new release: 0.12.4-stable

e2e: add @retry decorator to make e2e tests more reliable
flows: revert evaluate_on_call rename for backwards compatibility
2026-05-11 17:36:35 +02:00 · 2020-10-20 22:31:31 +02:00 · 2020-10-20 18:51:17 +02:00 · 2020-10-20 15:41:50 +02:00 · 2020-10-20 15:14:41 +02:00 · 2020-10-20 15:06:36 +02:00
34 changed files with 208 additions and 62 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.12.3-stable
+current_version = 0.12.4-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/passbook:0.12.3-stable
+          -t beryju/passbook:0.12.4-stable
          -t beryju/passbook:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.12.3-stable
+        run: docker push beryju/passbook:0.12.4-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook:latest
  build-proxy:
@@ -48,11 +48,11 @@ jobs:
          cd proxy
          docker build \
          --no-cache \
-          -t beryju/passbook-proxy:0.12.3-stable \
+          -t beryju/passbook-proxy:0.12.4-stable \
          -t beryju/passbook-proxy:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-proxy:0.12.3-stable
+        run: docker push beryju/passbook-proxy:0.12.4-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-proxy:latest
  build-static:
@@ -77,11 +77,11 @@ jobs:
        run: docker build
          --no-cache
          --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.12.3-stable
+          -t beryju/passbook-static:0.12.4-stable
          -t beryju/passbook-static:latest
          -f static.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.12.3-stable
+        run: docker push beryju/passbook-static:0.12.4-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-static:latest
  test-release:
@@ -114,5 +114,5 @@ jobs:
          SENTRY_PROJECT: passbook
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 0.12.3-stable
+          tagName: 0.12.4-stable
          environment: beryjuorg-prod
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,7 +19,7 @@ services:
    networks:
      - internal
  server:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.12.3-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.12.4-stable}
    command: server
    environment:
      PASSBOOK_REDIS__HOST: redis
@@ -40,7 +40,7 @@ services:
    env_file:
      - .env
  worker:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.12.3-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.12.4-stable}
    command: worker
    networks:
      - internal
@@ -54,7 +54,7 @@ services:
    env_file:
      - .env
  static:
-    image: beryju/passbook-static:${PASSBOOK_TAG:-0.12.3-stable}
+    image: beryju/passbook-static:${PASSBOOK_TAG:-0.12.4-stable}
    networks:
      - internal
    labels:
--- a/docs/flow/examples/login-conditional-captcha.json
+++ b/docs/flow/examples/login-conditional-captcha.json
@@ -95,7 +95,8 @@
            },
            "model": "passbook_flows.flowstagebinding",
            "attrs": {
-                "re_evaluate_policies": false
+                "evaluate_on_plan": false,
+                "re_evaluate_policies": true
            }
        },
        {
--- a/docs/installation/docker-compose.md
+++ b/docs/installation/docker-compose.md
@@ -13,7 +13,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte

 To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`

-To optionally deploy a different version run `echo PASSBOOK_TAG=0.12.3-stable >> .env`
+To optionally deploy a different version run `echo PASSBOOK_TAG=0.12.4-stable >> .env`

 If this is a fresh passbook install run the following commands to generate a password:

--- a/docs/installation/kubernetes.md
+++ b/docs/installation/kubernetes.md
@@ -11,7 +11,7 @@ This installation automatically applies database migrations on startup. After th
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.12.3-stable
+  tag: 0.12.4-stable

 nameOverride: ""

--- a/docs/policies/expression.md
+++ b/docs/policies/expression.md
@@ -26,7 +26,11 @@ return False
    - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
    - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
 - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses)
+- `pb_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses), for example
+
+    ```python
+    return pb_client_ip in ip_network('10.0.0.0/24')
+    ```

 Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.

--- a/e2e/test_flows_enroll.py
+++ b/e2e/test_flows_enroll.py
@@ -8,7 +8,7 @@ from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.flows.models import Flow, FlowDesignation, FlowStageBinding
 from passbook.stages.email.models import EmailStage, EmailTemplates
 from passbook.stages.identification.models import IdentificationStage
@@ -34,6 +34,7 @@ class TestFlowsEnroll(SeleniumTestCase):
            ),
        }

+    @retry()
    def test_enroll_2_step(self):
        """Test 2-step enroll flow"""
        # First stage fields
@@ -119,6 +120,7 @@ class TestFlowsEnroll(SeleniumTestCase):
            "foo@bar.baz",
        )

+    @retry()
    @override_settings(EMAIL_BACKEND="django.core.mail.backends.smtp.EmailBackend")
    def test_enroll_email(self):
        """Test enroll with Email verification"""
--- a/e2e/test_flows_login.py
+++ b/e2e/test_flows_login.py
@@ -5,13 +5,14 @@ from unittest.case import skipUnless
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry


@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestFlowsLogin(SeleniumTestCase):
    """test default login flow"""

+    @retry()
    def test_login(self):
        """test default login flow"""
        self.driver.get(f"{self.live_server_url}/flows/default-authentication-flow/")
--- a/e2e/test_flows_otp.py
+++ b/e2e/test_flows_otp.py
@@ -12,7 +12,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.flows.models import Flow, FlowStageBinding
 from passbook.stages.otp_validate.models import OTPValidateStage

@@ -21,6 +21,7 @@ from passbook.stages.otp_validate.models import OTPValidateStage
 class TestFlowsOTP(SeleniumTestCase):
    """test flow with otp stages"""

+    @retry()
    def test_otp_validate(self):
        """test flow with otp stages"""
        sleep(1)
@@ -52,6 +53,7 @@ class TestFlowsOTP(SeleniumTestCase):
            USER().username,
        )

+    @retry()
    def test_otp_totp_setup(self):
        """test TOTP Setup stage"""
        flow: Flow = Flow.objects.get(slug="default-authentication-flow")
@@ -98,6 +100,7 @@ class TestFlowsOTP(SeleniumTestCase):

        self.assertTrue(TOTPDevice.objects.filter(user=USER(), confirmed=True).exists())

+    @retry()
    def test_otp_static_setup(self):
        """test Static OTP Setup stage"""
        flow: Flow = Flow.objects.get(slug="default-authentication-flow")
--- a/e2e/test_flows_stage_setup.py
+++ b/e2e/test_flows_stage_setup.py
@@ -5,7 +5,7 @@ from unittest.case import skipUnless
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import User
 from passbook.flows.models import Flow, FlowDesignation
 from passbook.providers.oauth2.generators import generate_client_secret
@@ -16,6 +16,7 @@ from passbook.stages.password.models import PasswordStage
 class TestFlowsStageSetup(SeleniumTestCase):
    """test stage setup flows"""

+    @retry()
    def test_password_change(self):
        """test password change flow"""
        # Ensure that password stage has change_flow set
--- a/e2e/test_provider_oauth2_github.py
+++ b/e2e/test_provider_oauth2_github.py
@@ -9,7 +9,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.flows.models import Flow
 from passbook.policies.expression.models import ExpressionPolicy
@@ -61,6 +61,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            },
        }

+    @retry()
    def test_authorization_consent_implied(self):
        """test OAuth Provider flow (default authorization flow with implied consent)"""
        # Bootstrap all needed objects
@@ -115,6 +116,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            USER().username,
        )

+    @retry()
    def test_authorization_consent_explicit(self):
        """test OAuth Provider flow (default authorization flow with explicit consent)"""
        # Bootstrap all needed objects
@@ -184,6 +186,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            USER().username,
        )

+    @retry()
    def test_denied(self):
        """test OAuth Provider flow (default authorization flow, denied)"""
        # Bootstrap all needed objects
--- a/e2e/test_provider_oauth2_grafana.py
+++ b/e2e/test_provider_oauth2_grafana.py
@@ -10,7 +10,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -80,6 +80,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            },
        }

+    @retry()
    def test_redirect_uri_error(self):
        """test OpenID Provider flow (invalid redirect URI, check error message)"""
        sleep(1)
@@ -122,6 +123,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            "Redirect URI Error",
        )

+    @retry()
    def test_authorization_consent_implied(self):
        """test OpenID Provider flow (default authorization flow with implied consent)"""
        sleep(1)
@@ -183,6 +185,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            USER().email,
        )

+    @retry()
    def test_authorization_logout(self):
        """test OpenID Provider flow with logout"""
        sleep(1)
@@ -252,6 +255,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
        )
        self.driver.find_element(By.ID, "logout").click()

+    @retry()
    def test_authorization_consent_explicit(self):
        """test OpenID Provider flow (default authorization flow with explicit consent)"""
        sleep(1)
@@ -325,6 +329,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            USER().email,
        )

+    @retry()
    def test_authorization_denied(self):
        """test OpenID Provider flow (default authorization with access deny)"""
        sleep(1)
--- a/e2e/test_provider_oauth2_oidc.py
+++ b/e2e/test_provider_oauth2_oidc.py
@@ -12,7 +12,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -76,6 +76,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            LOGGER.info("Container failed healthcheck")
            sleep(1)

+    @retry()
    def test_redirect_uri_error(self):
        """test OpenID Provider flow (invalid redirect URI, check error message)"""
        sleep(1)
@@ -119,6 +120,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            "Redirect URI Error",
        )

+    @retry()
    def test_authorization_consent_implied(self):
        """test OpenID Provider flow (default authorization flow with implied consent)"""
        sleep(1)
@@ -169,6 +171,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
        self.assertEqual(body["UserInfo"]["email"], USER().email)

+    @retry()
    def test_authorization_consent_explicit(self):
        """test OpenID Provider flow (default authorization flow with explicit consent)"""
        sleep(1)
@@ -229,6 +232,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
        self.assertEqual(body["UserInfo"]["email"], USER().email)

+    @retry()
    def test_authorization_denied(self):
        """test OpenID Provider flow (default authorization with access deny)"""
        sleep(1)
--- a/e2e/test_provider_proxy.py
+++ b/e2e/test_provider_proxy.py
@@ -11,7 +11,7 @@ from docker.models.containers import Container
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook import __version__
 from passbook.core.models import Application
 from passbook.flows.models import Flow
@@ -57,6 +57,7 @@ class TestProviderProxy(SeleniumTestCase):
        )
        return container

+    @retry()
    def test_proxy_simple(self):
        """Test simple outpost setup with single provider"""
        proxy: ProxyProvider = ProxyProvider.objects.create(
@@ -110,6 +111,7 @@ class TestProviderProxy(SeleniumTestCase):
 class TestProviderProxyConnect(ChannelsLiveServerTestCase):
    """Test Proxy connectivity over websockets"""

+    @retry()
    def test_proxy_connectivity(self):
        """Test proxy connectivity over websocket"""
        SeleniumTestCase().apply_default_data()
--- a/e2e/test_provider_saml.py
+++ b/e2e/test_provider_saml.py
@@ -12,7 +12,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger

-from e2e.utils import USER, SeleniumTestCase
+from e2e.utils import USER, SeleniumTestCase, retry
 from passbook.core.models import Application
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
@@ -66,6 +66,7 @@ class TestProviderSAML(SeleniumTestCase):
            LOGGER.info("Container failed healthcheck")
            sleep(1)

+    @retry()
    def test_sp_initiated_implicit(self):
        """test SAML Provider flow SP-initiated flow (implicit consent)"""
        # Bootstrap all needed objects
@@ -105,6 +106,7 @@ class TestProviderSAML(SeleniumTestCase):
        self.assertEqual(body["attr"]["mail"], [USER().email])
        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

+    @retry()
    def test_sp_initiated_explicit(self):
        """test SAML Provider flow SP-initiated flow (explicit consent)"""
        # Bootstrap all needed objects
@@ -150,6 +152,7 @@ class TestProviderSAML(SeleniumTestCase):
        self.assertEqual(body["attr"]["mail"], [USER().email])
        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

+    @retry()
    def test_idp_initiated_implicit(self):
        """test SAML Provider flow IdP-initiated flow (implicit consent)"""
        # Bootstrap all needed objects
@@ -195,6 +198,7 @@ class TestProviderSAML(SeleniumTestCase):
        self.assertEqual(body["attr"]["mail"], [USER().email])
        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

+    @retry()
    def test_sp_initiated_denied(self):
        """test SAML Provider flow SP-initiated flow (Policy denies access)"""
        # Bootstrap all needed objects
--- a/e2e/test_source_oauth.py
+++ b/e2e/test_source_oauth.py
@@ -14,7 +14,7 @@ from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger
 from yaml import safe_dump

-from e2e.utils import SeleniumTestCase
+from e2e.utils import SeleniumTestCase, retry
 from passbook.flows.models import Flow
 from passbook.providers.oauth2.generators import (
    generate_client_id,
@@ -106,6 +106,7 @@ class TestSourceOAuth2(SeleniumTestCase):
            consumer_secret=self.client_secret,
        )

+    @retry()
    def test_oauth_enroll(self):
        """test OAuth Source With With OIDC"""
        self.create_objects()
@@ -159,6 +160,7 @@ class TestSourceOAuth2(SeleniumTestCase):
            "admin@example.com",
        )

+    @retry()
    @override_settings(SESSION_COOKIE_SAMESITE="strict")
    def test_oauth_samesite_strict(self):
        """test OAuth Source With SameSite set to strict
@@ -195,6 +197,7 @@ class TestSourceOAuth2(SeleniumTestCase):
            "Authentication Failed.",
        )

+    @retry()
    def test_oauth_enroll_auth(self):
        """test OAuth Source With With OIDC (enroll and authenticate again)"""
        self.test_oauth_enroll()
@@ -291,6 +294,7 @@ class TestSourceOAuth1(SeleniumTestCase):
            consumer_secret=self.client_secret,
        )

+    @retry()
    def test_oauth_enroll(self):
        """test OAuth Source With With OIDC"""
        self.create_objects()
--- a/e2e/test_source_saml.py
+++ b/e2e/test_source_saml.py
@@ -10,7 +10,7 @@ from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.support import expected_conditions as ec
 from structlog import get_logger

-from e2e.utils import SeleniumTestCase
+from e2e.utils import SeleniumTestCase, retry
 from passbook.crypto.models import CertificateKeyPair
 from passbook.flows.models import Flow
 from passbook.sources.saml.models import SAMLBindingTypes, SAMLSource
@@ -92,6 +92,7 @@ class TestSourceSAML(SeleniumTestCase):
            },
        }

+    @retry()
    def test_idp_redirect(self):
        """test SAML Source With redirect binding"""
        # Bootstrap all needed objects
@@ -141,6 +142,7 @@ class TestSourceSAML(SeleniumTestCase):
            self.driver.find_element(By.ID, "id_username").get_attribute("value"), ""
        )

+    @retry()
    def test_idp_post(self):
        """test SAML Source With post binding"""
        # Bootstrap all needed objects
@@ -192,6 +194,7 @@ class TestSourceSAML(SeleniumTestCase):
            self.driver.find_element(By.ID, "id_username").get_attribute("value"), ""
        )

+    @retry()
    def test_idp_post_auto(self):
        """test SAML Source With post binding (auto redirect)"""
        # Bootstrap all needed objects
--- a/e2e/utils.py
+++ b/e2e/utils.py
@@ -1,19 +1,22 @@
 """passbook e2e testing utilities"""
+from functools import wraps
 from glob import glob
 from importlib.util import module_from_spec, spec_from_file_location
 from inspect import getmembers, isfunction
 from os import environ, makedirs
 from time import sleep, time
-from typing import Any, Dict, Optional
+from typing import Any, Callable, Dict, Optional

 from django.apps import apps
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.db import connection, transaction
 from django.db.utils import IntegrityError
 from django.shortcuts import reverse
+from django.test.testcases import TestCase
 from docker import DockerClient, from_env
 from docker.models.containers import Container
 from selenium import webdriver
+from selenium.common.exceptions import TimeoutException
 from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.support.ui import WebDriverWait
@@ -123,3 +126,35 @@ class SeleniumTestCase(StaticLiveServerTestCase):
                            func(apps, schema_editor)
                        except IntegrityError:
                            pass
+
+
+def retry(max_retires=3, exceptions=None):
+    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
+
+    if not exceptions:
+        exceptions = [TimeoutException]
+
+    def retry_actual(func: Callable):
+        """Retry test multiple times"""
+        count = 1
+
+        @wraps(func)
+        def wrapper(self: TestCase, *args, **kwargs):
+            """Run test again if we're below max_retries, including tearDown and
+            setUp. Otherwise raise the error"""
+            nonlocal count
+            try:
+                return func(self, *args, **kwargs)
+            # pylint: disable=catching-non-exception
+            except tuple(exceptions) as exc:
+                count += 1
+                if count > max_retires:
+                    # pylint: disable=raising-non-exception
+                    raise exc
+                self.tearDown()
+                self.setUp()
+                return wrapper(self, *args, **kwargs)
+
+        return wrapper
+
+    return retry_actual
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "0.12.3-stable"
+appVersion: "0.12.4-stable"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.12.3-stable"
+version: "0.12.4-stable"
 icon: https://github.com/BeryJu/passbook/blob/master/docs/images/logo.svg
 dependencies:
  - name: postgresql
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -4,7 +4,7 @@
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.12.3-stable
+  tag: 0.12.4-stable

 nameOverride: ""

--- a/passbook/init.py
+++ b/passbook/init.py
@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.12.3-stable"
+__version__ = "0.12.4-stable"
--- a/passbook/flows/api.py
+++ b/passbook/flows/api.py
@@ -27,7 +27,15 @@ class FlowStageBindingSerializer(ModelSerializer):
    class Meta:

        model = FlowStageBinding
-        fields = ["pk", "target", "stage", "re_evaluate_policies", "order", "policies"]
+        fields = [
+            "pk",
+            "target",
+            "stage",
+            "evaluate_on_plan",
+            "re_evaluate_policies",
+            "order",
+            "policies",
+        ]


 class FlowStageBindingViewSet(ModelViewSet):
--- a/passbook/flows/forms.py
+++ b/passbook/flows/forms.py
@@ -50,12 +50,10 @@ class FlowStageBindingForm(forms.ModelForm):
        fields = [
            "target",
            "stage",
+            "evaluate_on_plan",
            "re_evaluate_policies",
            "order",
        ]
-        labels = {
-            "re_evaluate_policies": _("Re-evaluate Policies"),
-        }
        widgets = {
            "name": forms.TextInput(),
        }
--- a/passbook/flows/markers.py
+++ b/passbook/flows/markers.py
@@ -2,6 +2,7 @@
 from dataclasses import dataclass
 from typing import TYPE_CHECKING, Optional

+from django.http.request import HttpRequest
 from structlog import get_logger

 from passbook.core.models import User
@@ -20,7 +21,9 @@ class StageMarker:
    """Base stage marker class, no extra attributes, and has no special handler."""

    # pylint: disable=unused-argument
-    def process(self, plan: "FlowPlan", stage: Stage) -> Optional[Stage]:
+    def process(
+        self, plan: "FlowPlan", stage: Stage, http_request: Optional[HttpRequest]
+    ) -> Optional[Stage]:
        """Process callback for this marker. This should be overridden by sub-classes.
        If a stage should be removed, return None."""
        return stage
@@ -33,10 +36,14 @@ class ReevaluateMarker(StageMarker):
    binding: PolicyBinding
    user: User

-    def process(self, plan: "FlowPlan", stage: Stage) -> Optional[Stage]:
+    def process(
+        self, plan: "FlowPlan", stage: Stage, http_request: Optional[HttpRequest]
+    ) -> Optional[Stage]:
        """Re-evaluate policies bound to stage, and if they fail, remove from plan"""
        engine = PolicyEngine(self.binding, self.user)
        engine.use_cache = False
+        if http_request:
+            engine.request.http_request = http_request
        engine.request.context = plan.context
        engine.build()
        result = engine.result
--- a/passbook/flows/migrations/0015_flowstagebinding_evaluate_on_plan.py
+++ b/passbook/flows/migrations/0015_flowstagebinding_evaluate_on_plan.py
@@ -0,0 +1,29 @@
+# Generated by Django 3.1.2 on 2020-10-20 12:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_flows", "0014_auto_20200925_2332"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flowstagebinding",
+            name="re_evaluate_policies",
+            field=models.BooleanField(
+                default=False,
+                help_text="Evaluate policies when the Stage is present to the user.",
+            ),
+        ),
+        migrations.AddField(
+            model_name="flowstagebinding",
+            name="evaluate_on_plan",
+            field=models.BooleanField(
+                default=True,
+                help_text="Evaluate policies during the Flow planning process. Disable this for input-based policies.",
+            ),
+        ),
+    ]
--- a/passbook/flows/models.py
+++ b/passbook/flows/models.py
@@ -154,15 +154,19 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
    target = models.ForeignKey("Flow", on_delete=models.CASCADE)
    stage = InheritanceForeignKey(Stage, on_delete=models.CASCADE)

-    re_evaluate_policies = models.BooleanField(
-        default=False,
+    evaluate_on_plan = models.BooleanField(
+        default=True,
        help_text=_(
            (
-                "When this option is enabled, the planner will re-evaluate "
-                "policies bound to this binding."
+                "Evaluate policies during the Flow planning process. "
+                "Disable this for input-based policies."
            )
        ),
    )
+    re_evaluate_policies = models.BooleanField(
+        default=False,
+        help_text=_("Evaluate policies when the Stage is present to the user."),
+    )

    order = models.IntegerField()

--- a/passbook/flows/planner.py
+++ b/passbook/flows/planner.py
@@ -46,7 +46,7 @@ class FlowPlan:
        self.stages.append(stage)
        self.markers.append(marker or StageMarker())

-    def next(self) -> Optional[Stage]:
+    def next(self, http_request: Optional[HttpRequest]) -> Optional[Stage]:
        """Return next pending stage from the bottom of the list"""
        if not self.has_stages:
            return None
@@ -55,7 +55,7 @@ class FlowPlan:

        if marker.__class__ is not StageMarker:
            LOGGER.debug("f(plan_inst): stage has marker", stage=stage, marker=marker)
-        marked_stage = marker.process(self, stage)
+        marked_stage = marker.process(self, stage, http_request)
        if not marked_stage:
            LOGGER.debug("f(plan_inst): marker returned none, next stage", stage=stage)
            self.stages.remove(stage)
@@ -63,7 +63,7 @@ class FlowPlan:
            if not self.has_stages:
                return None
            # pylint: disable=not-callable
-            return self.next()
+            return self.next(http_request)
        return marked_stage

    def pop(self):
@@ -159,23 +159,41 @@ class FlowPlanner:
            for binding in FlowStageBinding.objects.filter(
                target__pk=self.flow.pk
            ).order_by("order"):
-                engine = PolicyEngine(binding, user, request)
-                engine.request.context = plan.context
-                engine.build()
-                if engine.passing:
+                binding: FlowStageBinding
+                stage = binding.stage
+                marker = StageMarker()
+                if binding.evaluate_on_plan:
                    LOGGER.debug(
-                        "f(plan): Stage passing", stage=binding.stage, flow=self.flow
+                        "f(plan): evaluating on plan",
+                        stage=binding.stage,
+                        flow=self.flow,
                    )
-                    plan.stages.append(binding.stage)
-                    marker = StageMarker()
-                    if binding.re_evaluate_policies:
+                    engine = PolicyEngine(binding, user, request)
+                    engine.request.context = plan.context
+                    engine.build()
+                    if engine.passing:
                        LOGGER.debug(
-                            "f(plan): Stage has re-evaluate marker",
+                            "f(plan): Stage passing",
                            stage=binding.stage,
                            flow=self.flow,
                        )
-                        marker = ReevaluateMarker(binding=binding, user=user)
-                    plan.markers.append(marker)
+                    else:
+                        stage = None
+                else:
+                    LOGGER.debug(
+                        "f(plan): not evaluating on plan",
+                        stage=binding.stage,
+                        flow=self.flow,
+                    )
+                if binding.re_evaluate_policies and stage:
+                    LOGGER.debug(
+                        "f(plan): Stage has re-evaluate marker",
+                        stage=binding.stage,
+                        flow=self.flow,
+                    )
+                    marker = ReevaluateMarker(binding=binding, user=user)
+                if stage:
+                    plan.append(stage, marker)
        LOGGER.debug(
            "f(plan): Finished building",
            flow=self.flow,
--- a/passbook/flows/views.py
+++ b/passbook/flows/views.py
@@ -86,7 +86,7 @@ class FlowExecutorView(View):
                return to_stage_response(self.request, self.handle_invalid_flow(exc))
        # We don't save the Plan after getting the next stage
        # as it hasn't been successfully passed yet
-        next_stage = self.plan.next()
+        next_stage = self.plan.next(self.request)
        if not next_stage:
            LOGGER.debug("f(exec): no more stages, flow is done.")
            return self._flow_done()
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -1,5 +1,5 @@
 """passbook expression policy evaluator"""
-from ipaddress import ip_address
+from ipaddress import ip_address, ip_network
 from typing import List

 from django.http import HttpRequest
@@ -22,6 +22,8 @@ class PolicyEvaluator(BaseEvaluator):
        super().__init__()
        self._messages = []
        self._context["pb_message"] = self.expr_func_message
+        self._context["ip_address"] = ip_address
+        self._context["ip_network"] = ip_network
        self._filename = policy_name or "PolicyEvaluator"

    def expr_func_message(self, message: str):
--- a/passbook/stages/password/stage.py
+++ b/passbook/stages/password/stage.py
@@ -1,7 +1,6 @@
 """passbook password stage"""
 from typing import Any, Dict, List, Optional

-from django.contrib import messages
 from django.contrib.auth import _clean_credentials
 from django.contrib.auth.backends import BaseBackend
 from django.contrib.auth.signals import user_login_failed
@@ -122,5 +121,4 @@ class PasswordStageView(FormView, StageView):
            self.executor.plan.context[
                PLAN_CONTEXT_AUTHENTICATION_BACKEND
            ] = user.backend
-            messages.success(self.request, _("Successfully logged in!"))
            return self.executor.stage_ok()
--- a/passbook/stages/user_login/stage.py
+++ b/passbook/stages/user_login/stage.py
@@ -39,4 +39,5 @@ class UserLoginStageView(StageView):
            flow_slug=self.executor.flow.slug,
            session_duration=self.executor.current_stage.session_duration,
        )
+        messages.success(self.request, _("Successfully logged in!"))
        return self.executor.stage_ok()
--- a/proxy/pkg/version.go
+++ b/proxy/pkg/version.go
@@ -1,3 +1,3 @@
 package pkg

-const VERSION = "0.12.3-stable"
+const VERSION = "0.12.4-stable"
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -833,6 +833,11 @@ paths:
          description: ''
          required: false
          type: string
+        - name: evaluate_on_plan
+          in: query
+          description: ''
+          required: false
+          type: string
        - name: re_evaluate_policies
          in: query
          description: ''
@@ -6337,10 +6342,14 @@ definitions:
        title: Stage
        type: string
        format: uuid
+      evaluate_on_plan:
+        title: Evaluate on plan
+        description: Evaluate policies during the Flow planning process. Disable this
+          for input-based policies.
+        type: boolean
      re_evaluate_policies:
        title: Re evaluate policies
-        description: When this option is enabled, the planner will re-evaluate policies
-          bound to this binding.
+        description: Evaluate policies when the Stage is present to the user.
        type: boolean
      order:
        title: Order
Author	SHA1	Message	Date
Jens Langhammer	b00573bde2	new release: 0.12.4-stable	2020-10-20 22:31:31 +02:00
Jens Langhammer	aeee3ad7f9	e2e: add @retry decorator to make e2e tests more reliable	2020-10-20 18:51:17 +02:00
Jens Langhammer	ef021495ef	flows: revert evaluate_on_call rename for backwards compatibility	2020-10-20 15:41:50 +02:00
Jens Langhammer	061eab4b36	docs: fix keys for example flows	2020-10-20 15:14:41 +02:00
Jens Langhammer	870e01f836	flows: rename re_evaluate_policies to evaluate_on_call, add evaluate_on_plan	2020-10-20 15:06:36 +02:00
Jens Langhammer	e2ca72adf0	stages/user_login: only show successful login message at login stage	2020-10-20 12:11:59 +02:00
Jens Langhammer	395ef43eae	policies/expression: fix ip_network not being imported by default	2020-10-20 12:05:56 +02:00