Produits Entr'ouvert » Authentic 2

# authentic2 - versatile identity manager

# Copyright (C) 2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django import forms

from authentic2.forms.mixins import SlugMixin

from .models import BaseAuthenticator

class AuthenticatorAddForm(SlugMixin, forms.ModelForm):

    field_order = ('authenticator', 'name', 'ou')

    authenticators = {x.type: x for x in BaseAuthenticator.__subclasses__()}

    authenticator = forms.ChoiceField(choices=[(k, v._meta.verbose_name) for k, v in authenticators.items()])

    class Meta:

        model = BaseAuthenticator

        fields = ('name', 'ou')

    def save(self):

        Authenticator = self.authenticators[self.cleaned_data['authenticator']]

        self.instance = Authenticator(name=self.cleaned_data['name'], ou=self.cleaned_data['ou'])

        return super().save()

# authentic2 - versatile identity manager

# Copyright (C) 2010-2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.contrib.auth.decorators import user_passes_test

from django.core.exceptions import PermissionDenied

from django.urls import path

from django.utils.functional import lazy

from authentic2.decorators import required

from authentic2.utils import misc as utils_misc

from . import views

def superuser_required(function, login_url):

    def check_superuser(user):

        if user and user.is_superuser:

            return True

        if user and not user.is_anonymous:

            raise PermissionDenied()

        return False

    actual_decorator = user_passes_test(check_superuser, login_url=login_url)

    return actual_decorator(function)

def superuser_login_required(func):

    return superuser_required(func, login_url=lazy(utils_misc.get_manager_login_url, str)())

urlpatterns = required(

    superuser_login_required,

    [

        # Authenticators

        path('authenticators/', views.authenticators, name='a2-manager-authenticators'),

        path(

            'authenticators/add/',

            views.add,

            name='a2-manager-authenticator-add',

        ),

        path(

            'authenticators/<int:pk>/detail/',

            views.detail,

            name='a2-manager-authenticator-detail',

        ),

        path(

            'authenticators/<int:pk>/edit/',

            views.edit,

            name='a2-manager-authenticator-edit',

        ),

        path(

            'authenticators/<int:pk>/delete/',

            views.delete,

            name='a2-manager-authenticator-delete',

        ),

        path(

            'authenticators/<int:pk>/toggle/',

            views.toggle,

            name='a2-manager-authenticator-toggle',

        ),

    ],

)

# Generated by Django 2.2.26 on 2022-05-17 14:24

from django.conf import settings

from django.db import migrations, models

import django.db.models.deletion

import uuid

class Migration(migrations.Migration):

    initial = True

    dependencies = [

        migrations.swappable_dependency(settings.RBAC_OU_MODEL),

    ]

    operations = [

        migrations.CreateModel(

            name='BaseAuthenticator',

            fields=[

                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),

                ('uuid', models.CharField(default=uuid.uuid4, editable=False, max_length=255, unique=True)),

                ('name', models.CharField(max_length=128, verbose_name='Name')),

                ('slug', models.SlugField(unique=True)),

                ('order', models.IntegerField(default=0, verbose_name='Order')),

                ('enabled', models.BooleanField(default=False, editable=False)),

                ('show_condition', models.CharField(blank=True, help_text='Django template controlling authenticator display. For example, "\'backoffice\' in login_hint or remotre_addr == \'1.2.3.4\'" would hide the authenticator from normal users except if they come from the specified IP address. Available variables include service_ou_slug, service_slug, remote_addr, login_hint and headers.', max_length=128, verbose_name='Show condition')),

                ('ou', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.RBAC_OU_MODEL, verbose_name='organizational unit')),

            ],

            options={

                'ordering': ('-enabled', 'name', 'slug', 'ou'),

            },

        ),

    ]

# authentic2 - versatile identity manager

# Copyright (C) 2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import datetime

import logging

import uuid

from django.db import models

from django.shortcuts import render, reverse

from django.utils.formats import date_format

from django.utils.translation import ugettext_lazy as _

from authentic2.utils.evaluate import evaluate_condition

from .query import AuthenticatorManager

logger = logging.getLogger(__name__)

class BaseAuthenticator(models.Model):

    uuid = models.CharField(max_length=255, unique=True, default=uuid.uuid4, editable=False)

    name = models.CharField(_('Name'), max_length=128)

    slug = models.SlugField(unique=True)

    ou = models.ForeignKey(

        verbose_name=_('organizational unit'),

        to='a2_rbac.OrganizationalUnit',

        null=True,

        blank=False,

        on_delete=models.CASCADE,

    )

    order = models.IntegerField(_('Order'), default=0)

    enabled = models.BooleanField(default=False, editable=False)

    show_condition = models.CharField(

        _('Show condition'),

        max_length=128,

        blank=True,

        help_text=_(

            'Django template controlling authenticator display. For example, "\'backoffice\' in '

            'login_hint or remotre_addr == \'1.2.3.4\'" would hide the authenticator from normal users '

            'except if they come from the specified IP address. Available variables include '

            'service_ou_slug, service_slug, remote_addr, login_hint and headers.'

        ),

    )

    objects = models.Manager()

    authenticators = AuthenticatorManager()

    type = ''

    manager_form_class = None

    description_fields = ['show_condition']

    class Meta:

        ordering = ('-enabled', 'name', 'slug', 'ou')

    def __str__(self):

        if self.name:

            return '%s - %s' % (self._meta.verbose_name, self.name)

        return str(self._meta.verbose_name)

    def get_identifier(self):

        return '%s_%s' % (self.type, self.pk)

    def get_absolute_url(self):

        return reverse('a2-manager-authenticator-detail', kwargs={'pk': self.pk})

    def get_short_description(self):

        return ''

    def get_full_description(self):

        for field in self.description_fields:

            value = getattr(self, field)

            if not value:

                continue

            if isinstance(value, datetime.datetime):

                value = date_format(value, 'DATETIME_FORMAT')

            yield _('%(field)s: %(value)s') % {

                'field': self._meta.get_field(field).verbose_name.capitalize(),

                'value': value,

            }

    @property

    def priority(self):

        return self.order

    def shown(self, ctx=()):

        if not self.show_condition:

            return True

        ctx = dict(ctx, id=self.slug)

        try:

            return evaluate_condition(self.show_condition, ctx, on_raise=True)

        except Exception as e:

            logger.error(e)

            return False

from django.db import models

from django.db.models.query import ModelIterable

class AuthenticatorIterable(ModelIterable):

    def __iter__(self):

        for obj in ModelIterable(self.queryset):

            yield next(getattr(obj, field) for field in self.queryset.subclasses if hasattr(obj, field))

class AuthenticatorQuerySet(models.QuerySet):

    def __init__(self, *args, **kwargs):

        super().__init__(*args, **kwargs)

        self.subclasses = [

            field.name for field in self.model._meta.get_fields() if isinstance(field, models.OneToOneRel)

        ]

        self._iterable_class = AuthenticatorIterable

class AuthenticatorManager(models.Manager):

    def get_queryset(self):

        qs = AuthenticatorQuerySet(self.model, using=self._db)

        return qs.select_related(*qs.subclasses)

{% extends "authentic2/authenticators/authenticator_common.html" %}

{% load gadjo i18n %}

{% block breadcrumb %}

  {{ block.super }}

  <a href="#"></a>

{% endblock %}

{% block content %}

  <form method="post" enctype="multipart/form-data">

    {% csrf_token %}

    {{ form|with_template }}

    <div class="buttons">

      <button>{% trans "Add" %}</button>

      <a class="cancel" href="{% url 'a2-manager-authenticators' %}">{% trans 'Cancel' %}</a>

    </div>

  </form>

{% endblock %}

{% extends "authentic2/manager/base.html" %}

{% load i18n %}

{% block page-title %}{{ block.super }} - {% if object %}{{ object }}{% else %}{% trans "Authenticators" %}{% endif %}{% endblock %}

{% block title %}{{ block.super }} - {% trans "Authenticators" %}{% endblock %}

{% block breadcrumb %}

  {{ block.super }}

  <a href="{% url 'a2-manager-authenticators' %}">{% trans "Authenticators" %}</a>

{% endblock %}

{% extends "authentic2/authenticators/authenticator_common.html" %}

{% load i18n gadjo %}

{% block breadcrumb %}

  {{ block.super }}

  <a href="{% url 'a2-manager-authenticators' %}">{% trans "Authenticators" %}</a>

  <a href="#"></a>

{% endblock %}

{% block content %}

  <form method="post" enctype="multipart/form-data">

    {% csrf_token %}

    <p>{% blocktrans %}Do you want to delete "{{ object }}" ?{% endblocktrans %}</p>

    <div class="buttons">

      <button class="delete-button">{% trans "Delete" %}</button>

      <a class="cancel" href="{% url 'a2-manager-authenticator-detail' pk=object.pk %}">{% trans 'Cancel' %}</a>

    </div>

  </form>

{% endblock %}

{% extends "authentic2/authenticators/authenticator_common.html" %}

{% load i18n gadjo %}

{% block appbar %}

  {{ block.super }}

  <span class="actions">

    <a class="extra-actions-menu-opener"></a>

    <a href="{% url 'a2-manager-authenticator-toggle' pk=object.pk %}">{{ object.enabled|yesno:_("Disable,Enable") }}</a>

    <a href="{% url 'a2-manager-authenticator-edit' pk=object.pk %}">{% trans "Edit" %}</a>

    <ul class="extra-actions-menu">

      <li><a rel="popup" href="{% url 'a2-manager-authenticator-delete' pk=object.pk %}">{% trans "Delete" %}</a></li>

    </ul>

  </span>

{% endblock %}

{% block breadcrumb %}

  {{ block.super }}

  <a href="#"></a>

{% endblock %}

{% block content %}

  <div class='placeholder'>

    {% for line in object.get_full_description %}

      <p>{{ line }}</p>

    {% empty %}

      <p>{% trans 'Click "Edit" to change configuration.' %}</p>

    {% endfor %}

  </div>

{% endblock %}

{% extends "authentic2/authenticators/authenticator_common.html" %}

{% load i18n gadjo %}

{% block breadcrumb %}

  {{ block.super }}

  <a href="{% url 'a2-manager-authenticator-detail' pk=object.pk %}">{{ object }}</a>

  <a href="#"></a>

{% endblock %}

{% block content %}

  <form method="post" enctype="multipart/form-data">

    {% csrf_token %}

    {{ form|with_template }}

    <div class="buttons">

      <button>{% trans "Save" %}</button>

      <a class="cancel" href="{% url 'a2-manager-authenticator-detail' pk=object.pk %}">{% trans 'Cancel' %}</a>

    </div>

  </form>

{% endblock %}

{% extends "authentic2/authenticators/authenticator_common.html" %}

{% load i18n gadjo %}

{% block appbar %}

  {{ block.super }}

  <span class="actions">

    <a href="{% url 'a2-manager-authenticator-add' %}" rel="popup">{% trans "Add new authenticator" %}</a>

  </span>

{% endblock %}

{% block main %}

  {% for authenticator in object_list %}

    <div class="section {% if not authenticator.enabled %}disabled{% endif %}">

      <h3>{{ authenticator }}

        <a class="button" href="{% url 'a2-manager-authenticator-detail' pk=authenticator.pk %}">{% trans "Configure" %}</a>

      </h3>

      {% if authenticator.enabled and authenticator.get_short_description %}

        <div>

          <p>{{ authenticator.get_short_description }}</p>

        </div>

      {% endif %}

    </div>

  {% endfor %}

{% endblock %}

# authentic2 - versatile identity manager

# Copyright (C) 2010-2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.contrib import messages

from django.http import HttpResponseRedirect

from django.urls import reverse_lazy

from django.utils.translation import ugettext as _

from django.views.generic import CreateView, DeleteView, DetailView, UpdateView

from django.views.generic.list import ListView

from authentic2.apps.authenticators import forms

from authentic2.apps.authenticators.models import BaseAuthenticator

from authentic2.manager.views import MediaMixin, TitleMixin

class AuthenticatorsMixin(MediaMixin, TitleMixin):

    def get_queryset(self):

        return self.model.authenticators.all()

class AuthenticatorsView(AuthenticatorsMixin, ListView):

    template_name = 'authentic2/authenticators/authenticators.html'

    model = BaseAuthenticator

    title = _('Authenticators')

authenticators = AuthenticatorsView.as_view()

class AuthenticatorAddView(AuthenticatorsMixin, CreateView):

    template_name = 'authentic2/authenticators/authenticator_add_form.html'

    title = _('New authenticator')

    form_class = forms.AuthenticatorAddForm

add = AuthenticatorAddView.as_view()

class AuthenticatorDetailView(AuthenticatorsMixin, DetailView):

    template_name = 'authentic2/authenticators/authenticator_detail.html'

    model = BaseAuthenticator

    @property

    def title(self):

        return str(self.object)

detail = AuthenticatorDetailView.as_view()

class AuthenticatorEditView(AuthenticatorsMixin, UpdateView):

    template_name = 'authentic2/authenticators/authenticator_edit_form.html'

    title = _('Edit authenticator')

    model = BaseAuthenticator

    def get_form_class(self):

        return self.object.manager_form_class

edit = AuthenticatorEditView.as_view()

class AuthenticatorDeleteView(AuthenticatorsMixin, DeleteView):

    template_name = 'authentic2/authenticators/authenticator_delete_form.html'

    title = _('Delete authenticator')

    model = BaseAuthenticator

    success_url = reverse_lazy('a2-manager-authenticators')

delete = AuthenticatorDeleteView.as_view()

class AuthenticatorToggleView(DetailView):

    model = BaseAuthenticator

    def get(self, request, *args, **kwargs):

        authenticator = self.get_object()

        if authenticator.enabled:

            authenticator.enabled = False

            authenticator.save()

            message = _('Authenticator has been disabled.')

        else:

            authenticator.enabled = True

            authenticator.save()

            message = _('Authenticator has been enabled.')

        messages.info(self.request, message)

        return HttpResponseRedirect(authenticator.get_absolute_url())

toggle = AuthenticatorToggleView.as_view()

    def get_identifier(self):

        return self.id

import hashlib

from django.utils.text import slugify

class SlugMixin(forms.ModelForm):

    def save(self, commit=True):

        instance = self.instance

        if not instance.slug:

            instance.slug = slugify(str(instance.name)).lstrip('_')

            qs = instance.__class__.objects.all()

            if instance.pk:

                qs = qs.exclude(pk=instance.pk)

            new_slug = instance.slug

            i = 1

            while qs.filter(slug=new_slug).exists():

                new_slug = '%s-%d' % (instance.slug, i)

                i += 1

            instance.slug = new_slug

        if len(instance.slug) > 256:

            instance.slug = instance.slug[:252] + hashlib.md5(instance.slug).hexdigest()[:4]

        return super().save(commit=commit)

from authentic2.forms.mixins import SlugMixin

    <li><a href="{% url 'a2-manager-authenticators' %}">{% trans 'Authenticators' %}</a></li>

from authentic2.apps.authenticators.manager_urls import urlpatterns as authenticator_urlpatterns

urlpatterns += authenticator_urlpatterns

    'authentic2.apps.authenticators',

    if setting_name == 'AUTH_FRONTENDS':

        from authentic2.apps.authenticators.models import BaseAuthenticator

        backends = list(BaseAuthenticator.authenticators.filter(enabled=True))

        'id': authenticator.get_identifier(),

            fid = authenticator.get_identifier()

                if 'submit-%s' % frontend.get_identifier() in request.POST:

# authentic2 - versatile identity manager

# Copyright (C) 2010-2022 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from .utils import login, logout

def test_authenticators_authorization(app, simple_user, superuser):

    resp = login(app, simple_user)

    app.get('/manage/authenticators/', status=403)

    logout(app)

    resp = login(app, superuser, path='/manage/')

    assert 'Authenticators' in resp.text

    resp = resp.click('Authenticators')

    assert 'Authenticators' in resp.text