2018-12-13 17:02:08 +00:00
|
|
|
"""passbook multi-factor authentication engine"""
|
|
|
|
from logging import getLogger
|
|
|
|
|
2018-12-14 08:49:34 +00:00
|
|
|
from django.contrib.auth import login
|
2018-12-18 14:34:26 +00:00
|
|
|
from django.contrib.auth.mixins import UserPassesTestMixin
|
2018-12-13 17:02:08 +00:00
|
|
|
from django.shortcuts import get_object_or_404, redirect, reverse
|
2018-12-14 08:49:34 +00:00
|
|
|
from django.views.generic import View
|
2018-12-13 17:02:08 +00:00
|
|
|
|
2019-02-16 08:52:37 +00:00
|
|
|
from passbook.core.models import Factor, User
|
2018-12-14 14:18:02 +00:00
|
|
|
from passbook.core.views.utils import PermissionDeniedView
|
2018-12-14 08:49:34 +00:00
|
|
|
from passbook.lib.utils.reflection import class_to_path, path_to_class
|
2018-12-13 17:02:08 +00:00
|
|
|
|
|
|
|
LOGGER = getLogger(__name__)
|
|
|
|
|
2018-12-18 14:34:26 +00:00
|
|
|
|
2019-02-16 08:52:37 +00:00
|
|
|
class AuthenticationView(UserPassesTestMixin, View):
|
2018-12-13 17:02:08 +00:00
|
|
|
"""Wizard-like Multi-factor authenticator"""
|
|
|
|
|
|
|
|
SESSION_FACTOR = 'passbook_factor'
|
|
|
|
SESSION_PENDING_FACTORS = 'passbook_pending_factors'
|
|
|
|
SESSION_PENDING_USER = 'passbook_pending_user'
|
2018-12-14 08:49:34 +00:00
|
|
|
SESSION_USER_BACKEND = 'passbook_user_backend'
|
2018-12-13 17:02:08 +00:00
|
|
|
|
|
|
|
pending_user = None
|
|
|
|
pending_factors = []
|
|
|
|
|
|
|
|
_current_factor = None
|
|
|
|
|
2018-12-18 14:34:26 +00:00
|
|
|
# Allow only not authenticated users to login
|
|
|
|
def test_func(self):
|
|
|
|
return self.request.user.is_authenticated is False
|
|
|
|
|
|
|
|
def handle_no_permission(self):
|
2019-02-16 08:52:37 +00:00
|
|
|
# Function from UserPassesTestMixin
|
2018-12-18 14:34:26 +00:00
|
|
|
if 'next' in self.request.GET:
|
|
|
|
return redirect(self.request.GET.get('next'))
|
|
|
|
return redirect(reverse('passbook_core:overview'))
|
|
|
|
|
2018-12-13 17:02:08 +00:00
|
|
|
def dispatch(self, request, *args, **kwargs):
|
|
|
|
# Extract pending user from session (only remember uid)
|
2019-02-16 08:52:37 +00:00
|
|
|
if AuthenticationView.SESSION_PENDING_USER in request.session:
|
2018-12-13 17:02:08 +00:00
|
|
|
self.pending_user = get_object_or_404(
|
2019-02-16 08:52:37 +00:00
|
|
|
User, id=self.request.session[AuthenticationView.SESSION_PENDING_USER])
|
2018-12-13 17:02:08 +00:00
|
|
|
else:
|
2018-12-18 14:34:26 +00:00
|
|
|
# No Pending user, redirect to login screen
|
|
|
|
return redirect(reverse('passbook_core:auth-login'))
|
2018-12-13 17:02:08 +00:00
|
|
|
# Write pending factors to session
|
2019-02-16 08:52:37 +00:00
|
|
|
if AuthenticationView.SESSION_PENDING_FACTORS in request.session:
|
|
|
|
self.pending_factors = request.session[AuthenticationView.SESSION_PENDING_FACTORS]
|
2018-12-13 17:02:08 +00:00
|
|
|
else:
|
2019-02-16 08:52:37 +00:00
|
|
|
# Get an initial list of factors which are currently enabled
|
|
|
|
# and apply to the current user. We check rules here and block the request
|
|
|
|
_all_factors = Factor.objects.filter(enabled=True)
|
|
|
|
self.pending_factors = []
|
|
|
|
for factor in _all_factors:
|
|
|
|
if factor.passes(self.pending_user):
|
|
|
|
self.pending_factors.append(_all_factors)
|
|
|
|
# self.pending_factors = Factor
|
2018-12-14 08:49:34 +00:00
|
|
|
# Read and instantiate factor from session
|
|
|
|
factor_class = None
|
2019-02-16 08:52:37 +00:00
|
|
|
if AuthenticationView.SESSION_FACTOR not in request.session:
|
2018-12-14 08:49:34 +00:00
|
|
|
factor_class = self.pending_factors[0]
|
|
|
|
else:
|
2019-02-16 08:52:37 +00:00
|
|
|
factor_class = request.session[AuthenticationView.SESSION_FACTOR]
|
|
|
|
# Instantiate Next Factor and pass request
|
2018-12-14 08:49:34 +00:00
|
|
|
factor = path_to_class(factor_class)
|
2018-12-13 17:02:08 +00:00
|
|
|
self._current_factor = factor(self)
|
|
|
|
self._current_factor.request = request
|
|
|
|
return super().dispatch(request, *args, **kwargs)
|
|
|
|
|
|
|
|
def get(self, request, *args, **kwargs):
|
|
|
|
"""pass get request to current factor"""
|
2018-12-14 08:49:34 +00:00
|
|
|
LOGGER.debug("Passing GET to %s", class_to_path(self._current_factor.__class__))
|
2018-12-13 17:02:08 +00:00
|
|
|
return self._current_factor.get(request, *args, **kwargs)
|
|
|
|
|
|
|
|
def post(self, request, *args, **kwargs):
|
|
|
|
"""pass post request to current factor"""
|
2018-12-14 08:49:34 +00:00
|
|
|
LOGGER.debug("Passing POST to %s", class_to_path(self._current_factor.__class__))
|
2018-12-13 17:02:08 +00:00
|
|
|
return self._current_factor.post(request, *args, **kwargs)
|
|
|
|
|
|
|
|
def user_ok(self):
|
|
|
|
"""Redirect to next Factor"""
|
2018-12-14 08:49:34 +00:00
|
|
|
LOGGER.debug("Factor %s passed", class_to_path(self._current_factor.__class__))
|
|
|
|
# Remove passed factor from pending factors
|
|
|
|
if class_to_path(self._current_factor.__class__) in self.pending_factors:
|
|
|
|
self.pending_factors.remove(class_to_path(self._current_factor.__class__))
|
2018-12-13 17:02:08 +00:00
|
|
|
next_factor = None
|
|
|
|
if self.pending_factors:
|
|
|
|
next_factor = self.pending_factors.pop()
|
2019-02-16 08:52:37 +00:00
|
|
|
self.request.session[AuthenticationView.SESSION_PENDING_FACTORS] = \
|
2018-12-13 17:02:08 +00:00
|
|
|
self.pending_factors
|
2019-02-16 08:52:37 +00:00
|
|
|
self.request.session[AuthenticationView.SESSION_FACTOR] = next_factor
|
2018-12-14 08:49:34 +00:00
|
|
|
LOGGER.debug("Rendering Factor is %s", next_factor)
|
2019-02-16 08:52:37 +00:00
|
|
|
return redirect(reverse('passbook_core:auth-process', kwargs={'factor': next_factor}))
|
2018-12-13 17:02:08 +00:00
|
|
|
# User passed all factors
|
|
|
|
LOGGER.debug("User passed all factors, logging in")
|
2018-12-14 08:49:34 +00:00
|
|
|
return self._user_passed()
|
2018-12-13 17:02:08 +00:00
|
|
|
|
|
|
|
def user_invalid(self):
|
2018-12-18 14:34:26 +00:00
|
|
|
"""Show error message, user cannot login.
|
|
|
|
This should only be shown if user authenticated successfully, but is disabled/locked/etc"""
|
2018-12-13 17:02:08 +00:00
|
|
|
LOGGER.debug("User invalid")
|
2019-02-16 08:52:37 +00:00
|
|
|
return redirect(reverse('passbook_core:auth-denied'))
|
2018-12-14 08:49:34 +00:00
|
|
|
|
|
|
|
def _user_passed(self):
|
|
|
|
"""User Successfully passed all factors"""
|
|
|
|
# user = authenticate(request=self.request, )
|
2019-02-16 08:52:37 +00:00
|
|
|
backend = self.request.session[AuthenticationView.SESSION_USER_BACKEND]
|
2018-12-14 08:49:34 +00:00
|
|
|
login(self.request, self.pending_user, backend=backend)
|
|
|
|
LOGGER.debug("Logged in user %s", self.pending_user)
|
2018-12-18 14:34:26 +00:00
|
|
|
# Cleanup
|
|
|
|
self._cleanup()
|
2018-12-14 08:49:34 +00:00
|
|
|
return redirect(reverse('passbook_core:overview'))
|
2018-12-14 14:18:02 +00:00
|
|
|
|
2018-12-18 14:34:26 +00:00
|
|
|
def _cleanup(self):
|
|
|
|
"""Remove temporary data from session"""
|
|
|
|
session_keys = ['SESSION_FACTOR', 'SESSION_PENDING_FACTORS',
|
|
|
|
'SESSION_PENDING_USER', 'SESSION_USER_BACKEND', ]
|
|
|
|
for key in session_keys:
|
|
|
|
if key in self.request.session:
|
|
|
|
del self.request.session[key]
|
|
|
|
LOGGER.debug("Cleaned up sessions")
|
|
|
|
|
2018-12-14 14:18:02 +00:00
|
|
|
class MFAPermissionDeniedView(PermissionDeniedView):
|
|
|
|
"""User could not be authenticated"""
|