policies/expression: remove pb_flow_plan, save flow context directly in context

Jens Langhammer 2020-09-26 13:58:32 +02:00
parent 502e43085f
commit 2b9705b33c
4 changed files with 38 additions and 7 deletions


@ -27,4 +27,11 @@ return False
- `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
- `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. - `pb_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses) - `pb_client_ip`: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be [compared](../expressions/index.md#comparing-ip-addresses)
- `pb_flow_plan`: Current Plan if Policy is called from the Flow Planner.
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object.
This includes the following:
- `prompt_data`: Data which has been saved from a prompt stage or an external source.
- `application`: The application the user is in the process of authorizing.
- `pending_user`: The currently pending user


@ -12,7 +12,7 @@ FLOW_POLICY_EXPRESSION = """# This policy ensures that this flow can only be use
return pb_is_sso_flow""" return pb_is_sso_flow"""
PROMPT_POLICY_EXPRESSION = """# Check if we've not been given a username by the external IdP PROMPT_POLICY_EXPRESSION = """# Check if we've not been given a username by the external IdP
# and trigger the enrollment flow # and trigger the enrollment flow
return 'username' not in pb_flow_plan.context.get('prompt_data', {})""" return 'username' not in context.get('prompt_data', {})"""
def create_default_source_enrollment_flow( def create_default_source_enrollment_flow(


@ -6,7 +6,6 @@ from django.http import HttpRequest
from structlog import get_logger from structlog import get_logger
from passbook.flows.planner import PLAN_CONTEXT_SSO from passbook.flows.planner import PLAN_CONTEXT_SSO
from passbook.flows.views import SESSION_KEY_PLAN
from passbook.lib.expression.evaluator import BaseEvaluator from passbook.lib.expression.evaluator import BaseEvaluator
from passbook.lib.utils.http import get_client_ip from passbook.lib.utils.http import get_client_ip
from passbook.policies.types import PolicyRequest, PolicyResult from passbook.policies.types import PolicyRequest, PolicyResult
@ -31,23 +30,20 @@ class PolicyEvaluator(BaseEvaluator):
def set_policy_request(self, request: PolicyRequest): def set_policy_request(self, request: PolicyRequest):
"""Update context based on policy request (if http request is given, update that too)""" """Update context based on policy request (if http request is given, update that too)"""
# update passbook/policies/expression/templates/policy/expression/form.html
# update docs/policies/expression/index.md # update docs/policies/expression/index.md
self._context["pb_is_sso_flow"] = request.context.get(PLAN_CONTEXT_SSO, False) self._context["pb_is_sso_flow"] = request.context.get(PLAN_CONTEXT_SSO, False)
if request.http_request: if request.http_request:
self.set_http_request(request.http_request) self.set_http_request(request.http_request)
self._context["request"] = request self._context["request"] = request
self._context["context"] = request.context
def set_http_request(self, request: HttpRequest): def set_http_request(self, request: HttpRequest):
"""Update context based on http request""" """Update context based on http request"""
# update passbook/policies/expression/templates/policy/expression/form.html
# update docs/policies/expression/index.md # update docs/policies/expression/index.md
self._context["pb_client_ip"] = ip_address( self._context["pb_client_ip"] = ip_address(
get_client_ip(request) or "255.255.255.255" get_client_ip(request) or "255.255.255.255"
) )
self._context["request"] = request self._context["request"] = request
if SESSION_KEY_PLAN in request.session:
self._context["pb_flow_plan"] = request.session[SESSION_KEY_PLAN]
def evaluate(self, expression_source: str) -> PolicyResult: def evaluate(self, expression_source: str) -> PolicyResult:
"""Parse and evaluate expression. Policy is expected to return a truthy object. """Parse and evaluate expression. Policy is expected to return a truthy object.
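Review bot: The new `self._context["context"] = request.context` in `set_policy_request` hands the expression the flow context by reference, so an expression that assigns into `context` (e.g. `context['pending_user'] = ...`) mutates the caller's `request.context` — and, if that dict is the planner's live context, the state every later stage of the flow sees; the old `pb_flow_plan` came out of `request.session`, where Django deserializes a fresh copy per request, so such writes were not persisted the same way. If read-and-write access is intended it deserves a comment on that line, e.g. `# exposed by reference: expressions can read *and* mutate the flow context`; if not, `self._context["context"] = dict(request.context)` gives expressions a shallow copy (nested objects such as `prompt_data` would still be shared). The two `# update passbook/policies/expression/templates/policy/expression/form.html` reminders are also dropped here; if that template's help text still lists `pb_flow_plan`, it is now stale — it is not visible in this diff. The `evaluate()` definition on the last two lines continues outside the hunk.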


@ -0,0 +1,28 @@
# Generated by Django 3.1.1 on 2020-09-26 11:56
from django.apps.registry import Apps
from django.db import migrations
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
def remove_pb_flow_plan(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
ExpressionPolicy = apps.get_model(
"passbook_policies_expression", "ExpressionPolicy"
)
db_alias = schema_editor.connection.alias
for policy in ExpressionPolicy.objects.using(db_alias).all():
policy.expression.replace("pb_flow_plan.", "context.")
policy.save()
class Migration(migrations.Migration):
dependencies = [
("passbook_policies_expression", "0001_initial"),
]
operations = [
migrations.RunPython(remove_pb_flow_plan),
]