authentik/passbook/core/models.py

402 lines
13 KiB
Python
Raw Normal View History

2018-11-11 12:41:48 +00:00
"""passbook core models"""
import re
from logging import getLogger
2018-12-09 20:20:34 +00:00
from random import SystemRandom
from time import sleep
from uuid import uuid4
2018-11-11 12:41:48 +00:00
from django.contrib.auth.models import AbstractUser
from django.contrib.postgres.fields import ArrayField
2018-11-11 12:41:48 +00:00
from django.db import models
2018-12-10 13:49:15 +00:00
from django.urls import reverse_lazy
from django.utils.timezone import now
2018-11-26 21:08:48 +00:00
from django.utils.translation import gettext as _
2018-11-16 08:10:35 +00:00
from model_utils.managers import InheritanceManager
2018-11-11 12:41:48 +00:00
from passbook.core.signals import password_changed
2018-11-16 08:10:35 +00:00
from passbook.lib.models import CreatedUpdatedModel, UUIDModel
2018-11-11 12:41:48 +00:00
LOGGER = getLogger(__name__)
class Group(UUIDModel):
"""Custom Group model which supports a basic hierarchy"""
name = models.CharField(_('name'), max_length=80)
parent = models.ForeignKey('Group', blank=True, null=True,
on_delete=models.SET_NULL, related_name='children')
extra_data = models.TextField(blank=True)
def __str__(self):
return "Group %s" % self.name
class Meta:
unique_together = (('name', 'parent',),)
2018-11-11 12:41:48 +00:00
class User(AbstractUser):
"""Custom User model to allow easier adding o f user-based settings"""
uuid = models.UUIDField(default=uuid4, editable=False)
2018-11-11 12:41:48 +00:00
sources = models.ManyToManyField('Source', through='UserSourceConnection')
2018-11-16 10:41:14 +00:00
applications = models.ManyToManyField('Application')
groups = models.ManyToManyField('Group')
password_change_date = models.DateTimeField(auto_now_add=True)
def set_password(self, password):
password_changed.send(sender=self, user=self, password=password)
self.password_change_date = now()
return super().set_password(password)
2018-11-16 10:41:14 +00:00
class Provider(models.Model):
"""Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
2018-11-16 10:41:14 +00:00
2018-11-25 19:38:49 +00:00
objects = InheritanceManager()
2018-11-16 10:41:14 +00:00
# This class defines no field for easier inheritance
def __str__(self):
if hasattr(self, 'name'):
return getattr(self, 'name')
return super().__str__()
2018-11-11 12:41:48 +00:00
2019-02-16 09:24:31 +00:00
class PolicyModel(UUIDModel, CreatedUpdatedModel):
"""Base model which can have policies applied to it"""
2019-02-16 09:24:31 +00:00
policies = models.ManyToManyField('Policy', blank=True)
def passes(self, user: User) -> bool:
"""Return true if user passes, otherwise False or raise Exception"""
2019-02-16 10:13:00 +00:00
for policy in self.policies.all():
2019-02-16 09:24:31 +00:00
if not policy.passes(user):
return False
return True
2019-02-16 09:24:31 +00:00
class Factor(PolicyModel):
2019-02-16 08:52:37 +00:00
"""Authentication factor, multiple instances of the same Factor can be used"""
name = models.TextField()
slug = models.SlugField(unique=True)
order = models.IntegerField()
enabled = models.BooleanField(default=True)
objects = InheritanceManager()
type = ''
form = ''
2019-02-16 08:52:37 +00:00
def has_user_settings(self):
"""Entrypoint to integrate with User settings. Can either return False if no
user settings are available, or a tuple or string, string, string where the first string
is the name the item has, the second string is the icon and the third is the view-name."""
return False
2019-02-16 08:52:37 +00:00
def __str__(self):
return "Factor %s" % self.slug
class PasswordFactor(Factor):
"""Password-based Django-backend Authentication Factor"""
backends = ArrayField(models.TextField())
password_policies = models.ManyToManyField('Policy', blank=True)
type = 'passbook.core.auth.factors.password.PasswordFactor'
form = 'passbook.core.forms.factors.PasswordFactorForm'
def has_user_settings(self):
return _('Change Password'), 'pficon-key', 'passbook_core:user-change-password'
def password_passes(self, user: User) -> bool:
"""Return true if user's password passes, otherwise False or raise Exception"""
for policy in self.policies.all():
if not policy.passes(user):
return False
return True
def __str__(self):
return "Password Factor %s" % self.slug
class Meta:
verbose_name = _('Password Factor')
verbose_name_plural = _('Password Factors')
class DummyFactor(Factor):
"""Dummy factor, mostly used to debug"""
type = 'passbook.core.auth.factors.dummy.DummyFactor'
form = 'passbook.core.forms.factors.DummyFactorForm'
def __str__(self):
return "Dummy Factor %s" % self.slug
class Meta:
verbose_name = _('Dummy Factor')
verbose_name_plural = _('Dummy Factors')
2019-02-16 09:24:31 +00:00
class Application(PolicyModel):
2018-11-11 12:41:48 +00:00
"""Every Application which uses passbook for authentication/identification/authorization
needs an Application record. Other authentication types can subclass this Model to
add custom fields and other properties"""
name = models.TextField()
2018-12-26 16:17:39 +00:00
slug = models.SlugField()
2018-11-11 12:41:48 +00:00
launch_url = models.URLField(null=True, blank=True)
icon_url = models.TextField(null=True, blank=True)
2019-02-16 08:52:37 +00:00
provider = models.OneToOneField('Provider', null=True, blank=True,
default=None, on_delete=models.SET_DEFAULT)
skip_authorization = models.BooleanField(default=False)
2018-11-11 12:41:48 +00:00
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
2018-11-11 12:41:48 +00:00
def user_is_authorized(self, user: User) -> bool:
"""Check if user is authorized to use this application"""
2019-02-16 09:24:31 +00:00
from passbook.core.policies import PolicyEngine
return PolicyEngine(self.policies.all()).for_user(user).result
2018-11-11 12:41:48 +00:00
def __str__(self):
return self.name
2019-02-16 09:24:31 +00:00
class Source(PolicyModel):
2018-11-11 12:41:48 +00:00
"""Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
name = models.TextField()
slug = models.SlugField()
2018-11-16 08:10:35 +00:00
form = '' # ModelForm-based class ued to create/edit instance
2018-11-11 12:41:48 +00:00
enabled = models.BooleanField(default=True)
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
@property
def is_link(self):
"""Return true if Source should get a link on the login page"""
return False
@property
def get_login_button(self):
"""Return a tuple of URL, Icon name and Name"""
raise NotImplementedError
@property
def additional_info(self):
"""Return additional Info, such as a callback URL. Show in the administration interface."""
return None
2018-11-11 12:41:48 +00:00
def __str__(self):
return self.name
class UserSourceConnection(CreatedUpdatedModel):
"""Connection between User and Source."""
user = models.ForeignKey(User, on_delete=models.CASCADE)
source = models.ForeignKey(Source, on_delete=models.CASCADE)
class Meta:
unique_together = (('user', 'source'),)
2019-02-16 09:24:31 +00:00
class Policy(UUIDModel, CreatedUpdatedModel):
2019-02-16 10:13:00 +00:00
"""Policies which specify if a user is authorized to use an Application. Can be overridden by
2018-11-11 12:41:48 +00:00
other types to add other fields, more logic, etc."""
ACTION_ALLOW = 'allow'
ACTION_DENY = 'deny'
ACTIONS = (
(ACTION_ALLOW, ACTION_ALLOW),
(ACTION_DENY, ACTION_DENY),
)
name = models.TextField(blank=True, null=True)
action = models.CharField(max_length=20, choices=ACTIONS)
negate = models.BooleanField(default=False)
2018-11-25 19:38:49 +00:00
order = models.IntegerField(default=0)
2018-11-11 12:41:48 +00:00
2018-11-16 08:10:35 +00:00
objects = InheritanceManager()
2018-11-11 12:41:48 +00:00
def __str__(self):
if self.name:
return self.name
return "%s action %s" % (self.name, self.action)
2018-11-11 12:41:48 +00:00
def passes(self, user: User) -> bool:
2019-02-16 09:24:31 +00:00
"""Check if user instance passes this policy"""
2018-11-11 12:41:48 +00:00
raise NotImplementedError()
2019-02-16 09:24:31 +00:00
class FieldMatcherPolicy(Policy):
"""Policy which checks if a field of the User model matches/doesn't match a
2018-11-11 12:41:48 +00:00
certain pattern"""
MATCH_STARTSWITH = 'startswith'
MATCH_ENDSWITH = 'endswith'
MATCH_CONTAINS = 'contains'
MATCH_REGEXP = 'regexp'
MATCH_EXACT = 'exact'
2019-02-10 19:09:47 +00:00
2018-11-11 12:41:48 +00:00
MATCHES = (
2018-11-26 21:08:48 +00:00
(MATCH_STARTSWITH, _('Starts with')),
(MATCH_ENDSWITH, _('Ends with')),
2019-02-21 15:21:45 +00:00
(MATCH_CONTAINS, _('Contains')),
2018-11-26 21:08:48 +00:00
(MATCH_REGEXP, _('Regexp')),
(MATCH_EXACT, _('Exact')),
2018-11-11 12:41:48 +00:00
)
USER_FIELDS = (
2019-02-10 19:09:47 +00:00
('username', _('Username'),),
('first_name', _('First Name'),),
('last_name', _('Last Name'),),
('email', _('E-Mail'),),
('is_staff', _('Is staff'),),
('is_active', _('Is active'),),
('data_joined', _('Date joined'),),
)
user_field = models.TextField(choices=USER_FIELDS)
2018-11-11 12:41:48 +00:00
match_action = models.CharField(max_length=50, choices=MATCHES)
value = models.TextField()
2019-02-16 09:24:31 +00:00
form = 'passbook.core.forms.policies.FieldMatcherPolicyForm'
2018-11-26 21:08:48 +00:00
2018-11-11 12:41:48 +00:00
def __str__(self):
description = "%s, user.%s %s '%s'" % (self.name, self.user_field,
self.match_action, self.value)
2018-11-11 12:41:48 +00:00
if self.name:
description = "%s: %s" % (self.name, description)
return description
def passes(self, user: User) -> bool:
2018-11-11 12:41:48 +00:00
"""Check if user instance passes this role"""
if not hasattr(user, self.user_field):
raise ValueError("Field does not exist")
user_field_value = getattr(user, self.user_field, None)
LOGGER.debug("Checked '%s' %s with '%s'...",
user_field_value, self.match_action, self.value)
passes = False
2019-02-16 09:24:31 +00:00
if self.match_action == FieldMatcherPolicy.MATCH_STARTSWITH:
2018-11-11 12:41:48 +00:00
passes = user_field_value.startswith(self.value)
2019-02-16 09:24:31 +00:00
if self.match_action == FieldMatcherPolicy.MATCH_ENDSWITH:
2018-11-11 12:41:48 +00:00
passes = user_field_value.endswith(self.value)
2019-02-16 09:24:31 +00:00
if self.match_action == FieldMatcherPolicy.MATCH_CONTAINS:
2018-11-11 12:41:48 +00:00
passes = self.value in user_field_value
2019-02-16 09:24:31 +00:00
if self.match_action == FieldMatcherPolicy.MATCH_REGEXP:
2018-11-11 12:41:48 +00:00
pattern = re.compile(self.value)
2018-11-30 13:33:33 +00:00
passes = bool(pattern.match(user_field_value))
2018-11-11 12:41:48 +00:00
if self.negate:
passes = not passes
LOGGER.debug("User got '%r'", passes)
return passes
2018-11-26 21:08:48 +00:00
class Meta:
2019-02-16 09:24:31 +00:00
verbose_name = _('Field matcher Policy')
2019-02-16 10:13:00 +00:00
verbose_name_plural = _('Field matcher Policies')
2019-02-16 10:13:00 +00:00
class PasswordPolicy(Policy):
2019-02-16 09:24:31 +00:00
"""Policy to make sure passwords have certain properties"""
2019-02-10 19:09:47 +00:00
amount_uppercase = models.IntegerField(default=0)
amount_lowercase = models.IntegerField(default=0)
amount_symbols = models.IntegerField(default=0)
length_min = models.IntegerField(default=0)
symbol_charset = models.TextField(default=r"!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ")
2019-02-16 10:13:00 +00:00
form = 'passbook.core.forms.policies.PasswordPolicyForm'
2019-02-10 19:09:47 +00:00
def passes(self, user: User) -> bool:
# Only check if password is being set
if not hasattr(user, '__password__'):
return True
password = getattr(user, '__password__')
filter_regex = r''
if self.amount_lowercase > 0:
filter_regex += r'[a-z]{%d,}' % self.amount_lowercase
if self.amount_uppercase > 0:
filter_regex += r'[A-Z]{%d,}' % self.amount_uppercase
if self.amount_symbols > 0:
filter_regex += r'[%s]{%d,}' % (self.symbol_charset, self.amount_symbols)
result = bool(re.compile(filter_regex).match(password))
LOGGER.debug("User got %r", result)
return result
class Meta:
2019-02-16 10:13:00 +00:00
verbose_name = _('Password Policy')
verbose_name_plural = _('Password Policies')
2019-02-10 19:09:47 +00:00
2019-02-16 09:24:31 +00:00
class WebhookPolicy(Policy):
"""Policy that asks webhook"""
2018-11-27 15:23:04 +00:00
METHOD_GET = 'GET'
METHOD_POST = 'POST'
METHOD_PATCH = 'PATCH'
METHOD_DELETE = 'DELETE'
METHOD_PUT = 'PUT'
METHODS = (
(METHOD_GET, METHOD_GET),
(METHOD_POST, METHOD_POST),
(METHOD_PATCH, METHOD_PATCH),
(METHOD_DELETE, METHOD_DELETE),
(METHOD_PUT, METHOD_PUT),
)
url = models.URLField()
method = models.CharField(max_length=10, choices=METHODS)
json_body = models.TextField()
json_headers = models.TextField()
result_jsonpath = models.TextField()
result_json_value = models.TextField()
2019-02-16 09:24:31 +00:00
form = 'passbook.core.forms.policies.WebhookPolicyForm'
2018-11-27 15:23:04 +00:00
def passes(self, user: User):
"""Call webhook asynchronously and report back"""
raise NotImplementedError()
class Meta:
2019-02-16 09:24:31 +00:00
verbose_name = _('Webhook Policy')
2019-02-16 10:13:00 +00:00
verbose_name_plural = _('Webhook Policies')
2019-02-16 09:24:31 +00:00
class DebugPolicy(Policy):
"""Policy used for debugging the PolicyEngine. Returns a fixed result,
but takes a random time to process."""
result = models.BooleanField(default=False)
wait_min = models.IntegerField(default=5)
wait_max = models.IntegerField(default=30)
2019-02-16 09:24:31 +00:00
form = 'passbook.core.forms.policies.DebugPolicyForm'
def passes(self, user: User):
"""Wait random time then return result"""
2018-12-09 20:20:34 +00:00
wait = SystemRandom().randrange(self.wait_min, self.wait_max)
2019-02-16 09:24:31 +00:00
LOGGER.debug("Policy '%s' waiting for %ds", self.name, wait)
sleep(wait)
return self.result
class Meta:
2019-02-16 09:24:31 +00:00
verbose_name = _('Debug Policy')
2019-02-16 10:13:00 +00:00
verbose_name_plural = _('Debug Policies')
2018-12-10 12:48:22 +00:00
2018-12-10 13:49:15 +00:00
class Invitation(UUIDModel):
2018-12-10 13:21:42 +00:00
"""Single-use invitation link"""
2018-12-10 12:48:22 +00:00
created_by = models.ForeignKey('User', on_delete=models.CASCADE)
expires = models.DateTimeField(default=None, blank=True, null=True)
fixed_username = models.TextField(blank=True, default=None)
fixed_email = models.TextField(blank=True, default=None)
2018-12-10 13:49:15 +00:00
@property
def link(self):
"""Get link to use invitation"""
return reverse_lazy('passbook_core:auth-sign-up') + '?invitation=%s' % self.uuid
2018-12-10 12:48:22 +00:00
def __str__(self):
2018-12-10 13:49:15 +00:00
return "Invitation %s created by %s" % (self.uuid, self.created_by)
2018-12-10 12:48:22 +00:00
class Meta:
2018-12-10 13:49:15 +00:00
verbose_name = _('Invitation')
2018-12-10 13:21:42 +00:00
verbose_name_plural = _('Invitations')