This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/core/models.py

310 lines
10 KiB
Python
Raw Normal View History

2018-11-11 12:41:48 +00:00
"""passbook core models"""
from datetime import timedelta
2018-12-09 20:20:34 +00:00
from random import SystemRandom
from time import sleep
from typing import Any, Optional
from uuid import uuid4
2018-11-11 12:41:48 +00:00
from django.contrib.auth.models import AbstractUser
2019-10-07 14:33:48 +00:00
from django.contrib.postgres.fields import JSONField
from django.core.exceptions import ValidationError
2018-11-11 12:41:48 +00:00
from django.db import models
from django.http import HttpRequest
from django.urls import reverse_lazy
from django.utils.timezone import now
from django.utils.translation import gettext_lazy as _
2020-02-14 14:17:40 +00:00
from django_prometheus.models import ExportModelOperationsMixin
from guardian.mixins import GuardianUserMixin
from jinja2 import Undefined
from jinja2.exceptions import TemplateSyntaxError, UndefinedError
from jinja2.nativetypes import NativeEnvironment
2018-11-16 08:10:35 +00:00
from model_utils.managers import InheritanceManager
2019-10-01 08:24:10 +00:00
from structlog import get_logger
2018-11-11 12:41:48 +00:00
from passbook.core.exceptions import PropertyMappingExpressionException
from passbook.core.signals import password_changed
2020-02-20 16:23:05 +00:00
from passbook.core.types import UILoginButton, UIUserSettings
2018-11-16 08:10:35 +00:00
from passbook.lib.models import CreatedUpdatedModel, UUIDModel
2019-10-07 14:33:48 +00:00
from passbook.policies.exceptions import PolicyException
from passbook.policies.types import PolicyRequest, PolicyResult
2018-11-11 12:41:48 +00:00
LOGGER = get_logger()
NATIVE_ENVIRONMENT = NativeEnvironment()
2018-11-11 12:41:48 +00:00
def default_nonce_duration():
"""Default duration a Nonce is valid"""
return now() + timedelta(hours=4)
2019-12-31 11:51:16 +00:00
2020-01-19 20:01:26 +00:00
class Group(ExportModelOperationsMixin("group"), UUIDModel):
"""Custom Group model which supports a basic hierarchy"""
2019-12-31 11:51:16 +00:00
name = models.CharField(_("name"), max_length=80)
parent = models.ForeignKey(
"Group",
blank=True,
null=True,
on_delete=models.SET_NULL,
related_name="children",
)
attributes = JSONField(default=dict, blank=True)
def __str__(self):
2019-10-07 14:33:48 +00:00
return f"Group {self.name}"
class Meta:
2019-12-31 11:51:16 +00:00
unique_together = (("name", "parent",),)
2020-01-19 20:01:26 +00:00
class User(ExportModelOperationsMixin("user"), GuardianUserMixin, AbstractUser):
2018-11-11 12:41:48 +00:00
"""Custom User model to allow easier adding o f user-based settings"""
uuid = models.UUIDField(default=uuid4, editable=False)
name = models.TextField(help_text=_("User's display name."))
2019-12-31 11:51:16 +00:00
sources = models.ManyToManyField("Source", through="UserSourceConnection")
groups = models.ManyToManyField("Group")
password_change_date = models.DateTimeField(auto_now_add=True)
attributes = JSONField(default=dict, blank=True)
def set_password(self, password):
if self.pk:
password_changed.send(sender=self, user=self, password=password)
self.password_change_date = now()
return super().set_password(password)
2018-11-16 10:41:14 +00:00
class Meta:
2019-12-31 11:51:16 +00:00
permissions = (("reset_user_password", "Reset Password"),)
2020-01-19 20:01:26 +00:00
class Provider(ExportModelOperationsMixin("provider"), models.Model):
"""Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
2018-11-16 10:41:14 +00:00
2019-12-31 11:51:16 +00:00
property_mappings = models.ManyToManyField(
"PropertyMapping", default=None, blank=True
)
2018-11-25 19:38:49 +00:00
objects = InheritanceManager()
2018-11-16 10:41:14 +00:00
# This class defines no field for easier inheritance
def __str__(self):
2019-12-31 11:51:16 +00:00
if hasattr(self, "name"):
return getattr(self, "name")
return super().__str__()
2018-11-11 12:41:48 +00:00
2019-02-16 09:24:31 +00:00
class PolicyModel(UUIDModel, CreatedUpdatedModel):
"""Base model which can have policies applied to it"""
2019-12-31 11:51:16 +00:00
policies = models.ManyToManyField("Policy", blank=True)
2020-01-19 20:01:26 +00:00
class Application(ExportModelOperationsMixin("application"), PolicyModel):
2018-11-11 12:41:48 +00:00
"""Every Application which uses passbook for authentication/identification/authorization
needs an Application record. Other authentication types can subclass this Model to
add custom fields and other properties"""
name = models.TextField(help_text=_("Application's display Name."))
slug = models.SlugField(help_text=_("Internal application name, used in URLs."))
skip_authorization = models.BooleanField(default=False)
2019-12-31 11:51:16 +00:00
provider = models.OneToOneField(
"Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
)
meta_launch_url = models.URLField(default="", blank=True)
meta_icon_url = models.TextField(default="", blank=True)
meta_description = models.TextField(default="", blank=True)
meta_publisher = models.TextField(default="", blank=True)
2018-11-11 12:41:48 +00:00
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
def get_provider(self) -> Optional[Provider]:
"""Get casted provider instance"""
if not self.provider:
return None
return Provider.objects.get_subclass(pk=self.provider.pk)
2018-11-11 12:41:48 +00:00
def __str__(self):
return self.name
2019-10-07 14:33:48 +00:00
2020-01-19 20:01:26 +00:00
class Source(ExportModelOperationsMixin("source"), PolicyModel):
2018-11-11 12:41:48 +00:00
"""Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
name = models.TextField(help_text=_("Source's display Name."))
slug = models.SlugField(help_text=_("Internal source name, used in URLs."))
2018-11-11 12:41:48 +00:00
enabled = models.BooleanField(default=True)
2019-12-31 11:51:16 +00:00
property_mappings = models.ManyToManyField(
"PropertyMapping", default=None, blank=True
)
2018-11-11 12:41:48 +00:00
2019-12-31 11:51:16 +00:00
form = "" # ModelForm-based class ued to create/edit instance
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
@property
def ui_login_button(self) -> Optional[UILoginButton]:
"""If source uses a http-based flow, return UI Information about the login
button. If source doesn't use http-based flow, return None."""
return None
@property
def ui_additional_info(self) -> Optional[str]:
"""Return additional Info, such as a callback URL. Show in the administration interface."""
return None
@property
def ui_user_settings(self) -> Optional[UIUserSettings]:
"""Entrypoint to integrate with User settings. Can either return None if no
user settings are available, or an instanace of UIUserSettings."""
return None
2019-03-13 15:49:30 +00:00
2018-11-11 12:41:48 +00:00
def __str__(self):
return self.name
2019-10-07 14:33:48 +00:00
2018-11-11 12:41:48 +00:00
class UserSourceConnection(CreatedUpdatedModel):
"""Connection between User and Source."""
user = models.ForeignKey(User, on_delete=models.CASCADE)
source = models.ForeignKey(Source, on_delete=models.CASCADE)
class Meta:
2019-12-31 11:51:16 +00:00
unique_together = (("user", "source"),)
2018-11-11 12:41:48 +00:00
2019-10-07 14:33:48 +00:00
2020-01-19 20:01:26 +00:00
class Policy(ExportModelOperationsMixin("policy"), UUIDModel, CreatedUpdatedModel):
2019-02-16 10:13:00 +00:00
"""Policies which specify if a user is authorized to use an Application. Can be overridden by
2018-11-11 12:41:48 +00:00
other types to add other fields, more logic, etc."""
name = models.TextField(blank=True, null=True)
negate = models.BooleanField(default=False)
2018-11-25 19:38:49 +00:00
order = models.IntegerField(default=0)
timeout = models.IntegerField(default=30)
2018-11-11 12:41:48 +00:00
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
2018-11-11 12:41:48 +00:00
def __str__(self):
return f"Policy {self.name}"
2018-11-11 12:41:48 +00:00
def passes(self, request: PolicyRequest) -> PolicyResult:
2019-02-16 09:24:31 +00:00
"""Check if user instance passes this policy"""
2019-10-02 20:28:39 +00:00
raise PolicyException()
2018-11-11 12:41:48 +00:00
2019-02-16 09:24:31 +00:00
class DebugPolicy(Policy):
"""Policy used for debugging the PolicyEngine. Returns a fixed result,
but takes a random time to process."""
result = models.BooleanField(default=False)
wait_min = models.IntegerField(default=5)
wait_max = models.IntegerField(default=30)
2019-12-31 11:51:16 +00:00
form = "passbook.core.forms.policies.DebugPolicyForm"
def passes(self, request: PolicyRequest) -> PolicyResult:
"""Wait random time then return result"""
2018-12-09 20:20:34 +00:00
wait = SystemRandom().randrange(self.wait_min, self.wait_max)
LOGGER.debug("Policy waiting", policy=self, delay=wait)
sleep(wait)
2019-12-31 11:51:16 +00:00
return PolicyResult(self.result, "Debugging")
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("Debug Policy")
verbose_name_plural = _("Debug Policies")
2018-12-10 12:48:22 +00:00
2020-01-19 20:01:26 +00:00
class Invitation(ExportModelOperationsMixin("invitation"), UUIDModel):
2018-12-10 13:21:42 +00:00
"""Single-use invitation link"""
2018-12-10 12:48:22 +00:00
2019-12-31 11:51:16 +00:00
created_by = models.ForeignKey("User", on_delete=models.CASCADE)
2018-12-10 12:48:22 +00:00
expires = models.DateTimeField(default=None, blank=True, null=True)
fixed_username = models.TextField(blank=True, default=None)
fixed_email = models.TextField(blank=True, default=None)
needs_confirmation = models.BooleanField(default=True)
2018-12-10 12:48:22 +00:00
2018-12-10 13:49:15 +00:00
@property
def link(self):
"""Get link to use invitation"""
2019-12-31 11:51:16 +00:00
return (
reverse_lazy("passbook_core:auth-sign-up") + f"?invitation={self.uuid.hex}"
)
2018-12-10 13:49:15 +00:00
2018-12-10 12:48:22 +00:00
def __str__(self):
2019-10-07 14:33:48 +00:00
return f"Invitation {self.uuid.hex} created by {self.created_by}"
2018-12-10 12:48:22 +00:00
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("Invitation")
verbose_name_plural = _("Invitations")
2020-01-19 20:01:26 +00:00
class Nonce(ExportModelOperationsMixin("nonce"), UUIDModel):
"""One-time link for password resets/sign-up-confirmations"""
expires = models.DateTimeField(default=default_nonce_duration)
2019-12-31 11:51:16 +00:00
user = models.ForeignKey("User", on_delete=models.CASCADE)
expiring = models.BooleanField(default=True)
2019-12-31 11:51:16 +00:00
description = models.TextField(default="", blank=True)
@property
def is_expired(self) -> bool:
"""Check if nonce is expired yet."""
return now() > self.expires
def __str__(self):
return f"Nonce f{self.uuid.hex} {self.description} (expires={self.expires})"
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("Nonce")
verbose_name_plural = _("Nonces")
class PropertyMapping(UUIDModel):
"""User-defined key -> x mapping which can be used by providers to expose extra data."""
name = models.TextField()
expression = models.TextField()
2019-12-31 11:51:16 +00:00
form = ""
objects = InheritanceManager()
def evaluate(
self, user: Optional[User], request: Optional[HttpRequest], **kwargs
) -> Any:
"""Evaluate `self.expression` using `**kwargs` as Context."""
try:
expression = NATIVE_ENVIRONMENT.from_string(self.expression)
except TemplateSyntaxError as exc:
raise PropertyMappingExpressionException from exc
try:
response = expression.render(user=user, request=request, **kwargs)
if isinstance(response, Undefined):
raise PropertyMappingExpressionException("Response was 'Undefined'")
return response
except UndefinedError as exc:
raise PropertyMappingExpressionException from exc
def save(self, *args, **kwargs):
try:
NATIVE_ENVIRONMENT.from_string(self.expression)
except TemplateSyntaxError as exc:
raise ValidationError("Expression Syntax Error") from exc
return super().save(*args, **kwargs)
def __str__(self):
2019-10-07 14:33:48 +00:00
return f"Property Mapping {self.name}"
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("Property Mapping")
verbose_name_plural = _("Property Mappings")