OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2238 Commits
13 Branches
0 Tags
45 MiB
Tree: 0840bbe092
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0840bbe092'
${ noResults }
server-tools/auth_brute_force/models/res_users.py

150 lines
5.3 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. import logging
  6. from contextlib import contextmanager
  7. from threading import current_thread
  8. from odoo import api, models, SUPERUSER_ID
  9. from odoo.exceptions import AccessDenied
  10. from odoo.service import wsgi_server
  12. _logger = logging.getLogger(__name__)
  15. class ResUsers(models.Model):
  16. _inherit = "res.users"
  18. # HACK https://github.com/odoo/odoo/issues/24183
  19. # TODO Remove in v12, and use normal odoo.http.request to get details
  20. @api.model_cr
  21. def _register_hook(self):
  22. """🐒-patch XML-RPC controller to know remote address."""
  23. original_fn = wsgi_server.application_unproxied
  25. def _patch(environ, start_response):
  26. current_thread().environ = environ
  27. return original_fn(environ, start_response)
  29. wsgi_server.application_unproxied = _patch
  31. # Helpers to track authentication attempts
  32. @classmethod
  33. @contextmanager
  34. def _auth_attempt(cls, login):
  35. """Start an authentication attempt and track its state."""
  36. try:
  37. # Check if this call is nested
  38. attempt_id = current_thread().auth_attempt_id
  39. except AttributeError:
  40. # Not nested; create a new attempt
  41. attempt_id = cls._auth_attempt_new(login)
  42. if not attempt_id:
  43. # No attempt was created, so there's nothing to do here
  44. yield
  45. return
  46. try:
  47. current_thread().auth_attempt_id = attempt_id
  48. result = "successful"
  49. try:
  50. yield
  51. except AccessDenied as error:
  52. result = getattr(error, "reason", "failed")
  53. raise
  54. finally:
  55. cls._auth_attempt_update({"result": result})
  56. finally:
  57. try:
  58. del current_thread().auth_attempt_id
  59. except AttributeError:
  60. pass # It was deleted already
  62. @classmethod
  63. def _auth_attempt_force_raise(cls, login, method):
  64. """Force a method to raise an AccessDenied on falsey return."""
  65. try:
  66. with cls._auth_attempt(login):
  67. result = method()
  68. if not result:
  69. # Force exception to record auth failure
  70. raise AccessDenied()
  71. except AccessDenied:
  72. pass # `_auth_attempt()` did the hard part already
  73. return result
  75. @classmethod
  76. def _auth_attempt_new(cls, login):
  77. """Store one authentication attempt, not knowing the result."""
  78. # Get the right remote address
  79. try:
  80. remote_addr = current_thread().environ["REMOTE_ADDR"]
  81. except (KeyError, AttributeError):
  82. remote_addr = False
  83. # Exit if it doesn't make sense to store this attempt
  84. if not remote_addr:
  85. return False
  86. # Use a separate cursor to keep changes always
  87. with cls.pool.cursor() as cr:
  88. env = api.Environment(cr, SUPERUSER_ID, {})
  89. attempt = env["res.authentication.attempt"].create({
  90. "login": login,
  91. "remote": remote_addr,
  92. })
  93. return attempt.id
  95. @classmethod
  96. def _auth_attempt_update(cls, values):
  97. """Update a given auth attempt if we still ignore its result."""
  98. auth_id = getattr(current_thread(), "auth_attempt_id", False)
  99. if not auth_id:
  100. return {} # No running auth attempt; nothing to do
  101. # Use a separate cursor to keep changes always
  102. with cls.pool.cursor() as cr:
  103. env = api.Environment(cr, SUPERUSER_ID, {})
  104. attempt = env["res.authentication.attempt"].browse(auth_id)
  105. # Update only on 1st call
  106. if not attempt.result:
  107. attempt.write(values)
  108. return attempt.copy_data()[0] if attempt else {}
  110. # Override all auth-related core methods
  111. @classmethod
  112. def _login(cls, db, login, password):
  113. return cls._auth_attempt_force_raise(
  114. login,
  115. lambda: super(ResUsers, cls)._login(db, login, password),
  116. )
  118. @classmethod
  119. def authenticate(cls, db, login, password, user_agent_env):
  120. return cls._auth_attempt_force_raise(
  121. login,
  122. lambda: super(ResUsers, cls).authenticate(
  123. db, login, password, user_agent_env),
  124. )
  126. @api.model
  127. def check_credentials(self, password):
  128. """This is the most important and specific auth check method.
  130. When we get here, it means that Odoo already checked the user exists
  131. in this database.
  133. Other auth methods usually plug here.
  134. """
  135. login = self.env.user.login
  136. with self._auth_attempt(login):
  137. # Update login, just in case we stored the UID before
  138. attempt = self._auth_attempt_update({"login": login})
  139. remote = attempt.get("remote")
  140. # Fail if the remote is banned
  141. trusted = self.env["res.authentication.attempt"]._trusted(
  142. remote,
  143. login,
  144. )
  145. if not trusted:
  146. error = AccessDenied()
  147. error.reason = "banned"
  148. raise error
  149. # Continue with other auth systems
  150. return super(ResUsers, self).check_credentials(password)