You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

104 lines
4.4 KiB

  1. # -*- encoding: utf-8 -*-
  2. ##############################################################################
  3. #
  4. # Tracks Authentication Attempts and Prevents Brute-force Attacks module
  5. # Copyright (C) 2015-Today GRAP (http://www.grap.coop)
  6. # @author Sylvain LE GAL (https://twitter.com/legalsylvain)
  7. #
  8. # This program is free software: you can redistribute it and/or modify
  9. # it under the terms of the GNU Affero General Public License as
  10. # published by the Free Software Foundation, either version 3 of the
  11. # License, or (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU Affero General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU Affero General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. #
  21. ##############################################################################
  22. import logging
  23. from openerp import fields, http, registry, SUPERUSER_ID
  24. from openerp.http import request
  25. from openerp.addons.web.controllers.main import Home, ensure_db
  26. _logger = logging.getLogger(__name__)
  27. class LoginController(Home):
  28. @http.route()
  29. def web_login(self, redirect=None, **kw):
  30. if request.httprequest.method == 'POST':
  31. ensure_db()
  32. remote = request.httprequest.remote_addr
  33. # Get registry and cursor
  34. config_obj = registry(request.session.db)['ir.config_parameter']
  35. attempt_obj = registry(
  36. request.session.db)['res.authentication.attempt']
  37. banned_remote_obj = registry(
  38. request.session.db)['res.banned.remote']
  39. cursor = attempt_obj.pool.cursor()
  40. # Get Settings
  41. max_attempts_qty = int(config_obj.search_read(
  42. cursor, SUPERUSER_ID,
  43. [('key', '=', 'auth_brute_force.max_attempt_qty')],
  44. ['value'])[0]['value'])
  45. # Test if remote user is banned
  46. banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
  47. ('remote', '=', remote)])
  48. if banned:
  49. _logger.warning(
  50. "Authentication tried from remote '%s'. The request has"
  51. " been ignored because the remote has been banned after"
  52. " %d attempts without success. Login tried : '%s'." % (
  53. remote, max_attempts_qty, request.params['login']))
  54. request.params['password'] = ''
  55. else:
  56. # Try to authenticate
  57. result = request.session.authenticate(
  58. request.session.db, request.params['login'],
  59. request.params['password'])
  60. # Log attempt
  61. cursor.commit()
  62. attempt_obj.create(cursor, SUPERUSER_ID, {
  63. 'attempt_date': fields.Datetime.now(),
  64. 'login': request.params['login'],
  65. 'remote': remote,
  66. 'result': banned and 'banned' or (
  67. result and 'successfull' or 'failed'),
  68. })
  69. cursor.commit()
  70. if not banned and not result:
  71. # Get last bad attempts quantity
  72. attempts_qty = len(attempt_obj.search_last_failed(
  73. cursor, SUPERUSER_ID, remote))
  74. if max_attempts_qty <= attempts_qty:
  75. # We ban the remote
  76. _logger.warning(
  77. "Authentication failed from remote '%s'. "
  78. "The remote has been banned. Login tried : '%s'." % (
  79. remote, request.params['login']))
  80. banned_remote_obj.create(cursor, SUPERUSER_ID, {
  81. 'remote': remote,
  82. 'ban_date': fields.Datetime.now(),
  83. })
  84. cursor.commit()
  85. else:
  86. _logger.warning(
  87. "Authentication failed from remote '%s'."
  88. " Login tried : '%s'. Attempt %d / %d." % (
  89. remote, request.params['login'], attempts_qty,
  90. max_attempts_qty))
  91. cursor.close()
  92. return super(LoginController, self).web_login(redirect=redirect, **kw)