9bebeea4",
+                "sha256:97a023f97cddf00831ba04886d1596ef10f59b93df7f855856f037190936e868",
+                "sha256:a973d5a7a324e2a5230ad7c43f5e1383cac51ef4903bf274936a5634b724b531",
+                "sha256:af360e62a9790e0a96bc9ac845d87bfa0e4ee0ee68547ae8b5a9c1030517dbef",
+                "sha256:b706c70070eea03411b1761fff3a2675da28d042a1ab7d0863b3efe1faa125c9",
+                "sha256:bfd7a9fddd11d116a58b62ee6c502fd24cfe22a4792261f258f886aa41c2a899",
+                "sha256:c30d8766a055c22e39dd7e1a4f98f6266169f2de05db737efe509c2fb9c8a3c8",
+                "sha256:c53dc8ee3bb7b7e28ee9feb996a0c999137be6c1d3b02cb6b3c4cba4f9e5ed09",
+                "sha256:c95d514093b80e5309bdca5dd99e51bcf82c44043b57c34594d9d7556bd04d05",
+                "sha256:d43cf21df524283daa80ecad551c306b7f52881c8d0fe4e3e76a96b626b6d8d8",
+                "sha256:d62205f00f461fe8b24ade07499454a3b7adf3def1225e258b994e2215fd15c5",
+                "sha256:e289a857dca3b35d3615c3a6a438622e20d1bf0abcb82c57d866c8d0be3f44c4",
+                "sha256:e5f6aa56dda92472e9d6f7b1e6331f4e2d51a67caafff4d4c5121cadac03941e",
+                "sha256:f4b1c65ee86bfbf7d0c3dfd90592a9e3d6e9ecd36c367c884094c050d4c35d04"
             ],
-            "version": "==2020.9.27"
+            "version": "==2020.10.23"
         },
         "requirements-detector": {
             "hashes": [
@@ -1702,9 +1709,11 @@
             "hashes": [
                 "sha256:0666aa36131496aed8f7be0410ff974562ab7eeac11ef351def9ea6fa28f6355",
                 "sha256:0c2c07682d61a629b68433afb159376e24e5b2fd4641d35424e462169c0a7919",
+                "sha256:0d8110d78a5736e16e26213114a38ca35cb15b6515d535413b090bd50951556d",
                 "sha256:249862707802d40f7f29f6e1aad8d84b5aa9e44552d2cc17384b209f091276aa",
                 "sha256:24995c843eb0ad11a4527b026b4dde3da70e1f2d8806c99b7b4a7cf491612652",
                 "sha256:269151951236b0f9a6f04015a9004084a5ab0d5f19b57de779f908621e7d8b75",
+                "sha256:3742b32cf1c6ef124d57f95be609c473d7ec4c14d0090e5a5e05a15269fb4d0c",
                 "sha256:4083861b0aa07990b619bd7ddc365eb7fa4b817e99cf5f8d9cf21a42780f6e01",
                 "sha256:498b0f36cc7054c1fead3d7fc59d2150f4d5c6c56ba7fb150c013fbc683a8d2d",
                 "sha256:4e3e5da80ccbebfff202a67bf900d081906c358ccc3d5e3c8aea42fdfdfd51c1",
@@ -1713,12 +1722,16 @@
                 "sha256:73d785a950fc82dd2a25897d525d003f6378d1cb23ab305578394694202a58c3",
                 "sha256:8c8aaad94455178e3187ab22c8b01a3837f8ee50e09cf31f1ba129eb293ec30b",
                 "sha256:8ce678dbaf790dbdb3eba24056d5364fb45944f33553dd5869b7580cdbb83614",
+                "sha256:92c325624e304ebf0e025d1224b77dd4e6393f18aab8d829b5b7e04afe9b7a2c",
                 "sha256:aaee9905aee35ba5905cfb3c62f3e83b3bec7b39413f0a7f19be4e547ea01ebb",
+                "sha256:b52ccf7cfe4ce2a1064b18594381bccf4179c2ecf7f513134ec2f993dd4ab395",
                 "sha256:bcd3b13b56ea479b3650b82cabd6b5343a625b0ced5429e4ccad28a8973f301b",
                 "sha256:c9e348e02e4d2b4a8b2eedb48210430658df6951fa484e59de33ff773fbd4b41",
                 "sha256:d205b1b46085271b4e15f670058ce182bd1199e56b317bf2ec004b6a44f911f6",
                 "sha256:d43943ef777f9a1c42bf4e552ba23ac77a6351de620aa9acf64ad54933ad4d34",
                 "sha256:d5d33e9e7af3b34a40dc05f498939f0ebf187f07c385fd58d591c533ad8562fe",
+                "sha256:d648b8e3bf2fe648745c8ffcee3db3ff903d0817a01a12dd6a6ea7a8f4889072",
+                "sha256:fac11badff8313e23717f3dada86a15389d0708275bddf766cca67a84ead3e91",
                 "sha256:fc0fea399acb12edbf8a628ba8d2312f583bdbdb3335635db062fa98cf71fca4",
                 "sha256:fe460b922ec15dd205595c9b5b99e2f056fd98ae8f9f56b888e7a17dc2b757e7"
             ],
@@ -1737,12 +1750,12 @@
                 "secure"
             ],
             "hashes": [
-                "sha256:91056c15fa70756691db97756772bb1eb9678fa585d9184f24534b100dc60f4a",
-                "sha256:e7983572181f5e1522d9c98453462384ee92a0be7fac5f1413a1e35c56cc0461"
+                "sha256:8d7eaa5a82a1cac232164990f04874c594c9453ec55eef02eab885aa02fc17a2",
+                "sha256:f5321fbe4bf3fefa0efd0bfe7fb14e90909eb62a48ccda331726b4319897dd5e"
             ],
             "index": "pypi",
             "markers": null,
-            "version": "==1.25.10"
+            "version": "==1.25.11"
         },
         "wrapt": {
             "hashes": [

SECURITY.md

@@ -6,8 +6,9 @@ As passbook is currently in a pre-stable, only the latest "stable" version is su
 
 | Version  | Supported          |
 | -------- | ------------------ |
-| 0.9.x    | :white_check_mark: |
 | 0.10.x   | :white_check_mark: |
+| 0.11.x   | :white_check_mark: |
+| 0.12.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

azure-pipelines.yml

@@ -89,7 +89,7 @@ stages:
               versionSpec: '3.8'
           - task: CmdLine@2
             inputs:
-              script: npm install -g pyright@1.1.75
+              script: npm install -g pyright@1.1.79
           - task: CmdLine@2
             inputs:
               script: |
@@ -169,6 +169,13 @@ stages:
               dockerComposeFile: 'scripts/ci.docker-compose.yml'
               action: 'Run services'
               buildImages: false
+          - task: CmdLine@2
+            displayName: Install K3d and prepare
+            inputs:
+              script: |
+                wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bash
+                k3d cluster create
+                k3d kubeconfig write -o ~/.kube/config --overwrite
           - task: CmdLine@2
             inputs:
               script: |
@@ -178,6 +185,7 @@ stages:
             displayName: Run full test suite
             inputs:
               script: |
+                export PB_TEST_K8S=true
                 pipenv run coverage run ./manage.py test passbook -v 3
           - task: CmdLine@2
             inputs:
@@ -203,6 +211,13 @@ stages:
               dockerComposeFile: 'scripts/ci.docker-compose.yml'
               action: 'Run services'
               buildImages: false
+          - task: CmdLine@2
+            displayName: Install K3d and prepare
+            inputs:
+              script: |
+                wget -q -O - https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bash
+                k3d cluster create
+                k3d kubeconfig write -o ~/.kube/config --overwrite
           - task: CmdLine@2
             inputs:
               script: |
@@ -225,6 +240,7 @@ stages:
             displayName: Run full test suite
             inputs:
               script: |
+                export PB_TEST_K8S=true
                 pipenv run coverage run ./manage.py test e2e -v 3 --failfast
           - task: CmdLine@2
             condition: always()
@@ -232,6 +248,7 @@ stages:
             inputs:
               script: |
                 docker stop $(docker ps -aq)
+                docker container prune -f
           - task: CmdLine@2
             displayName: Prepare unittests and coverage for upload
             inputs:

docker-compose.yml

@@ -12,18 +12,14 @@ services:
       - POSTGRES_PASSWORD=${PG_PASS:-thisisnotagoodpassword}
       - POSTGRES_USER=passbook
       - POSTGRES_DB=passbook
-    labels:
-      - traefik.enable=false
     env_file:
       - .env
   redis:
     image: redis
     networks:
       - internal
-    labels:
-      - traefik.enable=false
   server:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.11.0-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.12.7-stable}
     command: server
     environment:
       PASSBOOK_REDIS__HOST: redis
@@ -34,38 +30,50 @@ services:
     networks:
       - internal
     labels:
-      - traefik.port=8000
-      - traefik.docker.network=internal
-      - traefik.frontend.rule=PathPrefix:/
+      traefik.enable: 'true'
+      traefik.docker.network: internal
+      traefik.http.routers.app-router.rule: PathPrefix(`/`)
+      traefik.http.routers.app-router.service: app-service
+      traefik.http.routers.app-router.tls: 'true'
+      traefik.http.services.app-service.loadbalancer.healthcheck.hostname: passbook-healthcheck-host
+      traefik.http.services.app-service.loadbalancer.server.port: '8000'
     env_file:
       - .env
   worker:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.11.0-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.12.7-stable}
     command: worker
     networks:
       - internal
-    labels:
-      - traefik.enable=false
     environment:
       PASSBOOK_REDIS__HOST: redis
       PASSBOOK_POSTGRESQL__HOST: postgresql
       PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS}
     volumes:
       - ./backups:/backups
-      - /var/run/docker.socket:/var/run/docker.socket
+      - /var/run/docker.sock:/var/run/docker.sock
     env_file:
       - .env
   static:
-    image: beryju/passbook-static:${PASSBOOK_TAG:-0.11.0-stable}
+    image: beryju/passbook-static:${PASSBOOK_TAG:-0.12.7-stable}
     networks:
       - internal
     labels:
-      - traefik.frontend.rule=PathPrefix:/static, /robots.txt, /favicon.ico
-      - traefik.port=80
-      - traefik.docker.network=internal
+      traefik.enable: 'true'
+      traefik.docker.network: internal
+      traefik.http.routers.static-router.rule: PathPrefix(`/static`, `/robots.txt`, `/favicon.ico`)
+      traefik.http.routers.static-router.tls: 'true'
+      traefik.http.routers.static-router.service: static-service
+      traefik.http.services.static-service.loadbalancer.healthcheck.path: /
+      traefik.http.services.static-service.loadbalancer.server.port: '80'
   traefik:
-    image: traefik:1.7
-    command: --api --docker --defaultentrypoints=https --entryPoints='Name:http Address::80 Redirect.EntryPoint:https' --entryPoints='Name:https Address::443 TLS'
+    image: traefik:2.3
+    command:
+      - "--log.format=json"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.http.address=:80"
+      - "--entrypoints.https.address=:443"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     ports:

docs/flow/examples/enrollment-2-stage.json

@@ -117,7 +117,7 @@
             },
             "model": "passbook_stages_user_login.userloginstage",
             "attrs": {
-                "session_duration": 0
+                "session_duration": "seconds=-1"
             }
         },
         {

docs/flow/examples/enrollment-email-verification.json

@@ -136,7 +136,7 @@
             },
             "model": "passbook_stages_user_login.userloginstage",
             "attrs": {
-                "session_duration": 0
+                "session_duration": "seconds=-1"
             }
         },
         {

docs/flow/examples/login-2fa.json

@@ -20,7 +20,7 @@
             },
             "model": "passbook_stages_user_login.userloginstage",
             "attrs": {
-                "session_duration": 0
+                "session_duration": "seconds=-1"
             }
         },
         {

docs/flow/examples/login-conditional-captcha.json

@@ -20,7 +20,7 @@
             },
             "model": "passbook_stages_user_login.userloginstage",
             "attrs": {
-                "session_duration": 0
+                "session_duration": "seconds=-1"
             }
         },
         {
@@ -95,7 +95,8 @@
             },
             "model": "passbook_flows.flowstagebinding",
             "attrs": {
-                "re_evaluate_policies": false
+                "evaluate_on_plan": false,
+                "re_evaluate_policies": true
             }
         },
         {

docs/flow/examples/recovery-email-verification.json

@@ -101,7 +101,7 @@
         {
             "identifiers": {
                 "pk": "975d5502-1e22-4d10-b560-fbc5bd70ff4d",
-                "name": "default-password-change-prompt"
+                "name": "Change your password"
             },
             "model": "passbook_stages_prompt.promptstage",
             "attrs": {
@@ -118,7 +118,7 @@
             },
             "model": "passbook_stages_user_login.userloginstage",
             "attrs": {
-                "session_duration": 0
+                "session_duration": "seconds=-1"
             }
         },
         {

docs/installation/docker-compose.md

@@ -4,8 +4,8 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Prerequisites
 
--   docker
--   docker-compose
+- docker
+- docker-compose
 
 ## Install
 
@@ -13,7 +13,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte
 
 To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo PASSBOOK_TAG=0.11.0-stable >> .env`
+To optionally deploy a different version run `echo PASSBOOK_TAG=0.12.7-stable >> .env`
 
 If this is a fresh passbook install run the following commands to generate a password:
 

docs/installation/kubernetes.md

@@ -11,29 +11,30 @@ This installation automatically applies database migrations on startup. After th
 image:
   name: beryju/passbook
   name_static: beryju/passbook-static
-  tag: 0.11.0-stable
-
-nameOverride: ""
+  tag: 0.12.7-stable
 
 serverReplicas: 1
 workerReplicas: 1
 
+# Enable the Kubernetes integration which lets passbook deploy outposts into kubernetes
+kubernetesIntegration: true
+
 config:
   # Optionally specify fixed secret_key, otherwise generated automatically
-  # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+  # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
-  error_reporting:
+  errorReporting:
     enabled: false
     environment: customer
-    send_pii: false
+    sendPii: false
   # Log level used by web and worker
   # Can be either debug, info, warning, error
-  log_level: warning
+  logLevel: warning
 
 # Enable Database Backups to S3
 # backup:
-#   access_key: access-key
-#   secret_key: secret-key
+#   accessKey: access-key
+#   secretKey: secret-key
 #   bucket: s3-bucket
 #   region: eu-central-1
 #   host: s3-host
@@ -42,7 +43,6 @@ ingress:
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
-  path: /
   hosts:
     - passbook.k8s.local
   tls: []

docs/installation/reverse-proxy.md

@@ -34,7 +34,8 @@ server {
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-Port 443;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
+        # This needs to be set inside the location block, very important.
+        proxy_set_header Host $host;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
     }

docs/integrations/services/home-assistant/index.md

@@ -0,0 +1,48 @@
+# Home-Assistant Integration
+
+## What is Home-Assistant
+
+From https://www.home-assistant.io/
+
+!!! note ""
+    Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
+
+
+## Preparation
+
+The following placeholders will be used:
+
+- `hass.company` is the FQDN of the Home-Assistant install.
+- `passbook.company` is the FQDN of the passbook install.
+
+!!! note
+
+    This setup uses https://github.com/BeryJu/hass-auth-header and the passbook proxy for authentication. When this [PR](https://github.com/home-assistant/core/pull/32926) is merged, this will no longer be necessary.
+
+## Home-Assistant
+
+This guide requires https://github.com/BeryJu/hass-auth-header, which can be installed as described in the Readme.
+
+Afterwards, make sure the `trusted_proxies` setting contains the IP(s) of the Host(s) passbook is running on.
+
+## passbook
+
+Create a Proxy Provider with the following values
+
+- Internal host
+
+    If Home-Assistant is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
+
+    If Home-Assistant is running on a different server than where you are deploying the passbook proxy, set the value to `http://hass.company:8123`.
+
+- External host
+
+    Set this to the external URL you will be accessing Home-Assistant from.
+
+Create an application in passbook and select the provider you've created above.
+
+## Deployment
+
+Create an outpost deployment for the provider you've created above, as described [here](../../../outposts/outposts.md). Deploy this Outpost either on the same host or a different host that can access Home-Assistant.
+
+The outpost will connect to passbook and configure itself.

docs/integrations/services/sonarr/index.md

@@ -18,7 +18,7 @@ The following placeholders will be used:
 - `sonarr.company` is the FQDN of the Sonarr install.
 - `passbook.company` is the FQDN of the passbook install.
 
-Create an application in passbook. Create a Proxy Provider with the following values
+Create a Proxy Provider with the following values
 
 - Internal host
 
@@ -30,6 +30,8 @@ Create an application in passbook. Create a Proxy Provider with the following va
 
     Set this to the external URL you will be accessing Sonarr from.
 
+Create an application in passbook and select the provider you've created above.
+
 ## Deployment
 
 Create an outpost deployment for the provider you've created above, as described [here](../../../outposts/outposts.md). Deploy this Outpost either on the same host or a different host that can access Sonarr.

docs/integrations/services/vmware-vcenter/index.md

@@ -16,6 +16,10 @@ From https://en.wikipedia.org/wiki/VCenter
 
     This requires VMware vCenter 7.0.0 or newer.
 
+!!! note
+
+    It seems that the vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain.
+
 ## Preparation
 
 The following placeholders will be used:

docs/integrations/sources/active-directory/index.md

@@ -0,0 +1,55 @@
+# Active Directory Integration
+
+## Preparation
+
+The following placeholders will be used:
+
+ - `ad.company` is the Name of the Active Directory domain.
+ - `passbook.company` is the FQDN of the passbook install.
+
+## Active Directory Setup
+
+1. Open Active Directory Users and Computers
+
+2. Create a user in Active Directory, matching your naming scheme
+
+    ![](./01_user_create.png)
+
+3. Give the User a password, generated using for example `pwgen 64 1`.
+
+4. Open the Delegation of Control Wizard by right-clicking the domain.
+
+5. Select the passbook service user you've just created.
+
+6. Ensure the "Reset user password and force password change at next logon" Option is checked.
+
+    ![](./02_delegate.png)
+
+## passbook Setup
+
+In passbook, create a new LDAP Source in Administration -> Sources.
+
+Use these settings:
+
+- Server URI: `ldap://ad.company`
+
+    For passbook to be able to write passwords back to Active Directory, make sure to use `ldaps://`
+
+- Bind CN: `<name of your service user>@ad.company`
+- Bind Password: The password you've given the user above
+- Base DN: The base DN which you want passbook to sync
+- Property Mappings: Select all and click the right arrow
+
+The other settings might need to be adjusted based on the setup of your domain.
+
+- Addition User/Group DN: Additional DN which is *prepended* to your Base DN for user synchronization.
+- Addition Group DN: Additional DN which is *prepended* to your Base DN for group synchronization.
+- User object filter: Which objects should be considered users.
+- Group object filter: Which objects should be considered groups.
+- User group membership field: Which user field saves the group membership
+- Object uniqueness field: A user field which contains a unique Identifier
+- Sync parent group: If enabled, all synchronized groups will be given this group as a parent.
+
+After you save the source, a synchronization will start in the background. When its done, you cen see the summary on the System Tasks page.
+
+![](./03_pb_status.png)

docs/maintenance/backups/index.md

@@ -6,6 +6,10 @@
 
 ### Backup
 
+!!! notice
+
+    Local backups are **enabled** by default, and will be run daily at 00:00
+
 Local backups can be created by running the following command in your passbook installation directory
 
 ```
@@ -14,15 +18,6 @@ docker-compose run --rm worker backup
 
 This will dump the current database into the `./backups` folder. By defaults, the last 10 Backups are kept.
 
-To schedule these backups, use the following snippet in a crontab
-
-```
-0 0 * * * bash -c "cd <passbook install location> && docker-compose run --rm worker backup" >/dev/null
-```
-
-!!! notice
-
-    passbook does support automatic backups on a schedule, however this is currently not recommended, as there is no way to monitor these scheduled tasks.
 
 ### Restore
 
@@ -42,11 +37,7 @@ After you've restored the backup, it is recommended to restart all services with
 
 ### S3 Configuration
 
-!!! notice
-
-    To trigger backups with S3 enabled, use the same commands as above.
-
-#### S3 Preparation
+#### Preparation
 
 passbook expects the bucket you select to already exist. The IAM User given to passbook should have the following permissions
 
@@ -101,11 +92,11 @@ Simply enable these options in your values.yaml file
 ```yaml
 # Enable Database Backups to S3
 backup:
-  access_key: access-key
-  secret_key: secret-key
+  accessKey: access-key
+  secretKey: secret-key
   bucket: s3-bucket
   region: eu-central-1
   host: s3-host
 ```
 
-Afterwards, run a `helm upgrade` to update the ConfigMap. Because passbook-scheduled backups are not recommended currently, a Kubernetes CronJob is created that runs the backup daily.
+Afterwards, run a `helm upgrade` to update the ConfigMap. Backups are done automatically as above, at 00:00 every day.

docs/policies/expression.md

@@ -26,7 +26,11 @@ return False
     - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
     - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
 - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
-- `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses)
+- `pb_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example
+
+    ```python
+    return pb_client_ip in ip_network('10.0.0.0/24')
+    ```
 
 Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
 

docs/upgrading/to-0.11.md

@@ -0,0 +1,20 @@
+# Upgrading to 0.11
+
+This update brings these headline features:
+
+- Add Backup and Restore, currently only externally schedulable, documented [here](https://passbook.beryju.org/maintenance/backups/)
+- New Admin Dashboard with more metrics and Charts
+
+  Shows successful and failed logins from the last 24 hours, as well as the most used applications
+- Add search to all table views
+- Outpost now supports a Docker Controller, which installs the Outpost on the same host as passbook, updates and manages it
+- Add Token Identifier
+
+  Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs
+- `core/applications/list` API now shows applications the user has access to via policies
+
+## Upgrading
+
+This upgrade can be done as with minor upgrades, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml).
+
+Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.

docs/upgrading/to-0.12.md

@@ -0,0 +1,63 @@
+# Upgrading to 0.12
+
+This update brings these headline features:
+
+- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances.
+- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster
+- Add System Task Overview to see all background tasks, their status, the log output, and retry them
+- Alerts now disappear automatically
+- Audit Logs are now searchable
+- Users can now create their own Tokens to access the API
+- docker-compose deployment now uses traefik 2.3
+
+Fixes:
+
+- Fix high CPU Usage of the proxy when Websocket connections fail
+
+## Upgrading
+
+### docker-compose
+
+Docker-compose users should download the latest docker-compose file from [here](https://raw.githubusercontent.com/BeryJu/passbook/master/docker-compose.yml). This includes the new traefik 2.3.
+
+Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
+
+### Kubernetes
+
+For Kubernetes users, there are some changes to the helm values.
+
+The values change from
+
+```yaml
+config:
+  # Optionally specify fixed secret_key, otherwise generated automatically
+  # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+  # Enable error reporting
+  error_reporting:
+    enabled: false
+    environment: customer
+    send_pii: false
+  # Log level used by web and worker
+  # Can be either debug, info, warning, error
+  log_level: warning
+```
+
+to
+
+```yaml
+config:
+  # Optionally specify fixed secret_key, otherwise generated automatically
+  # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+  # Enable error reporting
+  errorReporting:
+    enabled: false
+    environment: customer
+    sendPii: false
+  # Log level used by web and worker
+  # Can be either debug, info, warning, error
+  logLevel: warning
+```
+
+in order to be consistent with the rest of the settings.
+
+There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for passbook. When enabled (the default), a Service Account is created, which allows passbook to deploy and update Outposts.

e2e/test_flows_enroll.py

@@ -8,7 +8,7 @@ from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.stages.email.models import EmailStage, EmailTemplates
 from passbook.stages.identification.models import IdentificationStage
@@ -23,7 +23,7 @@ class TestFlowsEnroll(SeleniumTestCase):
 
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         return {
-            "image": "mailhog/mailhog:v1.0.1",
+            "image": "docker.beryju.org/proxy/mailhog/mailhog:v1.0.1",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -34,6 +34,7 @@ class TestFlowsEnroll(SeleniumTestCase):
             ),
         }
 
+    @retry()
     def test_enroll_2_step(self):
         """Test 2-step enroll flow"""
         # First stage fields
@@ -119,6 +120,7 @@ class TestFlowsEnroll(SeleniumTestCase):
             "foo@bar.baz",
         )
 
+    @retry()
     @override_settings(EMAIL_BACKEND="django.core.mail.backends.smtp.EmailBackend")
     def test_enroll_email(self):
         """Test enroll with Email verification"""

e2e/test_flows_login.py

@@ -5,13 +5,14 @@ from unittest.case import skipUnless
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 
 
 @skipUnless(platform.startswith("linux"), "requires local docker")
 class TestFlowsLogin(SeleniumTestCase):
     """test default login flow"""
 
+    @retry()
     def test_login(self):
         """test default login flow"""
         self.driver.get(f"{self.live_server_url}/flows/default-authentication-flow/")

e2e/test_flows_otp.py

@@ -12,7 +12,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.flows.models import Flow, FlowStageBinding
 from passbook.stages.otp_validate.models import OTPValidateStage
 
@@ -21,6 +21,7 @@ from passbook.stages.otp_validate.models import OTPValidateStage
 class TestFlowsOTP(SeleniumTestCase):
     """test flow with otp stages"""
 
+    @retry()
     def test_otp_validate(self):
         """test flow with otp stages"""
         sleep(1)
@@ -52,6 +53,7 @@ class TestFlowsOTP(SeleniumTestCase):
             USER().username,
         )
 
+    @retry()
     def test_otp_totp_setup(self):
         """test TOTP Setup stage"""
         flow: Flow = Flow.objects.get(slug="default-authentication-flow")
@@ -98,6 +100,7 @@ class TestFlowsOTP(SeleniumTestCase):
 
         self.assertTrue(TOTPDevice.objects.filter(user=USER(), confirmed=True).exists())
 
+    @retry()
     def test_otp_static_setup(self):
         """test Static OTP Setup stage"""
         flow: Flow = Flow.objects.get(slug="default-authentication-flow")

e2e/test_flows_stage_setup.py

@@ -5,7 +5,7 @@ from unittest.case import skipUnless
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation
 from passbook.providers.oauth2.generators import generate_client_secret
@@ -16,6 +16,7 @@ from passbook.stages.password.models import PasswordStage
 class TestFlowsStageSetup(SeleniumTestCase):
     """test stage setup flows"""
 
+    @retry()
     def test_password_change(self):
         """test password change flow"""
         # Ensure that password stage has change_flow set

e2e/test_provider_oauth2_github.py

@@ -9,7 +9,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.flows.models import Flow
 from passbook.policies.expression.models import ExpressionPolicy
@@ -33,7 +33,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         """Setup client grafana container which we test OAuth against"""
         return {
-            "image": "grafana/grafana:7.1.0",
+            "image": "docker.beryju.org/proxy/grafana/grafana:7.1.0",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -61,6 +61,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             },
         }
 
+    @retry()
     def test_authorization_consent_implied(self):
         """test OAuth Provider flow (default authorization flow with implied consent)"""
         # Bootstrap all needed objects
@@ -115,6 +116,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             USER().username,
         )
 
+    @retry()
     def test_authorization_consent_explicit(self):
         """test OAuth Provider flow (default authorization flow with explicit consent)"""
         # Bootstrap all needed objects
@@ -184,6 +186,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             USER().username,
         )
 
+    @retry()
     def test_denied(self):
         """test OAuth Provider flow (default authorization flow, denied)"""
         # Bootstrap all needed objects

e2e/test_provider_oauth2_grafana.py

@@ -10,7 +10,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -47,7 +47,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
 
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         return {
-            "image": "grafana/grafana:7.1.0",
+            "image": "docker.beryju.org/proxy/grafana/grafana:7.1.0",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -80,6 +80,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             },
         }
 
+    @retry()
     def test_redirect_uri_error(self):
         """test OpenID Provider flow (invalid redirect URI, check error message)"""
         sleep(1)
@@ -122,6 +123,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             "Redirect URI Error",
         )
 
+    @retry()
     def test_authorization_consent_implied(self):
         """test OpenID Provider flow (default authorization flow with implied consent)"""
         sleep(1)
@@ -183,6 +185,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             USER().email,
         )
 
+    @retry()
     def test_authorization_logout(self):
         """test OpenID Provider flow with logout"""
         sleep(1)
@@ -252,6 +255,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
         )
         self.driver.find_element(By.ID, "logout").click()
 
+    @retry()
     def test_authorization_consent_explicit(self):
         """test OpenID Provider flow (default authorization flow with explicit consent)"""
         sleep(1)
@@ -325,6 +329,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             USER().email,
         )
 
+    @retry()
     def test_authorization_denied(self):
         """test OpenID Provider flow (default authorization with access deny)"""
         sleep(1)

e2e/test_provider_oauth2_oidc.py

@@ -12,7 +12,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -53,7 +53,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         client: DockerClient = from_env()
         client.images.pull("beryju/oidc-test-client")
         container = client.containers.run(
-            image="beryju/oidc-test-client",
+            image="docker.beryju.org/proxy/beryju/oidc-test-client",
             detach=True,
             network_mode="host",
             auto_remove=True,
@@ -76,6 +76,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             LOGGER.info("Container failed healthcheck")
             sleep(1)
 
+    @retry()
     def test_redirect_uri_error(self):
         """test OpenID Provider flow (invalid redirect URI, check error message)"""
         sleep(1)
@@ -119,6 +120,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
             "Redirect URI Error",
         )
 
+    @retry()
     def test_authorization_consent_implied(self):
         """test OpenID Provider flow (default authorization flow with implied consent)"""
         sleep(1)
@@ -169,6 +171,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
         self.assertEqual(body["UserInfo"]["email"], USER().email)
 
+    @retry()
     def test_authorization_consent_explicit(self):
         """test OpenID Provider flow (default authorization flow with explicit consent)"""
         sleep(1)
@@ -229,6 +232,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
         self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
         self.assertEqual(body["UserInfo"]["email"], USER().email)
 
+    @retry()
     def test_authorization_denied(self):
         """test OpenID Provider flow (default authorization with access deny)"""
         sleep(1)

e2e/test_provider_proxy.py

@@ -1,4 +1,5 @@
 """Proxy and Outpost e2e tests"""
+from dataclasses import asdict
 from sys import platform
 from time import sleep
 from typing import Any, Dict, Optional
@@ -10,11 +11,16 @@ from docker.models.containers import Container
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook import __version__
 from passbook.core.models import Application
 from passbook.flows.models import Flow
-from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType
+from passbook.outposts.models import (
+    Outpost,
+    OutpostConfig,
+    OutpostDeploymentType,
+    OutpostType,
+)
 from passbook.providers.proxy.models import ProxyProvider
 
 
@@ -30,7 +36,7 @@ class TestProviderProxy(SeleniumTestCase):
 
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         return {
-            "image": "traefik/whoami:latest",
+            "image": "docker.beryju.org/proxy/traefik/whoami:latest",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -46,11 +52,12 @@ class TestProviderProxy(SeleniumTestCase):
             auto_remove=True,
             environment={
                 "PASSBOOK_HOST": self.live_server_url,
-                "PASSBOOK_TOKEN": outpost.token.token_uuid.hex,
+                "PASSBOOK_TOKEN": outpost.token.key,
             },
         )
         return container
 
+    @retry()
     def test_proxy_simple(self):
         """Test simple outpost setup with single provider"""
         proxy: ProxyProvider = ProxyProvider.objects.create(
@@ -79,8 +86,10 @@ class TestProviderProxy(SeleniumTestCase):
         # Wait until outpost healthcheck succeeds
         healthcheck_retries = 0
         while healthcheck_retries < 50:
-            if outpost.deployment_health:
-                break
+            if len(outpost.state) > 0:
+                state = outpost.state[0]
+                if state.last_seen:
+                    break
             healthcheck_retries += 1
             sleep(0.5)
 
@@ -102,27 +111,7 @@ class TestProviderProxy(SeleniumTestCase):
 class TestProviderProxyConnect(ChannelsLiveServerTestCase):
     """Test Proxy connectivity over websockets"""
 
-    proxy_container: Container
-
-    def tearDown(self) -> None:
-        self.proxy_container.kill()
-        super().tearDown()
-
-    def start_proxy(self, outpost: Outpost) -> Container:
-        """Start proxy container based on outpost created"""
-        client: DockerClient = from_env()
-        container = client.containers.run(
-            image=f"beryju/passbook-proxy:{__version__}",
-            detach=True,
-            network_mode="host",
-            auto_remove=True,
-            environment={
-                "PASSBOOK_HOST": self.live_server_url,
-                "PASSBOOK_TOKEN": outpost.token.token_uuid.hex,
-            },
-        )
-        return container
-
+    @retry()
     def test_proxy_connectivity(self):
         """Test proxy connectivity over websocket"""
         SeleniumTestCase().apply_default_data()
@@ -142,20 +131,27 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
         outpost: Outpost = Outpost.objects.create(
             name="proxy_outpost",
             type=OutpostType.PROXY,
-            deployment_type=OutpostDeploymentType.CUSTOM,
+            deployment_type=OutpostDeploymentType.DOCKER,
+            _config=asdict(
+                OutpostConfig(passbook_host=self.live_server_url, log_level="debug")
+            ),
         )
         outpost.providers.add(proxy)
         outpost.save()
 
-        self.proxy_container = self.start_proxy(outpost)
-
         # Wait until outpost healthcheck succeeds
         healthcheck_retries = 0
         while healthcheck_retries < 50:
-            if outpost.deployment_health:
-                break
+            if len(outpost.state) > 0:
+                state = outpost.state[0]
+                if state.last_seen and state.version:
+                    break
             healthcheck_retries += 1
             sleep(0.5)
 
-        self.assertIsNotNone(outpost.deployment_health)
-        self.assertEqual(outpost.deployment_version.get("version"), __version__)
+        state = outpost.state
+        self.assertTrue(len(state), 1)
+        self.assertEqual(state[0].version, __version__)
+
+        # Make sure to delete the outpost to remove the container
+        outpost.delete()

e2e/test_provider_saml.py

@@ -12,7 +12,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 
-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -38,7 +38,7 @@ class TestProviderSAML(SeleniumTestCase):
         client: DockerClient = from_env()
         client.images.pull("beryju/oidc-test-client")
         container = client.containers.run(
-            image="beryju/saml-test-sp",
+            image="docker.beryju.org/proxy/beryju/saml-test-sp",
             detach=True,
             network_mode="host",
             auto_remove=True,
@@ -66,6 +66,7 @@ class TestProviderSAML(SeleniumTestCase):
             LOGGER.info("Container failed healthcheck")
             sleep(1)
 
+    @retry()
     def test_sp_initiated_implicit(self):
         """test SAML Provider flow SP-initiated flow (implicit consent)"""
         # Bootstrap all needed objects
@@ -105,6 +106,7 @@ class TestProviderSAML(SeleniumTestCase):
         self.assertEqual(body["attr"]["mail"], [USER().email])
         self.assertEqual(body["attr"]["uid"], [str(USER().pk)])
 
+    @retry()
     def test_sp_initiated_explicit(self):
         """test SAML Provider flow SP-initiated flow (explicit consent)"""
         # Bootstrap all needed objects
@@ -150,6 +152,7 @@ class TestProviderSAML(SeleniumTestCase):
         self.assertEqual(body["attr"]["mail"], [USER().email])
         self.assertEqual(body["attr"]["uid"], [str(USER().pk)])
 
+    @retry()
     def test_idp_initiated_implicit(self):
         """test SAML Provider flow IdP-initiated flow (implicit consent)"""
         # Bootstrap all needed objects
@@ -195,6 +198,7 @@ class TestProviderSAML(SeleniumTestCase):
         self.assertEqual(body["attr"]["mail"], [USER().email])
         self.assertEqual(body["attr"]["uid"], [str(USER().pk)])
 
+    @retry()
     def test_sp_initiated_denied(self):
         """test SAML Provider flow SP-initiated flow (Policy denies access)"""
         # Bootstrap all needed objects

e2e/test_source_oauth.py

@@ -14,7 +14,7 @@ from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 from yaml import safe_dump
 
-from e2e.utils import SeleniumTestCase
+from e2e.utils import SeleniumTestCase, retry
 from passbook.flows.models import Flow
 from passbook.providers.oauth2.generators import (
     generate_client_id,
@@ -106,6 +106,7 @@ class TestSourceOAuth2(SeleniumTestCase):
             consumer_secret=self.client_secret,
         )
 
+    @retry()
     def test_oauth_enroll(self):
         """test OAuth Source With With OIDC"""
         self.create_objects()
@@ -159,6 +160,7 @@ class TestSourceOAuth2(SeleniumTestCase):
             "admin@example.com",
         )
 
+    @retry()
     @override_settings(SESSION_COOKIE_SAMESITE="strict")
     def test_oauth_samesite_strict(self):
         """test OAuth Source With SameSite set to strict
@@ -195,6 +197,7 @@ class TestSourceOAuth2(SeleniumTestCase):
             "Authentication Failed.",
         )
 
+    @retry()
     def test_oauth_enroll_auth(self):
         """test OAuth Source With With OIDC (enroll and authenticate again)"""
         self.test_oauth_enroll()
@@ -255,7 +258,7 @@ class TestSourceOAuth1(SeleniumTestCase):
 
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         return {
-            "image": "beryju/oauth1-test-server",
+            "image": "docker.beryju.org/proxy/beryju/oauth1-test-server",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -291,6 +294,7 @@ class TestSourceOAuth1(SeleniumTestCase):
             consumer_secret=self.client_secret,
         )
 
+    @retry()
     def test_oauth_enroll(self):
         """test OAuth Source With With OIDC"""
         self.create_objects()
@@ -317,6 +321,7 @@ class TestSourceOAuth1(SeleniumTestCase):
         self.driver.find_element(By.CSS_SELECTOR, "[name='confirm']").click()
 
         # Wait until we've loaded the user info page
+        sleep(2)
         self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
         self.driver.get(self.url("passbook_core:user-settings"))
 

e2e/test_source_saml.py

@@ -10,7 +10,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 
-from e2e.utils import SeleniumTestCase
+from e2e.utils import SeleniumTestCase, retry
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
 from passbook.sources.saml.models import SAMLBindingTypes, SAMLSource
@@ -75,7 +75,7 @@ class TestSourceSAML(SeleniumTestCase):
 
     def get_container_specs(self) -> Optional[Dict[str, Any]]:
         return {
-            "image": "kristophjunge/test-saml-idp:1.15",
+            "image": "docker.beryju.org/proxy/kristophjunge/test-saml-idp:1.15",
             "detach": True,
             "network_mode": "host",
             "auto_remove": True,
@@ -92,6 +92,7 @@ class TestSourceSAML(SeleniumTestCase):
             },
         }
 
+    @retry()
     def test_idp_redirect(self):
         """test SAML Source With redirect binding"""
         # Bootstrap all needed objects
@@ -141,6 +142,7 @@ class TestSourceSAML(SeleniumTestCase):
             self.driver.find_element(By.ID, "id_username").get_attribute("value"), ""
         )
 
+    @retry()
     def test_idp_post(self):
         """test SAML Source With post binding"""
         # Bootstrap all needed objects
@@ -192,6 +194,7 @@ class TestSourceSAML(SeleniumTestCase):
             self.driver.find_element(By.ID, "id_username").get_attribute("value"), ""
         )
 
+    @retry()
     def test_idp_post_auto(self):
         """test SAML Source With post binding (auto redirect)"""
         # Bootstrap all needed objects

e2e/utils.py

@@ -1,19 +1,22 @@
 """passbook e2e testing utilities"""
+from functools import wraps
 from glob import glob
 from importlib.util import module_from_spec, spec_from_file_location
 from inspect import getmembers, isfunction
 from os import environ, makedirs
 from time import sleep, time
-from typing import Any, Dict, Optional
+from typing import Any, Callable, Dict, Optional
 
 from django.apps import apps
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.db import connection, transaction
 from django.db.utils import IntegrityError
 from django.shortcuts import reverse
+from django.test.testcases import TransactionTestCase
 from docker import DockerClient, from_env
 from docker.models.containers import Container
 from selenium import webdriver
+from selenium.common.exceptions import NoSuchElementException, TimeoutException
 from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.support.ui import WebDriverWait
@@ -123,3 +126,41 @@ class SeleniumTestCase(StaticLiveServerTestCase):
                             func(apps, schema_editor)
                         except IntegrityError:
                             pass
+
+
+def retry(max_retires=3, exceptions=None):
+    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
+
+    if not exceptions:
+        exceptions = [TimeoutException, NoSuchElementException]
+
+    logger = get_logger()
+
+    def retry_actual(func: Callable):
+        """Retry test multiple times"""
+        count = 1
+
+        @wraps(func)
+        def wrapper(self: TransactionTestCase, *args, **kwargs):
+            """Run test again if we're below max_retries, including tearDown and
+            setUp. Otherwise raise the error"""
+            nonlocal count
+            try:
+                return func(self, *args, **kwargs)
+            # pylint: disable=catching-non-exception
+            except tuple(exceptions) as exc:
+                count += 1
+                if count > max_retires:
+                    logger.debug("Exceeded retry count", exc=exc, test=self)
+                    # pylint: disable=raising-non-exception
+                    raise exc
+                logger.debug("Retrying on error", exc=exc, test=self)
+                self.tearDown()
+                # pylint: disable=protected-access
+                self._post_teardown()
+                self.setUp()
+                return wrapper(self, *args, **kwargs)
+
+        return wrapper
+
+    return retry_actual

helm/Chart.yaml

@@ -1,9 +1,11 @@
 apiVersion: v2
-appVersion: "0.11.0-stable"
-description: A Helm chart for passbook.
+description: passbook is an open-source Identity Provider focused on flexibility and versatility. You can use passbook in an existing environment to add support for new protocols. passbook is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.
 name: passbook
-version: "0.11.0-stable"
-icon: https://github.com/BeryJu/passbook/blob/master/docs/images/logo.svg
+home: https://passbook.beryju.org
+sources:
+  - https://github.com/BeryJu/passbook
+version: "0.12.7-stable"
+icon: https://raw.githubusercontent.com/BeryJu/passbook/master/docs/images/logo.svg
 dependencies:
   - name: postgresql
     version: 9.4.1

helm/README.md

@@ -0,0 +1,28 @@
+# passbook Helm Chart
+
+| Name                              | Default                 | Description |
+|-----------------------------------|-------------------------|-------------|
+| image.name                        | beryju/passbook         | Image used to run the passbook server and worker |
+| image.name_static                 | beryju/passbook-static  | Image used to run the passbook static server (CSS and JS Files) |
+| image.tag                         | 0.12.5-stable           | Image tag |
+| serverReplicas                    | 1                       | Replicas for the Server deployment |
+| workerReplicas                    | 1                       | Replicas for the Worker deployment |
+| kubernetesIntegration             | true                    | Enable/disable the Kubernetes integration for passbook. This will create a service account for passbook to create and update outposts in passbook |
+| config.secretKey                  |                         | Secret key used to sign session cookies, generate with `pwgen 50 1` for example. |
+| config.errorReporting.enabled     | false                   | Enable/disable error reporting |
+| config.errorReporting.environment | customer                | Environment sent with the error reporting |
+| config.errorReporting.sendPii     | false                   | Whether to send Personally-identifiable data with the error reporting |
+| config.logLevel                   | warning                 | Log level of passbook |
+| backup.accessKey                  |                         | Optionally enable S3 Backup, Access Key |
+| backup.secretKey                  |                         | Optionally enable S3 Backup, Secret Key |
+| backup.bucket                     |                         | Optionally enable S3 Backup, Bucket |
+| backup.region                     |                         | Optionally enable S3 Backup, Region |
+| backup.host                       |                         | Optionally enable S3 Backup, to custom Endpoint like minio |
+| ingress.annotations               | {}                      | Annotations for the ingress object |
+| ingress.hosts                     | [passbook.k8s.local]    | Hosts which the ingress will match |
+| ingress.tls                       | []                      | TLS Configuration, same as Ingress objects |
+| install.postgresql                | true                    | Enables/disables the packaged PostgreSQL Chart
+| install.redis                     | true                    | Enables/disables the packaged Redis Chart
+| postgresql.postgresqlPassword     |                         | Password used for PostgreSQL, generated automatically.
+
+For more info, see https://passbook.beryju.org/ and https://passbook.beryju.org/installation/kubernetes/

helm/templates/_helpers.tpl

@@ -3,7 +3,7 @@
 Expand the name of the chart.
 */}}
 {{- define "passbook.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- default .Chart.Name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
@@ -12,17 +12,13 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "passbook.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- $name := default .Chart.Name -}}
 {{- if contains $name .Release.Name -}}
 {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label.

helm/templates/configmap.yaml

@@ -7,14 +7,14 @@ data:
   POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
   POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
   {{- if .Values.backup }}
-  POSTGRESQL__S3_BACKUP__ACCESS_KEY: "{{ .Values.backup.access_key }}"
-  POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secret_key }}"
+  POSTGRESQL__S3_BACKUP__ACCESS_KEY: "{{ .Values.backup.accessKey }}"
+  POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secretKey }}"
   POSTGRESQL__S3_BACKUP__BUCKET: "{{ .Values.backup.bucket }}"
   POSTGRESQL__S3_BACKUP__REGION: "{{ .Values.backup.region }}"
   POSTGRESQL__S3_BACKUP__HOST: "{{ .Values.backup.host }}"
   {{- end}}
   REDIS__HOST: "{{ .Release.Name }}-redis-master"
-  ERROR_REPORTING__ENABLED: "{{ .Values.config.error_reporting.enabled }}"
-  ERROR_REPORTING__ENVIRONMENT: "{{ .Values.config.error_reporting.environment }}"
-  ERROR_REPORTING__SEND_PII: "{{ .Values.config.error_reporting.send_pii }}"
-  LOG_LEVEL: "{{ .Values.config.log_level }}"
+  ERROR_REPORTING__ENABLED: "{{ .Values.config.errorReporting.enabled }}"
+  ERROR_REPORTING__ENVIRONMENT: "{{ .Values.config.errorReporting.environment }}"
+  ERROR_REPORTING__SEND_PII: "{{ .Values.config.errorReporting.sendPii }}"
+  LOG_LEVEL: "{{ .Values.config.logLevel }}"

helm/templates/cronjob-backup.yaml

@@ -1,42 +0,0 @@
-{{- if .Values.backup }}
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: {{ include "passbook.fullname" . }}-backup
-  labels:
-    app.kubernetes.io/name: {{ include "passbook.name" . }}
-    helm.sh/chart: {{ include "passbook.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  schedule: "0 0 * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: {{ .Chart.Name }}
-            image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
-            args: [server]
-            envFrom:
-              - configMapRef:
-                  name: {{ include "passbook.fullname" . }}-config
-                prefix: PASSBOOK_
-            env:
-              - name: PASSBOOK_SECRET_KEY
-                valueFrom:
-                  secretKeyRef:
-                    name: "{{ include "passbook.fullname" . }}-secret-key"
-                    key: "secret_key"
-              - name: PASSBOOK_REDIS__PASSWORD
-                valueFrom:
-                  secretKeyRef:
-                    name: "{{ .Release.Name }}-redis"
-                    key: "redis-password"
-              - name: PASSBOOK_POSTGRESQL__PASSWORD
-                valueFrom:
-                  secretKeyRef:
-                    name: "{{ .Release.Name }}-postgresql"
-                    key: "postgresql-password"
-{{- end}}

helm/templates/secret.yaml

@@ -5,8 +5,8 @@ metadata:
   name: {{ include "passbook.fullname" . }}-secret-key
 data:
   monitoring_username: bW9uaXRvcg== # monitor in base64
-  {{- if .Values.config.secret_key }}
-  secret_key: {{ .Values.config.secret_key | b64enc | quote }}
+  {{- if .Values.config.secretKey }}
+  secret_key: {{ .Values.config.secretKey | b64enc | quote }}
   {{- else }}
   secret_key: {{ randAlphaNum 50 | b64enc | quote}}
   {{- end }}

helm/templates/service-account.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.kubernetesIntegration }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "passbook.fullname" . }}-sa-role
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - secrets
+    - services
+  verbs:
+    - "get"
+    - "create"
+    - "delete"
+    - "read"
+    - "patch"
+- apiGroups:
+    - "extensions"
+    - "apps"
+  resources:
+    - "deployments"
+  verbs:
+    - "get"
+    - "create"
+    - "delete"
+    - "read"
+    - "patch"
+- apiGroups:
+    - "extensions"
+    - "networking.k8s.io"
+  resources:
+    - "ingresses"
+  verbs:
+    - "get"
+    - "create"
+    - "delete"
+    - "read"
+    - "patch"
+- apiGroups:
+    - ""
+  resources:
+    - namespaces
+  verbs:
+    - list
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "passbook.fullname" . }}-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "passbook.fullname" . }}-sa-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "passbook.fullname" . }}-sa-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "passbook.fullname" . }}-sa
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm/templates/web-deployment.yaml

@@ -100,14 +100,14 @@ spec:
               port: http
               httpHeaders:
                 - name: Host
-                  value: kubernetes-healthcheck-host
+                  value: passbook-healthcheck-host
           readinessProbe:
             httpGet:
               path: /
               port: http
               httpHeaders:
                 - name: Host
-                  value: kubernetes-healthcheck-host
+                  value: passbook-healthcheck-host
           resources:
             requests:
               cpu: 100m

helm/templates/worker-deployment.yaml

@@ -22,6 +22,9 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         k8s.passbook.beryju.org/component: worker
     spec:
+      {{- if .Values.kubernetesIntegration }}
+      serviceAccountName: {{ include "passbook.fullname" . }}-sa
+      {{- end }}
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:

helm/values.test.yaml

@@ -0,0 +1,21 @@
+image:
+  tag: gh-master
+
+serverReplicas: 1
+workerReplicas: 1
+
+config:
+  # Log level used by web and worker
+  # Can be either debug, info, warning, error
+  logLevel: debug
+
+ingress:
+  hosts:
+    - passbook.127.0.0.1.nip.io
+
+# These values influence the bundled postgresql and redis charts, but are also used by passbook to connect
+postgresql:
+  postgresqlPassword: EK-5jnKfjrGRm<77
+
+redis:
+  password: password

helm/values.yaml

@@ -4,29 +4,30 @@
 image:
   name: beryju/passbook
   name_static: beryju/passbook-static
-  tag: 0.11.0-stable
-
-nameOverride: ""
+  tag: 0.12.7-stable
 
 serverReplicas: 1
 workerReplicas: 1
 
+# Enable the Kubernetes integration which lets passbook deploy outposts into kubernetes
+kubernetesIntegration: true
+
 config:
   # Optionally specify fixed secret_key, otherwise generated automatically
-  # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
+  # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
   # Enable error reporting
-  error_reporting:
+  errorReporting:
     enabled: false
     environment: customer
-    send_pii: false
+    sendPii: false
   # Log level used by web and worker
   # Can be either debug, info, warning, error
-  log_level: warning
+  logLevel: warning
 
 # Enable Database Backups to S3
 # backup:
-#   access_key: access-key
-#   secret_key: secret-key
+#   accessKey: access-key
+#   secretKey: secret-key
 #   bucket: s3-bucket
 #   region: eu-central-1
 #   host: s3-host
@@ -35,7 +36,6 @@ ingress:
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
-  path: /
   hosts:
     - passbook.k8s.local
   tls: []
@@ -59,7 +59,5 @@ redis:
   cluster:
     enabled: false
   master:
-    persistence:
-      enabled: false
     # https://stackoverflow.com/a/59189742
     disableCommands: []

lifecycle/bootstrap.sh

@@ -4,7 +4,7 @@ printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap",
 if [[ "$1" == "server" ]]; then
     gunicorn -c /lifecycle/gunicorn.conf.py passbook.root.asgi:application
 elif [[ "$1" == "worker" ]]; then
-    celery -A passbook.root.celery worker --autoscale 10,3 -E -B -s /tmp/celerybeat-schedule -Q passbook,passbook_scheduled
+    celery -A passbook.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q passbook,passbook_scheduled
 elif [[ "$1" == "migrate" ]]; then
     # Run system migrations first, run normal migrations after
     python -m lifecycle.migrate

lifecycle/migrate.py

@@ -47,7 +47,9 @@ if __name__ == "__main__":
         # pyright: reportGeneralTypeIssues=false
         spec.loader.exec_module(mod)
 
-        for _, sub in getmembers(mod, isclass):
+        for name, sub in getmembers(mod, isclass):
+            if name != "Migration":
+                continue
             migration = sub(curr, conn)
             if migration.needs_migration():
                 LOGGER.info("Migration needs to be applied", migration=sub)

lifecycle/system_migrations/to_0_10.py

@@ -25,7 +25,7 @@ delete from django_migrations where app = 'passbook_stages_password' and
 name = '0002_passwordstage_change_flow';"""
 
 
-class To010Migration(BaseMigration):
+class Migration(BaseMigration):
     def needs_migration(self) -> bool:
         self.cur.execute(
             "select * from information_schema.tables where table_name='oidc_provider_client'"

mkdocs.yml

@@ -47,22 +47,26 @@ nav:
     - Overview: policies/index.md
     - Expression: policies/expression.md
   - Integrations:
+    - as Source:
+      - Active Directory: integrations/sources/active-directory/index.md
     - as Provider:
-        - Amazon Web Services: integrations/services/aws/index.md
-        - GitLab: integrations/services/gitlab/index.md
-        - Rancher: integrations/services/rancher/index.md
-        - Harbor: integrations/services/harbor/index.md
-        - Sentry: integrations/services/sentry/index.md
-        - Ansible Tower/AWX: integrations/services/tower-awx/index.md
-        - VMware vCenter: integrations/services/vmware-vcenter/index.md
-        - Ubuntu Landscape: integrations/services/ubuntu-landscape/index.md
-        - Sonarr: integrations/services/sonarr/index.md
-        - Tautulli: integrations/services/tautulli/index.md
+      - Amazon Web Services: integrations/services/aws/index.md
+      - GitLab: integrations/services/gitlab/index.md
+      - Rancher: integrations/services/rancher/index.md
+      - Harbor: integrations/services/harbor/index.md
+      - Sentry: integrations/services/sentry/index.md
+      - Ansible Tower/AWX: integrations/services/tower-awx/index.md
+      - VMware vCenter: integrations/services/vmware-vcenter/index.md
+      - Ubuntu Landscape: integrations/services/ubuntu-landscape/index.md
+      - Sonarr: integrations/services/sonarr/index.md
+      - Tautulli: integrations/services/tautulli/index.md
   - Maintenance:
     - Backups: maintenance/backups/index.md
   - Upgrading:
     - to 0.9: upgrading/to-0.9.md
     - to 0.10: upgrading/to-0.10.md
+    - to 0.11: upgrading/to-0.11.md
+    - to 0.12: upgrading/to-0.12.md
   - Troubleshooting:
     - Access problems: troubleshooting/access.md
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.11.0-stable"
+__version__ = "0.12.7-stable"

passbook/admin/api/overview.py

@@ -1,7 +1,7 @@
 """passbook administration overview"""
 from django.core.cache import cache
 from django.http import response
-from drf_yasg.utils import swagger_auto_schema
+from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request

passbook/admin/api/overview_metrics.py

@@ -9,7 +9,7 @@ from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.http import response
 from django.utils.timezone import now
-from drf_yasg.utils import swagger_auto_schema
+from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request

passbook/admin/api/tasks.py

@@ -0,0 +1,72 @@
+"""Tasks API"""
+from importlib import import_module
+
+from django.contrib import messages
+from django.http.response import Http404
+from django.utils.translation import gettext_lazy as _
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.decorators import action
+from rest_framework.fields import CharField, DateTimeField, IntegerField, ListField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+from passbook.lib.tasks import TaskInfo
+
+
+class TaskSerializer(Serializer):
+    """Serialize TaskInfo and TaskResult"""
+
+    task_name = CharField()
+    task_description = CharField()
+    task_finish_timestamp = DateTimeField(source="finish_timestamp")
+
+    status = IntegerField(source="result.status.value")
+    messages = ListField(source="result.messages")
+
+    def create(self, request: Request) -> Response:
+        raise NotImplementedError
+
+    def update(self, request: Request) -> Response:
+        raise NotImplementedError
+
+
+class TaskViewSet(ViewSet):
+    """Read-only view set that returns all background tasks"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """List current messages and pass into Serializer"""
+        return Response(TaskSerializer(TaskInfo.all().values(), many=True).data)
+
+    @action(detail=True, methods=["post"])
+    # pylint: disable=invalid-name
+    def retry(self, request: Request, pk=None) -> Response:
+        """Retry task"""
+        task = TaskInfo.by_name(pk)
+        if not task:
+            raise Http404
+        try:
+            task_module = import_module(task.task_call_module)
+            task_func = getattr(task_module, task.task_call_func)
+            task_func.delay(*task.task_call_args, **task.task_call_kwargs)
+            messages.success(
+                self.request,
+                _(
+                    "Successfully re-scheduled Task %(name)s!"
+                    % {"name": task.task_name}
+                ),
+            )
+            return Response(
+                {
+                    "successful": True,
+                }
+            )
+        except ImportError:
+            # if we get an import error, the module path has probably changed
+            task.delete()
+            return Response({"successful": False})

passbook/admin/tasks.py

@@ -3,6 +3,7 @@ from django.core.cache import cache
 from requests import RequestException, get
 from structlog import get_logger
 
+from passbook.lib.tasks import MonitoredTask, TaskResult, TaskResultStatus
 from passbook.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -10,8 +11,8 @@ VERSION_CACHE_KEY = "passbook_latest_version"
 VERSION_CACHE_TIMEOUT = 2 * 60 * 60  # 2 hours
 
 
-@CELERY_APP.task()
-def update_latest_version():
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
     try:
         data = get(
@@ -19,5 +20,11 @@ def update_latest_version():
         ).json()
         tag_name = data.get("tag_name")
         cache.set(VERSION_CACHE_KEY, tag_name.split("/")[1], VERSION_CACHE_TIMEOUT)
-    except (RequestException, IndexError):
+        self.set_status(
+            TaskResult(
+                TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
+            )
+        )
+    except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))

passbook/admin/templates/administration/base.html

@@ -146,6 +146,12 @@
                         {% trans 'Groups' %}
                     </a>
                 </li>
+                <li class="pf-c-nav__item">
+                    <a href="{% url 'passbook_admin:tasks' %}"
+                        class="pf-c-nav__link {% is_active 'passbook_admin:tasks' %}">
+                        {% trans 'System Tasks' %}
+                    </a>
+                </li>
             </ul>
         </nav>
     </div>

passbook/admin/templates/administration/outpost/list.html

@@ -48,28 +48,41 @@
                             {{ outpost.providers.all.select_subclasses|join:", " }}
                         </span>
                     </td>
-                    <td role="cell">
-                        {% with health=outpost.deployment_health %}
-                        {% if health %}
-                            <i class="fas fa-check pf-m-success"></i> {{ health|naturaltime }}
-                        {% else %}
-                            <i class="fas fa-times pf-m-danger"></i> Unhealthy
-                        {% endif %}
-                        {% endwith %}
-                    </td>
-                    <td role="cell">
-                        <span>
-                            {% with ver=outpost.deployment_version %}
-                            {% if not ver.version %}
+                    {% with states=outpost.state %}
+                    {% if states|length > 0 %}
+                        <td role="cell">
+                            {% for state in states %}
+                            <div>
+                                {% if state.last_seen %}
+                                <i class="fas fa-check pf-m-success"></i> {{ state.last_seen|naturaltime }}
+                                {% else %}
+                                <i class="fas fa-times pf-m-danger"></i> {% trans 'Unhealthy' %}
+                                {% endif %}
+                            </div>
+                            {% endfor %}
+                        </td>
+                        <td role="cell">
+                            {% for state in states %}
+                                <div>
+                                    {% if not state.version %}
+                                    <i class="fas fa-question-circle"></i>
+                                    {% elif state.version_outdated %}
+                                    <i class="fas fa-times pf-m-danger"></i> {% blocktrans with is=state.version should=state.version_should %}{{ is }}, should be {{ should }}{% endblocktrans %}
+                                    {% else %}
+                                    <i class="fas fa-check pf-m-success"></i> {{ state.version }}
+                                    {% endif %}
+                                </div>
+                            {% endfor %}
+                        </td>
+                    {% else %}
+                        <td role="cell">
                             <i class="fas fa-question-circle"></i>
-                            {% elif ver.outdated %}
-                            <i class="fas fa-times pf-m-danger"></i> {% blocktrans with is=ver.version should=ver.should %}{{ is }}, should be {{ should }}{% endblocktrans %}
-                            {% else %}
-                            <i class="fas fa-check pf-m-success"></i> {{ ver.version }}
-                            {% endif %}
-                            {% endwith %}
-                        </span>
-                    </td>
+                        </td>
+                        <td role="cell">
+                            <i class="fas fa-question-circle"></i>
+                        </td>
+                    {% endif %}
+                    {% endwith %}
                     <td>
                         <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:outpost-update' pk=outpost.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
                         <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:outpost-delete' pk=outpost.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>

passbook/admin/templates/administration/overview.html

@@ -56,19 +56,22 @@
         </div>
 
         <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
-            <div class="pf-c-card__header">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-plugged"></i> {% trans 'Providers' %}
                 </div>
+                <a href="{% url 'passbook_admin:providers' %}">
+                    <i class="fa fa-external-link-alt"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
                 {% if providers_without_application.exists %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-exclamation-triangle"></i> {{ provider_count }}
                 </p>
                 <p>{% trans 'Warning: At least one Provider has no application assigned.' %}</p>
                 {% else %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-check-circle"></i> {{ provider_count }}
                 </p>
                 {% endif %}
@@ -76,19 +79,22 @@
         </div>
 
         <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
-            <div class="pf-c-card__header">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-infrastructure"></i> {% trans 'Policies' %}
                 </div>
+                <a href="{% url 'passbook_admin:policies' %}">
+                    <i class="fa fa-external-link-alt"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
                 {% if policies_without_binding %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-exclamation-triangle"></i> {{ policy_count }}
                 </p>
                 <p>{% trans 'Policies without binding exist.' %}</p>
                 {% else %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-check-circle"></i> {{ policy_count }}
                 </p>
                 {% endif %}
@@ -96,26 +102,32 @@
         </div>
 
         <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
-            <div class="pf-c-card__header">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-user"></i> {% trans 'Users' %}
                 </div>
+                <a href="{% url 'passbook_admin:users' %}">
+                    <i class="fa fa-external-link-alt"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-check-circle"></i> {{ user_count }}
                 </p>
             </div>
         </div>
 
         <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
-            <div class="pf-c-card__header">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-bundle"></i> {% trans 'Version' %}
                 </div>
+                <a href="https://github.com/BeryJu/passbook/releases" target="_blank">
+                    <i class="fa fa-external-link-alt"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     {% if version >= version_latest %}
                     <i class="fa fa-check-circle"></i> {{ version }}
                     {% else %}
@@ -142,13 +154,13 @@
             </div>
             <fetch-fill-slot class="pf-c-card__body" url="{% url 'passbook_api:admin_overview-list' %}" key="worker_count">
                 <div slot="value < 1">
-                    <p class="aggregate-status">
+                    <p class="pb-aggregate-card">
                         <i class="fa fa-exclamation-triangle"></i> <span data-value></span>
                     </p>
                     <p>{% trans 'No workers connected.' %}</p>
                 </div>
                 <div slot="value >= 1">
-                    <p class="aggregate-status">
+                    <p class="pb-aggregate-card">
                         <i class="fa fa-check-circle"></i> <span data-value></span>
                     </p>
                 </div>
@@ -162,74 +174,104 @@
             </fetch-fill-slot>
         </div>
 
-        <a class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-hoverable pf-m-compact" data-target="modal" data-modal="clearCacheModalRoot">
-            <div class="pf-c-card__header">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-server"></i> {% trans 'Cached Policies' %}
                 </div>
+                <a data-target="modal" data-modal="clearPolicyCache">
+                    <i class="fa fa-trash"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
                 {% if cached_policies < 1 %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-exclamation-triangle"></i> {{ cached_policies }}
                 </p>
                 <p>{% trans 'No policies cached. Users may experience slow response times.' %}</p>
                 {% else %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-check-circle"></i> {{ cached_policies }}
                 </p>
                 {% endif %}
             </div>
-        </a>
+        </div>
 
         <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
-            <div class="pf-c-card__header">
+            <div class="pf-c-card__header pf-l-flex pf-m-justify-content-space-between">
                 <div class="pf-c-card__header-main">
                     <i class="pf-icon pf-icon-server"></i> {% trans 'Cached Flows' %}
                 </div>
+                <a data-target="modal" data-modal="clearFlowCache">
+                    <i class="fa fa-trash"> </i>
+                </a>
             </div>
             <div class="pf-c-card__body">
                 {% if cached_flows < 1 %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <span class="fa fa-exclamation-triangle"></span> {{ cached_flows }}
                 </p>
                 <p>{% trans 'No flows cached.' %}</p>
                 {% else %}
-                <p class="aggregate-status">
+                <p class="pb-aggregate-card">
                     <i class="fa fa-check-circle"></i> {{ cached_flows }}
                 </p>
                 {% endif %}
             </div>
         </div>
-    </section>
-</div>
-<div class="pf-c-backdrop" id="clearCacheModalRoot" hidden>
+    </div>
+</section>
+
+<div class="pf-c-backdrop" id="clearPolicyCache" hidden>
     <div class="pf-l-bullseye">
         <div class="pf-c-modal-box pf-m-sm" role="dialog">
             <button data-modal-close class="pf-c-button pf-m-plain" type="button" aria-label="Close dialog">
                 <i class="fas fa-times" aria-hidden="true"></i>
             </button>
             <div class="pf-c-modal-box__header">
-                <h1 class="pf-c-title pf-m-2xl" id="modal-title">{% trans 'Clear Cache' %}?</h1>
+                <h1 class="pf-c-title pf-m-2xl" id="modal-title">{% trans 'Clear Policy Cache' %}?</h1>
             </div>
             <div class="pf-c-modal-box__body" id="modal-description">
-                <form method="post" id="clearForm">
+                <form method="post" id="clear_policies">
                     {% csrf_token %}
-                    <input type="hidden" name="clear">
+                    <input type="hidden" name="clear_policies">
                     <p>
                         {% blocktrans %}
-                        Are you sure you want to clear the cache? This includes all user sessions and all cached Policy results.
+                        Are you sure you want to clear the policy cache? This will cause all policies to be re-evaluated on their next usage.
                         {% endblocktrans %}
                     </p>
-                    <h3>
-                        {% blocktrans %}
-                        This will also log you out.
-                        {% endblocktrans %}
-                    </h3>
                 </form>
             </div>
             <footer class="pf-c-modal-box__footer pf-m-align-left">
-                <button form="clearForm" class="pf-c-button pf-m-primary" type="submit">{% trans 'Clear' %}</button>
+                <button form="clear_policies" class="pf-c-button pf-m-primary" type="submit">{% trans 'Clear' %}</button>
+                <button data-modal-close class="pf-c-button pf-m-link" type="button">{% trans 'Cancel' %}</button>
+            </footer>
+        </div>
+    </div>
+</div>
+
+<div class="pf-c-backdrop" id="clearFlowCache" hidden>
+    <div class="pf-l-bullseye">
+        <div class="pf-c-modal-box pf-m-sm" role="dialog">
+            <button data-modal-close class="pf-c-button pf-m-plain" type="button" aria-label="Close dialog">
+                <i class="fas fa-times" aria-hidden="true"></i>
+            </button>
+            <div class="pf-c-modal-box__header">
+                <h1 class="pf-c-title pf-m-2xl" id="modal-title">{% trans 'Clear Flow Cache' %}?</h1>
+            </div>
+            <div class="pf-c-modal-box__body" id="modal-description">
+                <form method="post" id="clear_flows">
+                    {% csrf_token %}
+                    <input type="hidden" name="clear_flows">
+                    <p>
+                        {% blocktrans %}
+                        Are you sure you want to clear the flow cache? This will cause all flows to be re-evaluated on their next usage.
+                        {% endblocktrans %}
+                    </p>
+                </form>
+            </div>
+            <footer class="pf-c-modal-box__footer pf-m-align-left">
+                <button form="clear_flows" class="pf-c-button pf-m-primary" type="submit">{% trans 'Clear' %}</button>
                 <button data-modal-close class="pf-c-button pf-m-link" type="button">{% trans 'Cancel' %}</button>
             </footer>
         </div>
@@ -274,7 +316,6 @@ fetch("{% url 'passbook_api:admin_metrics-list' %}").then(r => r.json()).then(r
                             const date = new Date();
                             const delta = (date - values[index].value);
                             const ago = Math.round(delta / 1000 / 3600);
-                            console.log(ago);
                             return `${ago} Hours ago`;
                         },
                         autoSkip: true,
@@ -282,9 +323,6 @@ fetch("{% url 'passbook_api:admin_metrics-list' %}").then(r => r.json()).then(r
                     }
                 }],
                 yAxes: [{
-                    ticks: {
-                        stepSize: 1
-                    },
                     stacked: true,
                     gridLines: {
                         color: "rgba(0, 0, 0, 0)",

passbook/admin/templates/administration/task/list.html

@@ -0,0 +1,77 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+{% load passbook_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-automation"></i>
+            {% trans 'System Tasks' %}
+        </h1>
+        <p>{% trans "Long-running operations which passbook executes in the background." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Description' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Last Run' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Status' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Messages' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for task in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <pre>{{ task.task_name }}</pre>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ task.task_description }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ task.finish_timestamp|naturaltime }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {% if task.result.status == task_successful %}
+                            <i class="fas fa-check pf-m-success"></i> {% trans 'Successful' %}
+                            {% elif task.result.status == task_warning %}
+                            <i class="fas fa-exclamation-triangle pf-m-warning"></i> {% trans 'Warning' %}
+                            {% elif task.result.status == task_error %}
+                            <i class="fas fa-times pf-m-danger"></i> {% trans 'Error' %}
+                            {% else %}
+                            <i class="fas fa-question-circle"></i> {% trans 'Unknown' %}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td>
+                        {% for message in task.result.messages %}
+                        <div>
+                            {{ message }}
+                        </div>
+                        {% endfor %}
+                    </td>
+                    <td>
+                        <button is="action-button" class="pf-c-button pf-m-primary" url="{% url 'passbook_api:admin_system_tasks-retry' pk=task.task_name %}">
+                            {% trans 'Retry Task' %}
+                        </button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+</section>
+{% endblock %}

passbook/admin/templates/administration/user/disable.html

@@ -0,0 +1,42 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load passbook_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        {% block above_form %}
+        <h1>
+            {% blocktrans with object_type=object|verbose_name %}
+            Disable {{ object_type }}
+            {% endblocktrans %}
+        </h1>
+        {% endblock %}
+    </div>
+</section>
+<section class="pf-c-page__main-section">
+    <div class="pf-l-stack">
+        <div class="pf-l-stack__item">
+            <div class="pf-c-card">
+                <div class="pf-c-card__body">
+                    <form action="" method="post" class="pf-c-form">
+                        {% csrf_token %}
+                        <p>
+                            {% blocktrans with object_type=object|verbose_name name=object %}
+                            Are you sure you want to disable {{ object_type }} "{{ object }}"?
+                            {% endblocktrans %}
+                        </p>
+                        <div class="pf-c-form__group pf-m-action">
+                            <div class="pf-c-form__actions">
+                                <input class="pf-c-button pf-m-danger" type="submit" value="{% trans 'Disable' %}" />
+                                <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Back" %}</a>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+{% endblock %}

passbook/admin/templates/administration/user/list.html

@@ -54,7 +54,11 @@
                     </td>
                     <td>
                         <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:user-update' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
-                        <a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:user-delete' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                        {% if user.is_active %}
+                        <a class="pf-c-button pf-m-warning" href="{% url 'passbook_admin:user-disable' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Disable' %}</a>
+                        {% else %}
+                        <a class="pf-c-button pf-m-primary" href="{% url 'passbook_admin:user-enable' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Enable' %}</a>
+                        {% endif %}
                         <a class="pf-c-button pf-m-tertiary" href="{% url 'passbook_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
                         <a class="pf-c-button pf-m-tertiary" href="{% url 'passbook_core:impersonate-init' user_id=user.pk %}">{% trans 'Impersonate' %}</a>
                     </td>

passbook/admin/templates/generic/form.html

@@ -1,4 +1,4 @@
-{% extends "administration/base.html" %}
+{% extends container_template|default:"administration/base.html" %}
 
 {% load i18n %}
 {% load passbook_utils %}

passbook/admin/urls.py

@@ -17,6 +17,7 @@ from passbook.admin.views import (
     stages_bindings,
     stages_invitations,
     stages_prompts,
+    tasks,
     tokens,
     users,
 )
@@ -247,6 +248,10 @@ urlpatterns = [
     path("users/create/", users.UserCreateView.as_view(), name="user-create"),
     path("users/<int:pk>/update/", users.UserUpdateView.as_view(), name="user-update"),
     path("users/<int:pk>/delete/", users.UserDeleteView.as_view(), name="user-delete"),
+    path(
+        "users/<int:pk>/disable/", users.UserDisableView.as_view(), name="user-disable"
+    ),
+    path("users/<int:pk>/enable/", users.UserEnableView.as_view(), name="user-enable"),
     path(
         "users/<int:pk>/reset/",
         users.UserPasswordResetView.as_view(),
@@ -307,4 +312,10 @@ urlpatterns = [
         outposts.OutpostDeleteView.as_view(),
         name="outpost-delete",
     ),
+    # Tasks
+    path(
+        "tasks/",
+        tasks.TaskListView.as_view(),
+        name="tasks",
+    ),
 ]

passbook/admin/views/overview.py

@@ -5,9 +5,9 @@ from django.conf import settings
 from django.core.cache import cache
 from django.db.models import Count
 from django.db.models.fields.json import KeyTextTransform
-from django.shortcuts import redirect, reverse
 from django.views.generic import TemplateView
 from packaging.version import LegacyVersion, Version, parse
+from structlog import get_logger
 
 from passbook import __version__
 from passbook.admin.mixins import AdminRequiredMixin
@@ -16,6 +16,8 @@ from passbook.audit.models import Event, EventAction
 from passbook.core.models import Provider, User
 from passbook.policies.models import Policy
 
+LOGGER = get_logger()
+
 
 class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
     """Overview View"""
@@ -24,9 +26,14 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
 
     def post(self, *args, **kwargs):
         """Handle post (clear cache from modal)"""
-        if "clear" in self.request.POST:
-            cache.clear()
-            return redirect(reverse("passbook_flows:default-authentication"))
+        if "clear_policies" in self.request.POST:
+            keys = cache.keys("policy_*")
+            cache.delete_many(keys)
+            LOGGER.debug("Cleared Policy cache", keys=len(keys))
+        if "clear_flows" in self.request.POST:
+            keys = cache.keys("flow_*")
+            cache.delete_many(keys)
+            LOGGER.debug("Cleared flow cache", keys=len(keys))
         return self.get(*args, **kwargs)
 
     def get_latest_version(self) -> Union[LegacyVersion, Version]:

passbook/admin/views/tasks.py

@@ -0,0 +1,23 @@
+"""passbook Tasks List"""
+from typing import Any, Dict
+
+from django.views.generic.base import TemplateView
+
+from passbook.admin.mixins import AdminRequiredMixin
+from passbook.lib.tasks import TaskInfo, TaskResultStatus
+
+
+class TaskListView(AdminRequiredMixin, TemplateView):
+    """Show list of all background tasks"""
+
+    template_name = "administration/task/list.html"
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        kwargs["object_list"] = sorted(
+            TaskInfo.all().values(), key=lambda x: x.task_name
+        )
+        kwargs["task_successful"] = TaskResultStatus.SUCCESSFUL
+        kwargs["task_warning"] = TaskResultStatus.WARNING
+        kwargs["task_error"] = TaskResultStatus.ERROR
+        return kwargs

passbook/admin/views/users.py

@@ -6,6 +6,7 @@ from django.contrib.auth.mixins import (
 )
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import HttpRequest, HttpResponse
+from django.http.response import HttpResponseRedirect
 from django.shortcuts import redirect
 from django.urls import reverse, reverse_lazy
 from django.utils.http import urlencode
@@ -98,6 +99,53 @@ class UserDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageV
     success_message = _("Successfully deleted User")
 
 
+class UserDisableView(
+    LoginRequiredMixin, PermissionRequiredMixin, BackSuccessUrlMixin, DeleteMessageView
+):
+    """Disable user"""
+
+    object: User
+
+    model = User
+    permission_required = "passbook_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "administration/user/disable.html"
+    success_url = reverse_lazy("passbook_admin:users")
+    success_message = _("Successfully disabled User")
+
+    def delete(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        self.object: User = self.get_object()
+        success_url = self.get_success_url()
+        self.object.is_active = False
+        self.object.save()
+        return HttpResponseRedirect(success_url)
+
+
+class UserEnableView(
+    LoginRequiredMixin, PermissionRequiredMixin, BackSuccessUrlMixin, DetailView
+):
+    """Enable user"""
+
+    object: User
+
+    model = User
+    permission_required = "passbook_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    success_url = reverse_lazy("passbook_admin:users")
+    success_message = _("Successfully enabled User")
+
+    def get(self, request: HttpRequest, *args, **kwargs):
+        self.object: User = self.get_object()
+        success_url = self.get_success_url()
+        self.object.is_active = True
+        self.object.save()
+        return HttpResponseRedirect(success_url)
+
+
 class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
     """Get Password reset link for user"""
 
@@ -110,7 +158,7 @@ class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailV
         token, _ = Token.objects.get_or_create(
             identifier="password-reset-temp", user=self.object
         )
-        querystring = urlencode({"token": token.token_uuid})
+        querystring = urlencode({"token": token.key})
         link = request.build_absolute_uri(
             reverse("passbook_flows:default-recovery") + f"?{querystring}"
         )

passbook/api/auth.py

@@ -1,43 +1,57 @@
 """API Authentication"""
 from base64 import b64decode
-from typing import Any, Tuple, Union
+from typing import Any, Optional, Tuple, Union
 
-from django.utils.translation import gettext as _
-from rest_framework import HTTP_HEADER_ENCODING, exceptions
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.request import Request
+from structlog import get_logger
 
 from passbook.core.models import Token, TokenIntents, User
 
+LOGGER = get_logger()
+
+
+def token_from_header(raw_header: bytes) -> Optional[Token]:
+    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
+    auth_credentials = raw_header.decode()
+    # Accept headers with Type format and without
+    if " " in auth_credentials:
+        auth_type, auth_credentials = auth_credentials.split()
+        if auth_type.lower() != "basic":
+            LOGGER.debug(
+                "Unsupported authentication type, denying", type=auth_type.lower()
+            )
+            return None
+    try:
+        auth_credentials = b64decode(auth_credentials.encode()).decode()
+    except UnicodeDecodeError:
+        return None
+    # Accept credentials with username and without
+    if ":" in auth_credentials:
+        _, password = auth_credentials.split(":")
+    else:
+        password = auth_credentials
+    if password == "":
+        return None
+    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
+    if not tokens.exists():
+        LOGGER.debug("Token not found")
+        return None
+    return tokens.first()
+
 
 class PassbookTokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Basic authentication"""
 
     def authenticate(self, request: Request) -> Union[Tuple[User, Any], None]:
         """Token-based authentication using HTTP Basic authentication"""
-        auth = get_authorization_header(request).split()
+        auth = get_authorization_header(request)
 
-        if not auth or auth[0].lower() != b"basic":
+        token = token_from_header(auth)
+        if not token:
             return None
 
-        if len(auth) == 1:
-            msg = _("Invalid basic header. No credentials provided.")
-            raise exceptions.AuthenticationFailed(msg)
-        if len(auth) > 2:
-            msg = _(
-                "Invalid basic header. Credentials string should not contain spaces."
-            )
-            raise exceptions.AuthenticationFailed(msg)
-
-        header_data = b64decode(auth[1]).decode(HTTP_HEADER_ENCODING).partition(":")
-
-        tokens = Token.filter_not_expired(
-            token_uuid=header_data[2], intent=TokenIntents.INTENT_API
-        )
-        if not tokens.exists():
-            raise exceptions.AuthenticationFailed(_("Invalid token."))
-
-        return (tokens.first().user, None)
+        return (token.user, None)
 
     def authenticate_header(self, request: Request) -> str:
         return 'Basic realm="passbook"'

passbook/api/v2/messages.py

@@ -1,6 +1,6 @@
 """core messages API"""
 from django.contrib.messages import get_messages
-from drf_yasg.utils import swagger_auto_schema
+from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response

passbook/api/v2/urls.py

@@ -1,12 +1,13 @@
 """api v2 urls"""
 from django.urls import path, re_path
-from drf_yasg import openapi
-from drf_yasg.views import get_schema_view
+from drf_yasg2 import openapi
+from drf_yasg2.views import get_schema_view
 from rest_framework import routers
 from rest_framework.permissions import AllowAny
 
 from passbook.admin.api.overview import AdministrationOverviewViewSet
 from passbook.admin.api.overview_metrics import AdministrationMetricsViewSet
+from passbook.admin.api.tasks import TaskViewSet
 from passbook.api.v2.messages import MessagesViewSet
 from passbook.audit.api import EventViewSet
 from passbook.core.api.applications import ApplicationViewSet
@@ -57,6 +58,7 @@ router.register(
     "admin/overview", AdministrationOverviewViewSet, basename="admin_overview"
 )
 router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
+router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
@@ -66,6 +68,9 @@ router.register("core/tokens", TokenViewSet)
 router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/proxy", OutpostConfigViewSet)
 
+router.register("flows/instances", FlowViewSet)
+router.register("flows/bindings", FlowStageBindingViewSet)
+
 router.register("crypto/certificatekeypairs", CertificateKeyPairViewSet)
 
 router.register("audit/events", EventViewSet)
@@ -112,9 +117,6 @@ router.register("stages/user_login", UserLoginStageViewSet)
 router.register("stages/user_logout", UserLogoutStageViewSet)
 router.register("stages/user_write", UserWriteStageViewSet)
 
-router.register("flows/instances", FlowViewSet)
-router.register("flows/bindings", FlowStageBindingViewSet)
-
 router.register("stages/dummy", DummyStageViewSet)
 router.register("policies/dummy", DummyPolicyViewSet)
 

passbook/audit/api.py

@@ -15,7 +15,6 @@ class EventSerializer(ModelSerializer):
             "pk",
             "user",
             "action",
-            "date",
             "app",
             "context",
             "client_ip",

passbook/audit/migrations/0006_auto_20201017_2024.py

@@ -0,0 +1,42 @@
+# Generated by Django 3.1.2 on 2020-10-17 20:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_audit", "0005_auto_20201005_2139"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="event",
+            name="date",
+        ),
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("user_write", "User Write"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("token_view", "Token View"),
+                    ("invitation_created", "Invite Created"),
+                    ("invitation_used", "Invite Used"),
+                    ("authorize_application", "Authorize Application"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]

passbook/audit/models.py

@@ -100,6 +100,8 @@ class EventAction(models.TextChoices):
     SUSPICIOUS_REQUEST = "suspicious_request"
     PASSWORD_SET = "password_set"  # noqa # nosec
 
+    TOKEN_VIEW = "token_view"
+
     INVITE_CREATED = "invitation_created"
     INVITE_USED = "invitation_used"
 
@@ -122,7 +124,6 @@ class Event(models.Model):
     event_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
     user = models.JSONField(default=dict)
     action = models.TextField(choices=EventAction.choices)
-    date = models.DateTimeField(auto_now_add=True)
     app = models.TextField()
     context = models.JSONField(default=dict, blank=True)
     client_ip = models.GenericIPAddressField(null=True)

passbook/audit/templates/audit/list.html

@@ -17,6 +17,7 @@
         <div class="pf-c-card">
             <div class="pf-c-toolbar">
                 <div class="pf-c-toolbar__content">
+                    {% include 'partials/toolbar_search.html' %}
                     {% include 'partials/pagination.html' %}
                 </div>
             </div>

passbook/audit/views.py

@@ -3,12 +3,16 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.views.generic import ListView
 from guardian.mixins import PermissionListMixin
 
-from passbook.admin.views.utils import UserPaginateListMixin
+from passbook.admin.views.utils import SearchListMixin, UserPaginateListMixin
 from passbook.audit.models import Event
 
 
 class EventListView(
-    PermissionListMixin, LoginRequiredMixin, UserPaginateListMixin, ListView
+    PermissionListMixin,
+    LoginRequiredMixin,
+    SearchListMixin,
+    UserPaginateListMixin,
+    ListView,
 ):
     """Show list of all invitations"""
 
@@ -16,3 +20,11 @@ class EventListView(
     template_name = "audit/list.html"
     permission_required = "passbook_audit.view_event"
     ordering = "-created"
+
+    search_fields = [
+        "user",
+        "action",
+        "app",
+        "context",
+        "client_ip",
+    ]

passbook/core/api/tokens.py

@@ -1,7 +1,12 @@
 """Tokens API Viewset"""
+from django.http.response import Http404
+from rest_framework.decorators import action
+from rest_framework.request import Request
+from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from passbook.audit.models import Event, EventAction
 from passbook.core.models import Token
 
 
@@ -17,6 +22,16 @@ class TokenSerializer(ModelSerializer):
 class TokenViewSet(ModelViewSet):
     """Token Viewset"""
 
-    queryset = Token.objects.all()
     lookup_field = "identifier"
+    queryset = Token.filter_not_expired()
     serializer_class = TokenSerializer
+
+    @action(detail=True)
+    def view_key(self, request: Request, identifier: str) -> Response:
+        """Return token key and log access"""
+        tokens = Token.filter_not_expired(identifier=identifier)
+        if not tokens.exists():
+            raise Http404
+        token = tokens.first()
+        Event.new(EventAction.TOKEN_VIEW, token=token).from_http(request)
+        return Response({"key": token.key})

passbook/core/channels.py

@@ -1,9 +1,9 @@
 """Channels base classes"""
 from channels.generic.websocket import JsonWebsocketConsumer
-from django.core.exceptions import ValidationError
 from structlog import get_logger
 
-from passbook.core.models import Token, TokenIntents, User
+from passbook.api.auth import token_from_header
+from passbook.core.models import User
 
 LOGGER = get_logger()
 
@@ -18,20 +18,15 @@ class AuthJsonConsumer(JsonWebsocketConsumer):
         if b"authorization" not in headers:
             LOGGER.warning("WS Request without authorization header")
             self.close()
+            return False
 
-        token = headers[b"authorization"]
-        try:
-            token_uuid = token.decode("utf-8")
-            tokens = Token.filter_not_expired(
-                token_uuid=token_uuid, intent=TokenIntents.INTENT_API
-            )
-            if not tokens.exists():
-                LOGGER.warning("WS Request with invalid token")
-                self.close()
-                return False
-        except ValidationError:
-            LOGGER.warning("WS Invalid UUID")
+        raw_header = headers[b"authorization"]
+
+        token = token_from_header(raw_header)
+        if not token:
+            LOGGER.warning("Failed to authenticate")
             self.close()
             return False
-        self.user = tokens.first().user
+
+        self.user = token.user
         return True

passbook/core/forms/token.py

@@ -0,0 +1,22 @@
+"""Core user token form"""
+from django import forms
+
+from passbook.core.models import Token
+
+
+class UserTokenForm(forms.ModelForm):
+    """Token form, for tokens created by endusers"""
+
+    class Meta:
+
+        model = Token
+        fields = [
+            "identifier",
+            "expires",
+            "expiring",
+            "description",
+        ]
+        widgets = {
+            "identifier": forms.TextInput(),
+            "description": forms.TextInput(),
+        }

passbook/core/migrations/0014_auto_20201018_1158.py

@@ -0,0 +1,50 @@
+# Generated by Django 3.1.2 on 2020-10-18 11:58
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+import passbook.core.models
+
+
+def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    Token = apps.get_model("passbook_core", "Token")
+
+    for token in Token.objects.using(db_alias).all():
+        token.key = token.pk.hex
+        token.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0013_auto_20201003_2132"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="token",
+            name="key",
+            field=models.TextField(default=passbook.core.models.default_token_key),
+        ),
+        migrations.AlterUniqueTogether(
+            name="token",
+            unique_together=set(),
+        ),
+        migrations.AlterField(
+            model_name="token",
+            name="identifier",
+            field=models.SlugField(max_length=255),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(fields=["key"], name="passbook_co_key_e45007_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(
+                fields=["identifier"], name="passbook_co_identif_1a34a8_idx"
+            ),
+        ),
+        migrations.RunPython(set_default_token_key),
+    ]

passbook/core/models.py

@@ -32,6 +32,11 @@ def default_token_duration():
     return now() + timedelta(minutes=30)
 
 
+def default_token_key():
+    """Default token key"""
+    return uuid4().hex
+
+
 class Group(models.Model):
     """Custom Group model which supports a basic hierarchy"""
 
@@ -274,10 +279,8 @@ class ExpiringModel(models.Model):
     def filter_not_expired(cls, **kwargs) -> QuerySet:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        query = Q(**kwargs)
-        query_not_expired_yet = Q(expires__lt=now(), expiring=True)
-        query_not_expiring = Q(expiring=False)
-        return cls.objects.filter(query & (query_not_expired_yet | query_not_expiring))
+        expired = Q(expires__lt=now(), expiring=True)
+        return cls.objects.exclude(expired).filter(**kwargs)
 
     @property
     def is_expired(self) -> bool:
@@ -298,6 +301,7 @@ class TokenIntents(models.TextChoices):
     # Allow access to API
     INTENT_API = "api"
 
+    # Recovery use for the recovery app
     INTENT_RECOVERY = "recovery"
 
 
@@ -305,7 +309,8 @@ class Token(ExpiringModel):
     """Token used to authenticate the User for API Access or confirm another Stage like Email."""
 
     token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    identifier = models.TextField()
+    identifier = models.SlugField(max_length=255)
+    key = models.TextField(default=default_token_key)
     intent = models.TextField(
         choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
     )
@@ -313,13 +318,19 @@ class Token(ExpiringModel):
     description = models.TextField(default="", blank=True)
 
     def __str__(self):
-        return f"Token {self.identifier} (expires={self.expires})"
+        description = f"{self.identifier}"
+        if self.expiring:
+            description += f" (expires={self.expires})"
+        return description
 
     class Meta:
 
         verbose_name = _("Token")
         verbose_name_plural = _("Tokens")
-        unique_together = (("identifier", "user"),)
+        indexes = [
+            models.Index(fields=["identifier"]),
+            models.Index(fields=["key"]),
+        ]
 
 
 class PropertyMapping(models.Model):

passbook/core/tasks.py

@@ -1,16 +1,26 @@
 """passbook core tasks"""
+from datetime import datetime
+from io import StringIO
+
+from boto3.exceptions import Boto3Error
+from botocore.exceptions import BotoCoreError, ClientError
+from dbbackup.db.exceptions import CommandConnectorError
+from django.contrib.humanize.templatetags.humanize import naturaltime
+from django.core import management
 from django.utils.timezone import now
 from structlog import get_logger
 
 from passbook.core.models import ExpiringModel
+from passbook.lib.tasks import MonitoredTask, TaskResult, TaskResultStatus
 from passbook.root.celery import CELERY_APP
 
 LOGGER = get_logger()
 
 
-@CELERY_APP.task()
-def clean_expired_models():
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def clean_expired_models(self: MonitoredTask):
     """Remove expired objects"""
+    messages = []
     for cls in ExpiringModel.__subclasses__():
         cls: ExpiringModel
         amount, _ = (
@@ -20,3 +30,33 @@ def clean_expired_models():
             .delete()
         )
         LOGGER.debug("Deleted expired models", model=cls, amount=amount)
+        messages.append(f"Deleted {amount} expired {cls._meta.verbose_name_plural}")
+    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))
+
+
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def backup_database(self: MonitoredTask):  # pragma: no cover
+    """Database backup"""
+    try:
+        start = datetime.now()
+        out = StringIO()
+        management.call_command("dbbackup", quiet=True, stdout=out)
+        self.set_status(
+            TaskResult(
+                TaskResultStatus.SUCCESSFUL,
+                [
+                    f"Successfully finished database backup {naturaltime(start)}",
+                    out.getvalue(),
+                ],
+            )
+        )
+        LOGGER.info("Successfully backed up database.")
+    except (
+        IOError,
+        BotoCoreError,
+        ClientError,
+        Boto3Error,
+        PermissionError,
+        CommandConnectorError,
+    ) as exc:
+        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))

passbook/core/templates/base/page.html

@@ -7,7 +7,7 @@
 {% load passbook_utils %}
 
 {% block body %}
-{% include 'partials/messages.html' %}
+<pb-messages url="{% url 'passbook_api:messages-list' %}"></pb-messages>
 <div class="pf-c-page" id="page-default-nav-example">
     <a class="pf-c-skip-to-content pf-c-button pf-m-primary" href="#main-content">{% trans 'Skip to content' %}</a>
     <header role="banner" class="pf-c-page__header ws-page-header">
@@ -21,7 +21,7 @@
             </div>
             <a href="{% url 'passbook_core:overview' %}" class="pf-c-page__header-brand-link">
                 <div class="pf-c-brand pb-brand">
-                    <img src="{{ config.passbook.branding.logo }}" alt="passbook icon">
+                    <img src="{{ config.passbook.branding.logo }}" style="width: 100px;" alt="passbook icon">
                     {% if config.passbook.branding.title_show %}
                     <small><small>{{ config.passbook.branding.title }}</small></small>
                     {% endif %}
@@ -53,7 +53,7 @@
                     {{ user.username }}
                 </a>
             </div>
-            <img class="pf-c-avatar" src="{% gravatar user.email %}" alt="">
+            <img class="pf-c-avatar" src="{% avatar user %}" alt="">
         </div>
     </header>
     {% block page_content %}

passbook/core/templates/generic/delete.html

@@ -1,4 +1,4 @@
-{% extends "administration/base.html" %}
+{% extends container_template|default:"administration/base.html" %}
 
 {% load i18n %}
 {% load passbook_utils %}

passbook/core/templates/login/base.html

@@ -1,7 +1,7 @@
 {% load static %}
 {% load i18n %}
 
-{% include 'partials/messages.html' %}
+<pb-messages url="{% url 'passbook_api:messages-list' %}"></pb-messages>
 
 <header class="pf-c-login__main-header">
     <h1 class="pf-c-title pf-m-3xl">

passbook/core/templates/login/base_full.html

@@ -18,7 +18,7 @@
         </filter>
     </svg>
 </div>
-{% include 'partials/messages.html' %}
+<pb-messages url="{% url 'passbook_api:messages-list' %}"></pb-messages>
 <div class="pf-c-login">
     <div class="pf-c-login__container">
         <header class="pf-c-login__header">

passbook/core/templates/login/form_with_user.html

@@ -7,7 +7,7 @@
 <div class="pf-c-form__group">
     <div class="form-control-static">
         <div class="left">
-            <img class="pf-c-avatar" src="{% gravatar user.email %}" alt="">
+            <img class="pf-c-avatar" src="{% avatar user %}" alt="">
             {{ user.username }}
         </div>
         <div class="right">

passbook/core/templates/partials/messages.html

@@ -1,22 +0,0 @@
-<ul class="pf-c-alert-group pf-m-toast">
-    {% for msg in messages %}
-    <li class="pf-c-alert-group__item">
-        <div class="pf-c-alert pf-m-{{ msg.level_tag }} {% if msg.level_tag == 'error' %}pf-m-danger{% endif %}">
-            <div class="pf-c-alert__icon">
-                {% if msg.level_tag == 'error' %}
-                <i class="fas fa-exclamation-circle"></i>
-                {% elif msg.level_tag == 'warning' %}
-                <i class="fas fa-exclamation-triangle"></i>
-                {% elif msg.level_tag == 'success' %}
-                <i class="fas fa-check-circle"></i>
-                {% elif msg.level_tag == 'info' %}
-                <i class="fas fa-info"></i>
-                {% endif %}
-            </div>
-            <h4 class="pf-c-alert__title">
-                {{ msg.message|safe }}
-            </h4>
-        </div>
-    </li>
-    {% endfor %}
-</ul>

passbook/core/templates/user/base.html

@@ -16,6 +16,10 @@
                         <a href="{% url 'passbook_core:user-settings' %}"
                             class="pf-c-nav__link {% is_active 'passbook_core:user-settings' %}">{% trans 'User Details' %}</a>
                     </li>
+                    <li class="pf-c-nav__item">
+                        <a href="{% url 'passbook_core:user-tokens' %}"
+                            class="pf-c-nav__link {% is_active 'passbook_core:user-tokens' 'passbook_core:user-tokens-create' 'passbook_core:user-tokens-update' 'passbook_core:user-tokens-delete' %}">{% trans 'Tokens' %}</a>
+                    </li>
                 </ul>
             </section>
             {% user_stages as user_stages_loc %}
@@ -53,6 +57,7 @@
     </div>
 </div>
 <main role="main" class="pf-c-page__main" tabindex="-1" id="main-content">
+    {% block content %}
     <section class="pf-c-page__main-section">
         <div class="pf-u-display-flex pf-u-justify-content-center">
             <div class="pf-u-w-75">
@@ -61,5 +66,6 @@
             </div>
         </div>
     </section>
+    {% endblock %}
 </main>
 {% endblock %}

passbook/core/templates/user/token_list.html

@@ -0,0 +1,91 @@
+{% extends "user/base.html" %}
+
+{% load i18n %}
+{% load passbook_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-users"></i>
+            {% trans 'Tokens' %}
+        </h1>
+        <p>{% trans "Tokens can be used to access passbook's API." %}
+        </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <a href="{% url 'passbook_core:user-tokens-create' %}?back={{ request.get_full_path }}"  class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Expires?' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Expiry Date' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Description' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for token in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>{{ token.identifier }}</div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ token.expiring|yesno:"Yes,No" }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {% if not token.expiring %}
+                            -
+                            {% else %}
+                            {{ token.expires }}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ token.description }}
+                        </span>
+                    </td>
+                    <td>
+                        <a class="pf-c-button pf-m-secondary" href="{% url 'passbook_core:user-tokens-update' identifier=token.identifier %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
+                        <a class="pf-c-button pf-m-danger" href="{% url 'passbook_core:user-tokens-delete' identifier=token.identifier %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Tokens.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                    {% trans 'Currently no tokens exist. Click the button below to create one.' %}
+                </div>
+                <a href="{% url 'passbook_core:user-tokens-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

passbook/core/tests/test_tasks.py

@@ -14,5 +14,5 @@ class TestTasks(TestCase):
         """Test Token cleanup task"""
         Token.objects.create(expires=now(), user=get_anonymous_user())
         self.assertEqual(Token.objects.all().count(), 1)
-        clean_expired_models()
+        clean_expired_models.delay().get()
         self.assertEqual(Token.objects.all().count(), 0)

passbook/core/urls.py

@@ -6,6 +6,22 @@ from passbook.core.views import impersonate, overview, user
 urlpatterns = [
     # User views
     path("-/user/", user.UserSettingsView.as_view(), name="user-settings"),
+    path("-/user/tokens/", user.TokenListView.as_view(), name="user-tokens"),
+    path(
+        "-/user/tokens/create/",
+        user.TokenCreateView.as_view(),
+        name="user-tokens-create",
+    ),
+    path(
+        "-/user/tokens/<slug:identifier>/update/",
+        user.TokenUpdateView.as_view(),
+        name="user-tokens-update",
+    ),
+    path(
+        "-/user/tokens/<slug:identifier>/delete/",
+        user.TokenDeleteView.as_view(),
+        name="user-tokens-delete",
+    ),
     # Overview
     path("", overview.OverviewView.as_view(), name="overview"),
     # Impersonation

passbook/core/views/user.py

@@ -2,13 +2,28 @@
 from typing import Any, Dict
 
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
 from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models.query import QuerySet
+from django.http.response import HttpResponse
 from django.urls import reverse_lazy
 from django.utils.translation import gettext as _
-from django.views.generic import UpdateView
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+from guardian.shortcuts import get_objects_for_user
 
+from passbook.admin.views.utils import (
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from passbook.core.forms.token import UserTokenForm
 from passbook.core.forms.users import UserDetailForm
+from passbook.core.models import Token, TokenIntents
 from passbook.flows.models import Flow, FlowDesignation
+from passbook.lib.views import CreateAssignPermView
 
 
 class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
@@ -30,3 +45,93 @@ class UserSettingsView(SuccessMessageMixin, LoginRequiredMixin, UpdateView):
         )
         kwargs["unenrollment_enabled"] = bool(unenrollment_flow)
         return kwargs
+
+
+class TokenListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all tokens"""
+
+    model = Token
+    ordering = "expires"
+    permission_required = "passbook_core.view_token"
+
+    template_name = "user/token_list.html"
+    search_fields = [
+        "identifier",
+        "intent",
+        "description",
+    ]
+
+    def get_queryset(self) -> QuerySet:
+        return super().get_queryset().filter(intent=TokenIntents.INTENT_API)
+
+
+class TokenCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Token"""
+
+    model = Token
+    form_class = UserTokenForm
+    permission_required = "passbook_core.add_token"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("passbook_core:user-tokens")
+    success_message = _("Successfully created Token")
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        kwargs["container_template"] = "user/base.html"
+        return kwargs
+
+    def form_valid(self, form: UserTokenForm) -> HttpResponse:
+        form.instance.user = self.request.user
+        form.instance.intent = TokenIntents.INTENT_API
+        return super().form_valid(form)
+
+
+class TokenUpdateView(
+    SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
+):
+    """Update token"""
+
+    model = Token
+    form_class = UserTokenForm
+    permission_required = "passbook_core.update_token"
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("passbook_core:user-tokens")
+    success_message = _("Successfully updated Token")
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        kwargs["container_template"] = "user/base.html"
+        return kwargs
+
+    def get_object(self) -> Token:
+        identifier = self.kwargs.get("identifier")
+        return get_objects_for_user(
+            self.request.user, "passbook_core.update_token", self.model
+        ).filter(intent=TokenIntents.INTENT_API, identifier=identifier)
+
+
+class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete token"""
+
+    model = Token
+    permission_required = "passbook_core.delete_token"
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("passbook_core:user-tokens")
+    success_message = _("Successfully deleted Token")
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        kwargs["container_template"] = "user/base.html"
+        return kwargs

passbook/flows/api.py

@@ -27,7 +27,15 @@ class FlowStageBindingSerializer(ModelSerializer):
     class Meta:
 
         model = FlowStageBinding
-        fields = ["pk", "target", "stage", "re_evaluate_policies", "order", "policies"]
+        fields = [
+            "pk",
+            "target",
+            "stage",
+            "evaluate_on_plan",
+            "re_evaluate_policies",
+            "order",
+            "policies",
+        ]
 
 
 class FlowStageBindingViewSet(ModelViewSet):