OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1690 Commits
13 Branches
0 Tags
45 MiB
Tree: 57417fb7d2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57417fb7d2'
${ noResults }
server-tools/auth_brute_force/tests/test_brute_force.py

396 lines
14 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. from threading import current_thread
  6. from urllib import urlencode
  8. from decorator import decorator
  9. from mock import patch
  10. from werkzeug.utils import redirect
  12. from openerp import http
  13. from openerp.tests.common import at_install, HttpCase, post_install
  14. from openerp.tools import mute_logger
  15. from openerp.modules.registry import RegistryManager
  17. from ..models import res_authentication_attempt, res_users
  20. GARBAGE_LOGGERS = (
  21. "werkzeug",
  22. res_authentication_attempt.__name__,
  23. res_users.__name__,
  24. )
  27. # HACK https://github.com/odoo/odoo/pull/24833
  28. def skip_unless_addons_installed(*addons):
  29. """Decorator to skip a test unless some addons are installed.
  31. :param *str addons:
  32. Addon names that should be installed.
  34. :param reason:
  35. Explain why you must skip this test.
  36. """
  38. @decorator
  39. def _wrapper(method, self, *args, **kwargs):
  40. installed = self.addons_installed(*addons)
  41. if not installed:
  42. missing = set(addons) - installed
  43. self.skipTest("Required addons not installed: %s" %
  44. ",".join(sorted(missing)))
  45. return method(self, *args, **kwargs)
  47. return _wrapper
  50. @at_install(False)
  51. @post_install(True)
  52. # Skip CSRF validation on tests
  53. @patch(http.__name__ + ".WebRequest.validate_csrf", return_value=True)
  54. # Skip specific browser forgery on redirections
  55. @patch(http.__name__ + ".redirect_with_hash", side_effect=redirect)
  56. # Faster tests without calls to geolocation API
  57. @patch(res_authentication_attempt.__name__ + ".urlopen", return_value="")
  58. class BruteForceCase(HttpCase):
  59. def setUp(self):
  60. super(BruteForceCase, self).setUp()
  61. # Some tests could retain environ from last test and produce fake
  62. # results without this patch
  63. # HACK https://github.com/odoo/odoo/issues/24183
  64. # TODO Remove in v12
  65. try:
  66. del current_thread().environ
  67. except AttributeError:
  68. pass
  69. # Complex password to avoid conflicts with `password_security`
  70. self.good_password = "Admin$%02584"
  71. self.data_demo = {
  72. "login": "demo",
  73. "password": "Demo%&/(908409**",
  74. }
  75. with self.cursor() as cr:
  76. env = self.env(cr)
  77. env["ir.config_parameter"].set_param(
  78. "auth_brute_force.max_by_ip_user", 3)
  79. env["ir.config_parameter"].set_param(
  80. "auth_brute_force.max_by_ip", 4)
  81. # Clean attempts to be able to count in tests
  82. env["res.authentication.attempt"].search([]).unlink()
  83. # Make sure involved users have good passwords
  84. env.user.password = self.good_password
  85. env["res.users"].search([
  86. ("login", "=", self.data_demo["login"]),
  87. ]).password = self.data_demo["password"]
  89. # HACK https://github.com/odoo/odoo/pull/24833
  90. def addons_installed(self, *addons):
  91. """Know if the specified addons are installed."""
  92. found = self.env["ir.module.module"].search([
  93. ("name", "in", addons),
  94. ("state", "not in", ["uninstalled", "uninstallable"]),
  95. ])
  96. return set(addons) - set(found.mapped("name"))
  98. @skip_unless_addons_installed("web")
  99. @mute_logger(*GARBAGE_LOGGERS)
  100. def test_web_login_existing(self, *args):
  101. """Remote is banned with real user on web login form."""
  102. data1 = {
  103. "login": "admin",
  104. "password": "1234", # Wrong
  105. }
  106. # Make sure user is logged out
  107. self.url_open("/web/session/logout", timeout=30)
  108. # Fail 3 times
  109. for n in range(3):
  110. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  111. # If you fail, you get /web/login again
  112. self.assertTrue(
  113. response.geturl().endswith("/web/login"),
  114. "Unexpected URL %s" % response.geturl(),
  115. )
  116. # Admin banned, demo not
  117. with self.cursor() as cr:
  118. env = self.env(cr)
  119. self.assertFalse(
  120. env["res.authentication.attempt"]._trusted(
  121. "127.0.0.1",
  122. data1["login"],
  123. ),
  124. )
  125. self.assertTrue(
  126. env["res.authentication.attempt"]._trusted(
  127. "127.0.0.1",
  128. "demo",
  129. ),
  130. )
  131. # Now I know the password, but login is rejected too
  132. data1["password"] = self.good_password
  133. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  134. self.assertTrue(
  135. response.geturl().endswith("/web/login"),
  136. "Unexpected URL %s" % response.geturl(),
  137. )
  138. # IP has been banned, demo user cannot login
  139. with self.cursor() as cr:
  140. env = self.env(cr)
  141. self.assertFalse(
  142. env["res.authentication.attempt"]._trusted(
  143. "127.0.0.1",
  144. "demo",
  145. ),
  146. )
  147. # Attempts recorded
  148. with self.cursor() as cr:
  149. env = self.env(cr)
  150. failed = env["res.authentication.attempt"].search([
  151. ("result", "=", "failed"),
  152. ("login", "=", data1["login"]),
  153. ("remote", "=", "127.0.0.1"),
  154. ])
  155. self.assertEqual(len(failed), 3)
  156. banned = env["res.authentication.attempt"].search([
  157. ("result", "=", "banned"),
  158. ("remote", "=", "127.0.0.1"),
  159. ])
  160. self.assertEqual(len(banned), 1)
  161. # Unban
  162. banned.action_whitelist_add()
  163. # Try good login, it should work now
  164. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  165. self.assertTrue(response.geturl().endswith("/web"))
  167. @skip_unless_addons_installed("web")
  168. @mute_logger(*GARBAGE_LOGGERS)
  169. def test_web_login_unexisting(self, *args):
  170. """Remote is banned with fake user on web login form."""
  171. data1 = {
  172. "login": "administrator", # Wrong
  173. "password": self.good_password,
  174. }
  175. # Make sure user is logged out
  176. self.url_open("/web/session/logout", timeout=30)
  177. # Fail 3 times
  178. for n in range(3):
  179. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  180. # If you fail, you get /web/login again
  181. self.assertTrue(
  182. response.geturl().endswith("/web/login"),
  183. "Unexpected URL %s" % response.geturl(),
  184. )
  185. # Admin banned, demo not
  186. with self.cursor() as cr:
  187. env = self.env(cr)
  188. self.assertFalse(
  189. env["res.authentication.attempt"]._trusted(
  190. "127.0.0.1",
  191. data1["login"],
  192. ),
  193. )
  194. self.assertTrue(
  195. env["res.authentication.attempt"]._trusted(
  196. "127.0.0.1",
  197. self.data_demo["login"],
  198. ),
  199. )
  200. # Demo user can login
  201. response = self.url_open(
  202. "/web/login",
  203. bytes(urlencode(self.data_demo)),
  204. 30,
  205. )
  206. # If you pass, you get /web
  207. self.assertTrue(
  208. response.geturl().endswith("/web"),
  209. "Unexpected URL %s" % response.geturl(),
  210. )
  211. self.url_open("/web/session/logout", timeout=30)
  212. # Attempts recorded
  213. with self.cursor() as cr:
  214. env = self.env(cr)
  215. failed = env["res.authentication.attempt"].search([
  216. ("result", "=", "failed"),
  217. ("login", "=", data1["login"]),
  218. ("remote", "=", "127.0.0.1"),
  219. ])
  220. self.assertEqual(len(failed), 3)
  221. banned = env["res.authentication.attempt"].search([
  222. ("result", "=", "banned"),
  223. ("login", "=", data1["login"]),
  224. ("remote", "=", "127.0.0.1"),
  225. ])
  226. self.assertEqual(len(banned), 0)
  228. @mute_logger(*GARBAGE_LOGGERS)
  229. def test_xmlrpc_login_existing(self, *args):
  230. """Remote is banned with real user on XML-RPC login."""
  231. data1 = {
  232. "login": "admin",
  233. "password": "1234", # Wrong
  234. }
  235. # Fail 3 times
  236. for n in range(3):
  237. self.assertFalse(self.xmlrpc_common.authenticate(
  238. self.env.cr.dbname, data1["login"], data1["password"], {}))
  239. # Admin banned, demo not
  240. with self.cursor() as cr:
  241. env = self.env(cr)
  242. self.assertFalse(
  243. env["res.authentication.attempt"]._trusted(
  244. "127.0.0.1",
  245. data1["login"],
  246. ),
  247. )
  248. self.assertTrue(
  249. env["res.authentication.attempt"]._trusted(
  250. "127.0.0.1",
  251. "demo",
  252. ),
  253. )
  254. # Now I know the password, but login is rejected too
  255. data1["password"] = self.good_password
  256. self.assertFalse(self.xmlrpc_common.authenticate(
  257. self.env.cr.dbname, data1["login"], data1["password"], {}))
  258. # IP has been banned, demo user cannot login
  259. with self.cursor() as cr:
  260. env = self.env(cr)
  261. self.assertFalse(
  262. env["res.authentication.attempt"]._trusted(
  263. "127.0.0.1",
  264. "demo",
  265. ),
  266. )
  267. # Attempts recorded
  268. with self.cursor() as cr:
  269. env = self.env(cr)
  270. failed = env["res.authentication.attempt"].search([
  271. ("result", "=", "failed"),
  272. ("login", "=", data1["login"]),
  273. ("remote", "=", "127.0.0.1"),
  274. ])
  275. self.assertEqual(len(failed), 3)
  276. banned = env["res.authentication.attempt"].search([
  277. ("result", "=", "banned"),
  278. ("remote", "=", "127.0.0.1"),
  279. ])
  280. self.assertEqual(len(banned), 1)
  281. # Unban
  282. banned.action_whitelist_add()
  283. # Try good login, it should work now
  284. self.assertTrue(self.xmlrpc_common.authenticate(
  285. self.env.cr.dbname, data1["login"], data1["password"], {}))
  287. @mute_logger(*GARBAGE_LOGGERS)
  288. def test_xmlrpc_login_unexisting(self, *args):
  289. """Remote is banned with fake user on XML-RPC login."""
  290. data1 = {
  291. "login": "administrator", # Wrong
  292. "password": self.good_password,
  293. }
  294. # Fail 3 times
  295. for n in range(3):
  296. self.assertFalse(self.xmlrpc_common.authenticate(
  297. self.env.cr.dbname, data1["login"], data1["password"], {}))
  298. # Admin banned, demo not
  299. with self.cursor() as cr:
  300. env = self.env(cr)
  301. self.assertFalse(
  302. env["res.authentication.attempt"]._trusted(
  303. "127.0.0.1",
  304. data1["login"],
  305. ),
  306. )
  307. self.assertTrue(
  308. env["res.authentication.attempt"]._trusted(
  309. "127.0.0.1",
  310. self.data_demo["login"],
  311. ),
  312. )
  313. # Demo user can login
  314. self.assertTrue(self.xmlrpc_common.authenticate(
  315. self.env.cr.dbname,
  316. self.data_demo["login"],
  317. self.data_demo["password"],
  318. {},
  319. ))
  320. # Attempts recorded
  321. with self.cursor() as cr:
  322. env = self.env(cr)
  323. failed = env["res.authentication.attempt"].search([
  324. ("result", "=", "failed"),
  325. ("login", "=", data1["login"]),
  326. ("remote", "=", "127.0.0.1"),
  327. ])
  328. self.assertEqual(len(failed), 3)
  329. banned = env["res.authentication.attempt"].search([
  330. ("result", "=", "banned"),
  331. ("login", "=", data1["login"]),
  332. ("remote", "=", "127.0.0.1"),
  333. ])
  334. self.assertEqual(len(banned), 0)
  336. @mute_logger(*GARBAGE_LOGGERS)
  337. def test_orm_login_existing(self, *args):
  338. """No bans on ORM login with an existing user."""
  339. data1 = {
  340. "login": "admin",
  341. "password": "1234", # Wrong
  342. }
  343. with self.cursor() as cr:
  344. env = self.env(cr)
  345. pool = RegistryManager.get(cr.dbname)
  346. # Fail 3 times
  347. for n in range(3):
  348. self.assertFalse(
  349. pool["res.users"].authenticate(
  350. cr.dbname, data1["login"], data1["password"], {}))
  351. self.assertEqual(
  352. env["res.authentication.attempt"].search(count=True, args=[]),
  353. 0,
  354. )
  355. self.assertTrue(
  356. env["res.authentication.attempt"]._trusted(
  357. "127.0.0.1",
  358. data1["login"],
  359. ),
  360. )
  361. # Now I know the password, and login works
  362. data1["password"] = self.good_password
  363. self.assertTrue(
  364. pool["res.users"].authenticate(
  365. cr.dbname, data1["login"], data1["password"], {}))
  367. @mute_logger(*GARBAGE_LOGGERS)
  368. def test_orm_login_unexisting(self, *args):
  369. """No bans on ORM login with an unexisting user."""
  370. data1 = {
  371. "login": "administrator", # Wrong
  372. "password": self.good_password,
  373. }
  374. with self.cursor() as cr:
  375. pool = RegistryManager.get(cr.dbname)
  376. env = self.env(cr)
  377. # Fail 3 times
  378. for n in range(3):
  379. self.assertFalse(
  380. pool["res.users"].authenticate(
  381. cr.dbname, data1["login"], data1["password"], {}))
  382. self.assertEqual(
  383. env["res.authentication.attempt"].search(count=True, args=[]),
  384. 0,
  385. )
  386. self.assertTrue(
  387. env["res.authentication.attempt"]._trusted(
  388. "127.0.0.1",
  389. data1["login"],
  390. ),
  391. )
  392. # Now I know the user, and login works
  393. data1["login"] = "admin"
  394. self.assertTrue(
  395. pool["res.users"].authenticate(
  396. cr.dbname, data1["login"], data1["password"], {}))