You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

239 lines
7.7 KiB

  1. .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
  2. :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
  3. :alt: License: AGPL-3
  4. ================
  5. Keychain Account
  6. ================
  7. This module allows you to store credentials of external systems.
  8. * All the crendentials are stored in one place: easier to manage and to audit.
  9. * Multi-account made possible without effort.
  10. * Store additionnal data for each account.
  11. * Validation rules for additional data.
  12. * Have different account for different environments (prod / test / env / etc).
  13. By default, passwords are encrypted with a key stored in Odoo config.
  14. It's far from an ideal password storage setup, but it's way better
  15. than password in clear text in the database.
  16. It can be easily replaced by another system. See "Security" chapter below.
  17. Accounts may be: market places (Amazon, Cdiscount, ...), carriers (Laposte, UPS, ...)
  18. or any third party system called from Odoo.
  19. This module is aimed for developers.
  20. The logic to choose between accounts will be achieved in dependent modules.
  21. ==========
  22. Uses cases
  23. ==========
  24. Possible use case for deliveries: you need multiple accounts for the same carrier.
  25. It can be for instance due to carrier restrictions (immutable sender address),
  26. or business rules (each warehouse use a different account).
  27. Configuration
  28. =============
  29. After the installation of this module, you need to add some entries
  30. in Odoo's config file: (etc/openerp.cfg)
  31. > keychain_key = fyeMIx9XVPBBky5XZeLDxVc9dFKy7Uzas3AoyMarHPA=
  32. You can generate keys with `python -c 'from cryptography.fernet import Fernet; print Fernet.generate_key()'`.
  33. This key is used to encrypt account passwords.
  34. If you plan to use environments, you should add a key per environment:
  35. > keychain_key_dev = 8H_qFvwhxv6EeO9bZ8ww7BUymNt3xtQKYEq9rjAPtrc=
  36. > keychain_key_prod = y5z-ETtXkVI_ADoFEZ5CHLvrNjwOPxsx-htSVbDbmRc=
  37. keychain_key is used for encryption when no environment is set.
  38. Usage (for module dev)
  39. ======================
  40. * Add this keychain as a dependency in __openerp__.py
  41. * Subclass `keychain.account` and add your module in namespaces: `(see after for the name of namespace )`
  42. .. code:: python
  43. class LaposteAccount(models.Model):
  44. _inherit = 'keychain.account'
  45. namespace = fields.Selection(
  46. selection_add=[('roulier_laposte', 'Laposte')])
  47. * Add the default data (as dict):
  48. .. code:: python
  49. class LaposteAccount(models.Model):
  50. # ...
  51. def _roulier_laposte_init_data(self):
  52. return {
  53. "agencyCode": "",
  54. "recommandationLevel": "R1"
  55. }
  56. * Implement validation of user entered data:
  57. .. code:: python
  58. class LaposteAccount(models.Model):
  59. # ...
  60. def _roulier_laposte_validate_data(self, data):
  61. return len(data.get("agencyCode") > 3)
  62. * In your code, fetch the account:
  63. .. code:: python
  64. import random
  65. def _get_auth(self):
  66. keychain = self.env['keychain.account']
  67. if self.env.user.has_group('stock.group_stock_user'):
  68. retrieve = keychain.suspend_security().retrieve
  69. else:
  70. retrieve = keychain.retrieve
  71. accounts = retrieve(
  72. [['namespace', '=', 'roulier_laposte']])
  73. account = random.choice(accounts)
  74. return {
  75. 'login': account.login,
  76. 'password': account.get_password()
  77. }
  78. In this example, an account is randomly picked. Usually this is set according
  79. to rules specific for each client.
  80. You have to restrict user access of your methods with suspend_security().
  81. Warning: _init_data and _validate_data should be prefixed with your namespace!
  82. Choose python naming function compatible name.
  83. Switching from prod to dev
  84. ==========================
  85. You may adopt one of the following strategies:
  86. * store your dev accounts in production db using the dev key
  87. * import your dev accounts with Odoo builtin methods like a data.xml (in a dedicated module).
  88. * import your dev accounts with your own migration/cleanup script
  89. * etc.
  90. Note: only the password field is unreadable without the proper key, login and data fields
  91. are available on all environments.
  92. You may also use a same `technical_name` and different `environment` for choosing at runtime
  93. between accounts.
  94. Usage (for user)
  95. ================
  96. Go to *settings / keychain*, create a record with the following
  97. * Namespace: type of account (ie: Laposte)
  98. * Name: human readable label "Warehouse 1"
  99. * Technical Name: name used by a consumer module (like "warehouse_1")
  100. * Login: login of the account
  101. * Password_clear: For entering the password in clear text (not stored unencrypted)
  102. * Password: password encrypted, unreadable without the key (in config)
  103. * Data: a JSON string for additionnal values (additionnal config for the account, like: `{"agencyCode": "Lyon", "insuranceLevel": "R1"})`
  104. * Environment: usually prod or dev or blank (for all)
  105. .. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
  106. :alt: Try me on Runbot
  107. :target: https://runbot.odoo-community.org/runbot/server-tools/9.0
  108. Known issues / Roadmap
  109. ======================
  110. - Account inheritence is not supported out-of-the-box (like defining common settings for all environments)
  111. - Key expiration or rotation should be done manually
  112. - Import passwords from data.xml
  113. Security
  114. ========
  115. This discussion: https://github.com/OCA/server-tools/pull/644 may help you decide if this module is suitable for your needs or not.
  116. Common sense: Odoo is not a safe place for storing sensitive data.
  117. But sometimes you don't have any other possibilities.
  118. This module is designed to store credentials of data like carrier account, smtp, api keys...
  119. but definitively not for credits cards number, medical records, etc.
  120. By default, passwords are stored encrypted in the db using
  121. symetric encryption `Fernet <https://cryptography.io/en/latest/fernet/>`_.
  122. The encryption key is stored in openerp.tools.config.
  123. Threats even with this module installed:
  124. - unauthorized Odoo user want to access data: access is rejected by Odoo security rules
  125. - authorized Odoo user try to access data with rpc api: he gets the passwords encrypted, he can't recover because the key and the decrypted password are not exposed through rpc
  126. - db is stolen: without the key it's currently pretty hard to recover the passwords
  127. - Odoo is compromised (malicious module or vulnerability): hacker has access to python and can do what he wants with Odoo: passwords of the current env can be easily decrypted
  128. - server is compromised: idem
  129. If your dev server is compromised, hacker can't decrypt your prod passwords
  130. since you have different keys between dev and prod.
  131. If you want something more secure: don't store any sensitive data in Odoo,
  132. use an external system as a proxy, you can still use this module
  133. for storing all other data related to your accounts.
  134. Bug Tracker
  135. ===========
  136. Bugs are tracked on `GitHub Issues
  137. <https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
  138. check there if your issue has already been reported. If you spotted it first,
  139. help us smashing it by providing a detailed and welcomed feedback.
  140. Credits
  141. =======
  142. * `Akretion <https://akretion.com>`_
  143. Contributors
  144. ------------
  145. * Raphaël Reverdy <raphael.reverdy@akretion.com>
  146. Funders
  147. -------
  148. The development of this module has been financially supported by:
  149. * Akretion
  150. Maintainer
  151. ----------
  152. .. image:: https://odoo-community.org/logo.png
  153. :alt: Odoo Community Association
  154. :target: https://odoo-community.org
  155. This module is maintained by the OCA.
  156. OCA, or the Odoo Community Association, is a nonprofit organization whose
  157. mission is to support the collaborative development of Odoo features and
  158. promote its widespread use.
  159. To contribute to this module, please visit https://odoo-community.org.