OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1428 Commits
13 Branches
0 Tags
45 MiB
Tree: 0579f3b058
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0579f3b058'
${ noResults }
server-tools/auth_totp/controllers/main.py

155 lines
6.3 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import json
  7. from werkzeug.contrib.securecookie import SecureCookie
  8. from openerp import _, http, registry, SUPERUSER_ID
  9. from openerp.api import Environment
  10. from openerp.http import Response, request
  11. from openerp.addons.web.controllers.main import Home
  12. from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError
  15. class JsonSecureCookie(SecureCookie):
  16. serialization_method = json
  19. class AuthTotp(Home):
  21. @http.route()
  22. def web_login(self, *args, **kwargs):
  23. """Add MFA logic to the web_login action in Home
  25. Overview:
  26. * Call web_login in Home
  27. * Return the result of that call if the user has not logged in yet
  28. using a password, does not have MFA enabled, or has a valid
  29. trusted device cookie
  30. * If none of these is true, generate a new MFA login token for the
  31. user, log the user out, and redirect to the MFA login form
  32. """
  34. # sudo() is required because there may be no request.env.uid (likely
  35. # since there may be no user logged in at the start of the request)
  36. user_model_sudo = request.env['res.users'].sudo()
  37. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  39. response = super(AuthTotp, self).web_login(*args, **kwargs)
  41. if not request.params.get('login_success'):
  42. return response
  44. user = user_model_sudo.browse(request.uid)
  45. if not user.mfa_enabled:
  46. return response
  48. cookie_key = 'trusted_devices_%d' % user.id
  49. device_cookie = request.httprequest.cookies.get(cookie_key)
  50. if device_cookie:
  51. secret = config_model_sudo.get_param('database.secret')
  52. device_cookie = JsonSecureCookie.unserialize(device_cookie, secret)
  53. if device_cookie.get('device_id') in user.trusted_device_ids.ids:
  54. return response
  56. user.generate_mfa_login_token()
  57. request.session.logout(keep_db=True)
  58. return http.local_redirect(
  59. '/auth_totp/login',
  60. query={
  61. 'mfa_login_token': user.mfa_login_token,
  62. 'redirect': request.params.get('redirect'),
  63. },
  64. keep_hash=True,
  65. )
  67. @http.route('/auth_totp/login', type='http', auth='none', methods=['GET'])
  68. def mfa_login_get(self, *args, **kwargs):
  69. return request.render('auth_totp.mfa_login', qcontext=request.params)
  71. @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
  72. def mfa_login_post(self, *args, **kwargs):
  73. """Process MFA login attempt
  75. Overview:
  76. * Try to find a user based on the MFA login token. If this doesn't
  77. work, redirect to the password login page with an error message
  78. * Validate the confirmation code provided by the user. If it's not
  79. valid, redirect to the previous login step with an error message
  80. * Generate a long-term MFA login token for the user and log the
  81. user in using the token
  82. * Build a trusted device cookie and add it to the response if the
  83. trusted device option was checked
  84. * Redirect to the provided URL or to '/web' if one was not given
  85. """
  87. # sudo() is required because there is no request.env.uid (likely since
  88. # there is no user logged in at the start of the request)
  89. user_model_sudo = request.env['res.users'].sudo()
  90. device_model_sudo = user_model_sudo.env['res.users.device']
  91. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  93. token = request.params.get('mfa_login_token')
  94. try:
  95. user = user_model_sudo.user_from_mfa_login_token(token)
  96. except (MfaTokenInvalidError, MfaTokenExpiredError) as exception:
  97. return http.local_redirect(
  98. '/web/login',
  99. query={
  100. 'redirect': request.params.get('redirect'),
  101. 'error': exception.message,
  102. },
  103. keep_hash=True,
  104. )
  106. confirmation_code = request.params.get('confirmation_code')
  107. if not user.validate_mfa_confirmation_code(confirmation_code):
  108. return http.local_redirect(
  109. '/auth_totp/login',
  110. query={
  111. 'redirect': request.params.get('redirect'),
  112. 'error': _(
  113. 'Your confirmation code is not correct. Please try'
  114. ' again.'
  115. ),
  116. 'mfa_login_token': token,
  117. },
  118. keep_hash=True,
  119. )
  121. # These context managers trigger a safe commit, which persists the
  122. # changes right away and is needed for the auth call
  123. with Environment.manage():
  124. with registry(request.db).cursor() as temp_cr:
  125. temp_env = Environment(temp_cr, SUPERUSER_ID, request.context)
  126. temp_user = temp_env['res.users'].browse(user.id)
  127. temp_user.generate_mfa_login_token(60 * 24 * 30)
  128. token = temp_user.mfa_login_token
  129. request.session.authenticate(request.db, user.login, token, user.id)
  131. redirect = request.params.get('redirect')
  132. if not redirect:
  133. redirect = '/web'
  134. response = Response(http.redirect_with_hash(redirect))
  136. if request.params.get('remember_device'):
  137. device = device_model_sudo.create({'user_id': user.id})
  138. secret = config_model_sudo.get_param('database.secret')
  139. device_cookie = JsonSecureCookie({'device_id': device.id}, secret)
  140. cookie_lifetime = timedelta(days=30)
  141. cookie_exp = datetime.utcnow() + cookie_lifetime
  142. device_cookie = device_cookie.serialize(cookie_exp)
  143. cookie_key = 'trusted_devices_%d' % user.id
  144. sec_config = config_model_sudo.get_param('auth_totp.secure_cookie')
  145. security_flag = sec_config != '0'
  146. response.set_cookie(
  147. cookie_key,
  148. device_cookie,
  149. max_age=cookie_lifetime.total_seconds(),
  150. expires=cookie_exp,
  151. httponly=True,
  152. secure=security_flag,
  153. )
  155. return response