OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1758 Commits
13 Branches
0 Tags
45 MiB
Tree: 74fcce91ee
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '74fcce91ee'
${ noResults }
server-tools/auth_totp/models/res_users.py

92 lines
3.6 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
PR commit
7 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
PR commit
7 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from uuid import uuid4
  6. from odoo import _, api, fields, models
  7. from odoo.exceptions import ValidationError
  8. from odoo.http import request
  9. from ..controllers.main import JsonSecureCookie
  10. from ..exceptions import MfaLoginNeeded
  13. class ResUsers(models.Model):
  14. _inherit = 'res.users'
  16. @classmethod
  17. def _build_model(cls, pool, cr):
  18. ModelCls = super(ResUsers, cls)._build_model(pool, cr)
  19. ModelCls.SELF_WRITEABLE_FIELDS += ['mfa_enabled', 'authenticator_ids']
  20. return ModelCls
  22. mfa_enabled = fields.Boolean(string='MFA Enabled?')
  23. authenticator_ids = fields.One2many(
  24. comodel_name='res.users.authenticator',
  25. inverse_name='user_id',
  26. string='Authentication Apps/Devices',
  27. help='To delete an authentication app, remove it from this list. To'
  28. ' add a new authentication app, please use the button to the'
  29. ' right. If the button is not present, you do not have the'
  30. ' permissions to do this.',
  31. )
  32. trusted_device_cookie_key = fields.Char(
  33. compute='_compute_trusted_device_cookie_key',
  34. store=True,
  35. )
  37. @api.multi
  38. @api.depends('mfa_enabled')
  39. def _compute_trusted_device_cookie_key(self):
  40. for record in self:
  41. if record.mfa_enabled:
  42. record.trusted_device_cookie_key = uuid4()
  43. else:
  44. record.trusted_device_cookie_key = False
  46. @api.multi
  47. @api.constrains('mfa_enabled', 'authenticator_ids')
  48. def _check_enabled_with_authenticator(self):
  49. for record in self:
  50. if record.mfa_enabled and not record.authenticator_ids:
  51. raise ValidationError(_(
  52. 'You have MFA enabled but do not have any authentication'
  53. ' apps/devices set up. To keep from being locked out,'
  54. ' please add one before you activate this feature.'
  55. ))
  57. @api.model
  58. def check_credentials(self, password):
  59. """Add MFA logic to core authentication process.
  61. Overview:
  62. * If user does not have MFA enabled, defer to parent logic.
  63. * If user has MFA enabled and has gone through MFA login process
  64. this session or has correct device cookie, defer to parent logic.
  65. * If neither of these is true, call parent logic. If successful,
  66. prevent auth while updating session to indicate that MFA login
  67. process can now commence.
  68. """
  69. if not self.env.user.mfa_enabled:
  70. return super(ResUsers, self).check_credentials(password)
  72. if request:
  73. if request.session.get('mfa_login_active') == self.env.uid:
  74. return super(ResUsers, self).check_credentials(password)
  76. cookie_key = 'trusted_devices_%d' % self.env.uid
  77. device_cook = request.httprequest.cookies.get(cookie_key)
  78. if device_cook:
  79. secret = self.env.user.trusted_device_cookie_key
  80. device_cook = JsonSecureCookie.unserialize(device_cook, secret)
  81. if device_cook:
  82. return super(ResUsers, self).check_credentials(password)
  84. super(ResUsers, self).check_credentials(password)
  85. if request:
  86. request.session['mfa_login_needed'] = True
  87. raise MfaLoginNeeded
  89. @api.multi
  90. def validate_mfa_confirmation_code(self, confirmation_code):
  91. self.ensure_one()
  92. return self.authenticator_ids.validate_conf_code(confirmation_code)