2018-11-25 19:39:09 +00:00
|
|
|
"""passbook access helper classes"""
|
2020-07-01 21:18:10 +00:00
|
|
|
from typing import Optional
|
|
|
|
|
|
2019-02-26 08:10:37 +00:00
|
|
|
from django.contrib import messages
|
2020-07-02 11:48:42 +00:00
|
|
|
from django.contrib.auth.mixins import AccessMixin
|
2020-07-12 20:47:46 +00:00
|
|
|
from django.contrib.auth.views import redirect_to_login
|
2020-07-02 11:48:42 +00:00
|
|
|
from django.http import HttpRequest, HttpResponse
|
2019-02-26 08:10:37 +00:00
|
|
|
from django.utils.translation import gettext as _
|
2019-10-01 08:24:10 +00:00
|
|
|
from structlog import get_logger
|
2018-12-09 20:07:38 +00:00
|
|
|
|
2019-10-04 14:09:35 +00:00
|
|
|
from passbook.core.models import Application, Provider, User
|
2020-09-15 07:53:59 +00:00
|
|
|
from passbook.flows.views import SESSION_KEY_APPLICATION_PRE
|
2019-10-07 14:33:48 +00:00
|
|
|
from passbook.policies.engine import PolicyEngine
|
2020-09-15 07:53:59 +00:00
|
|
|
from passbook.policies.http import AccessDeniedResponse
|
2020-05-28 19:45:54 +00:00
|
|
|
from passbook.policies.types import PolicyResult
|
2018-12-09 20:07:38 +00:00
|
|
|
|
2019-10-04 08:08:53 +00:00
|
|
|
LOGGER = get_logger()
|
2018-11-25 19:39:09 +00:00
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
|
2020-07-01 21:18:10 +00:00
|
|
|
class BaseMixin:
|
|
|
|
|
"""Base Mixin class, used to annotate View Member variables"""
|
|
|
|
|
|
|
|
|
|
request: HttpRequest
|
|
|
|
|
|
|
|
|
|
|
2020-07-02 11:48:42 +00:00
|
|
|
class PolicyAccessMixin(BaseMixin, AccessMixin):
|
2018-11-25 19:39:09 +00:00
|
|
|
"""Mixin class for usage in Authorization views.
|
|
|
|
|
Provider functions to check application access, etc"""
|
|
|
|
|
|
2020-07-12 20:47:46 +00:00
|
|
|
def handle_no_permission(self, application: Optional[Application] = None):
|
2020-09-15 07:53:59 +00:00
|
|
|
"""User has no access and is not authenticated, so we remember the application
|
|
|
|
|
they try to access and redirect to the login URL. The application is saved to show
|
|
|
|
|
a hint on the Identification Stage what the user should login for."""
|
2020-07-12 20:47:46 +00:00
|
|
|
if application:
|
|
|
|
|
self.request.session[SESSION_KEY_APPLICATION_PRE] = application
|
|
|
|
|
return redirect_to_login(
|
|
|
|
|
self.request.get_full_path(),
|
|
|
|
|
self.get_login_url(),
|
|
|
|
|
self.get_redirect_field_name(),
|
|
|
|
|
)
|
|
|
|
|
|
2020-09-14 19:51:59 +00:00
|
|
|
def handle_no_permission_authenticated(
|
|
|
|
|
self, result: Optional[PolicyResult] = None
|
|
|
|
|
) -> HttpResponse:
|
|
|
|
|
"""Function called when user has no permissions but is authenticated"""
|
2020-09-15 07:53:59 +00:00
|
|
|
response = AccessDeniedResponse(self.request)
|
2020-09-14 19:51:59 +00:00
|
|
|
if result:
|
2020-09-15 07:53:59 +00:00
|
|
|
response.policy_result = result
|
|
|
|
|
return response
|
2020-07-02 11:48:42 +00:00
|
|
|
|
2019-10-04 14:09:35 +00:00
|
|
|
def provider_to_application(self, provider: Provider) -> Application:
|
2018-11-25 19:39:09 +00:00
|
|
|
"""Lookup application assigned to provider, throw error if no application assigned"""
|
2018-12-09 20:07:38 +00:00
|
|
|
try:
|
|
|
|
|
return provider.application
|
|
|
|
|
except Application.DoesNotExist as exc:
|
2019-12-31 11:51:16 +00:00
|
|
|
messages.error(
|
|
|
|
|
self.request,
|
|
|
|
|
_(
|
|
|
|
|
'Provider "%(name)s" has no application assigned'
|
|
|
|
|
% {"name": provider}
|
|
|
|
|
),
|
|
|
|
|
)
|
2019-02-26 08:10:37 +00:00
|
|
|
raise exc
|
2018-11-25 19:39:09 +00:00
|
|
|
|
2020-07-01 21:18:10 +00:00
|
|
|
def user_has_access(
|
|
|
|
|
self, application: Application, user: Optional[User] = None
|
|
|
|
|
) -> PolicyResult:
|
2018-11-25 19:39:09 +00:00
|
|
|
"""Check if user has access to application."""
|
2020-07-01 21:18:10 +00:00
|
|
|
user = user or self.request.user
|
|
|
|
|
policy_engine = PolicyEngine(
|
|
|
|
|
application, user or self.request.user, self.request
|
|
|
|
|
)
|
2019-10-15 13:44:59 +00:00
|
|
|
policy_engine.build()
|
2020-07-01 21:18:10 +00:00
|
|
|
result = policy_engine.result
|
|
|
|
|
LOGGER.debug(
|
2020-09-30 17:34:22 +00:00
|
|
|
"AccessMixin user_has_access",
|
|
|
|
|
user=user,
|
|
|
|
|
app=application,
|
|
|
|
|
result=result,
|
2020-07-01 21:18:10 +00:00
|
|
|
)
|
|
|
|
|
if not result.passing:
|
|
|
|
|
for message in result.messages:
|
|
|
|
|
messages.error(self.request, _(message))
|
|
|
|
|
return result
|
