diff --git a/docs/policies/expression.md b/docs/policies/expression.md
index e4fbe05aa..0796cb5ed 100644
--- a/docs/policies/expression.md
+++ b/docs/policies/expression.md
@@ -27,4 +27,11 @@ return False
 - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
 - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
 - `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses)
-- `pb_flow_plan`: Current Plan if Policy is called from the Flow Planner.
+
+Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
+
+This includes the following:
+
+- `prompt_data`: Data which has been saved from a prompt stage or an external source.
+- `application`: The application the user is in the process of authorizing.
+- `pending_user`: The currently pending user
diff --git a/passbook/flows/migrations/0009_source_flows.py b/passbook/flows/migrations/0009_source_flows.py
index 53be52031..a4a60a5ed 100644
--- a/passbook/flows/migrations/0009_source_flows.py
+++ b/passbook/flows/migrations/0009_source_flows.py
@@ -12,7 +12,7 @@ FLOW_POLICY_EXPRESSION = """# This policy ensures that this flow can only be use
 return pb_is_sso_flow"""
 PROMPT_POLICY_EXPRESSION = """# Check if we've not been given a username by the external IdP
 # and trigger the enrollment flow
-return 'username' not in pb_flow_plan.context.get('prompt_data', {})"""
+return 'username' not in context.get('prompt_data', {})"""
 
 
 def create_default_source_enrollment_flow(
diff --git a/passbook/policies/expression/evaluator.py b/passbook/policies/expression/evaluator.py
index a8bcf6d06..d50bca8f1 100644
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@@ -6,7 +6,6 @@ from django.http import HttpRequest
 from structlog import get_logger
 
 from passbook.flows.planner import PLAN_CONTEXT_SSO
-from passbook.flows.views import SESSION_KEY_PLAN
 from passbook.lib.expression.evaluator import BaseEvaluator
 from passbook.lib.utils.http import get_client_ip
 from passbook.policies.types import PolicyRequest, PolicyResult
@@ -31,23 +30,20 @@ class PolicyEvaluator(BaseEvaluator):
 
     def set_policy_request(self, request: PolicyRequest):
         """Update context based on policy request (if http request is given, update that too)"""
-        # update passbook/policies/expression/templates/policy/expression/form.html
         # update docs/policies/expression/index.md
         self._context["pb_is_sso_flow"] = request.context.get(PLAN_CONTEXT_SSO, False)
         if request.http_request:
             self.set_http_request(request.http_request)
         self._context["request"] = request
+        self._context["context"] = request.context
 
     def set_http_request(self, request: HttpRequest):
         """Update context based on http request"""
-        # update passbook/policies/expression/templates/policy/expression/form.html
         # update docs/policies/expression/index.md
         self._context["pb_client_ip"] = ip_address(
             get_client_ip(request) or "255.255.255.255"
         )
         self._context["request"] = request
-        if SESSION_KEY_PLAN in request.session:
-            self._context["pb_flow_plan"] = request.session[SESSION_KEY_PLAN]
 
     def evaluate(self, expression_source: str) -> PolicyResult:
         """Parse and evaluate expression. Policy is expected to return a truthy object.
diff --git a/passbook/policies/expression/migrations/0002_auto_20200926_1156.py b/passbook/policies/expression/migrations/0002_auto_20200926_1156.py
new file mode 100644
index 000000000..8f2e6798c
--- /dev/null
+++ b/passbook/policies/expression/migrations/0002_auto_20200926_1156.py
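Review bot: The `# update docs/policies/expression/index.md` comment kept in both set_policy_request and set_http_request points at a file this commit does not touch, while the documentation actually edited here is `docs/policies/expression.md`, so the pointer maintainers are meant to follow looks stale; change it to `# update docs/policies/expression.md` or drop it along with the template comment that was removed. The new line `self._context["context"] = request.context` makes the entire flow context, including `pending_user` per the docs hunk, reachable from expressions rather than only the named `pb_*` keys, and a one-line comment such as `# expose the full flow context (prompt_data, application, pending_user, ...) to expressions` would make that intent explicit next to the code. Separately, `self._context["request"]` is first set to the HttpRequest inside set_http_request and then overwritten with the PolicyRequest on the following line of set_policy_request, which appears to be pre-existing rather than introduced here but is worth a look while the keys are being reworked. The class continues outside the hunk.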
@@ -0,0 +1,28 @@
+# Generated by Django 3.1.1 on 2020-09-26 11:56
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def remove_pb_flow_plan(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    ExpressionPolicy = apps.get_model(
+        "passbook_policies_expression", "ExpressionPolicy"
+    )
+
+    db_alias = schema_editor.connection.alias
+
+    for policy in ExpressionPolicy.objects.using(db_alias).all():
+        policy.expression.replace("pb_flow_plan.", "context.")
+        policy.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_policies_expression", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_pb_flow_plan),
+    ]
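Review bot: The data migration in remove_pb_flow_plan does not change any stored policy: `policy.expression.replace("pb_flow_plan.", "context.")` returns a new string that is discarded, so every row is saved unchanged and existing expressions keep referencing `pb_flow_plan`, a name the evaluator no longer defines after this commit. The replacement target also looks wrong even once assigned, because the old form shown in the 0009_source_flows.py hunk is `pb_flow_plan.context.get(...)`, which this rewrite would turn into `context.context.get(...)` rather than the `context.get(...)` the same commit writes there; the assignment `policy.expression = policy.expression.replace("pb_flow_plan.context", "context")` matches that mapping, although other attributes of the old plan object, if any policies used them, would still need their own rewrite. Saving only when the expression actually changed would also avoid rewriting every row. The RunPython has no reverse function, so the migration cannot be unapplied; `migrations.RunPython(remove_pb_flow_plan, migrations.RunPython.noop)` makes it reversible as a no-op.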