OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2179 Commits
13 Branches
0 Tags
45 MiB
Tree: 7b33aca2fa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b33aca2fa'
${ noResults }
server-tools/auth_brute_force/tests/test_brute_force.py

456 lines
16 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[RFR] Contextmanager
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[RFR] Contextmanager
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[RFR] Contextmanager
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[RFR] Contextmanager
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
[RFR] Contextmanager
6 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
6 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. from threading import current_thread
  6. from urllib import urlencode
  8. from decorator import decorator
  9. from mock import patch
  10. from werkzeug.utils import redirect
  12. from odoo import http
  13. from odoo.tests.common import at_install, HttpCase, post_install
  14. from odoo.tools import mute_logger
  16. from ..models import res_authentication_attempt, res_users
  19. GARBAGE_LOGGERS = (
  20. "werkzeug",
  21. res_authentication_attempt.__name__,
  22. res_users.__name__,
  23. )
  26. # HACK https://github.com/odoo/odoo/pull/24833
  27. def skip_unless_addons_installed(*addons):
  28. """Decorator to skip a test unless some addons are installed.
  30. :param *str addons:
  31. Addon names that should be installed.
  33. :param reason:
  34. Explain why you must skip this test.
  35. """
  37. @decorator
  38. def _wrapper(method, self, *args, **kwargs):
  39. installed = self.addons_installed(*addons)
  40. if not installed:
  41. missing = set(addons) - installed
  42. self.skipTest("Required addons not installed: %s" %
  43. ",".join(sorted(missing)))
  44. return method(self, *args, **kwargs)
  46. return _wrapper
  49. def patch_cursor(func):
  50. """ Decorator that patches the current TestCursor for nested savepoint
  51. support """
  52. def acquire(cursor):
  53. cursor._depth += 1
  54. cursor._lock.acquire()
  55. cursor.execute("SAVEPOINT test_cursor%d" % cursor._depth)
  57. def release(cursor):
  58. cursor.execute("RELEASE SAVEPOINT test_cursor%d" % cursor._depth)
  59. cursor._depth -= 1
  60. cursor._lock.release()
  62. def close(cursor):
  63. cursor.release()
  65. def commit(cursor):
  66. cursor.execute("RELEASE SAVEPOINT test_cursor%d" % cursor._depth)
  67. cursor.execute("SAVEPOINT test_cursor%d" % cursor._depth)
  69. def rollback(cursor):
  70. cursor.execute(
  71. "ROLLBACK TO SAVEPOINT test_cursor%d" % cursor._depth)
  72. cursor.execute("SAVEPOINT test_cursor%d" % cursor._depth)
  74. def wrap(func, *args):
  76. def wrapped_function(self, *args):
  77. with self.cursor() as cursor:
  78. cursor.execute("SAVEPOINT test_cursor0")
  79. cursor._depth = 1
  80. cursor.execute("SAVEPOINT test_cursor%d" % cursor._depth)
  82. cursor.__acquire = cursor.acquire
  83. cursor.__release = cursor.release
  84. cursor.__commit = cursor.commit
  85. cursor.__rollback = cursor.rollback
  86. cursor.__close = cursor.close
  87. cursor.acquire = lambda: acquire(cursor)
  88. cursor.release = lambda: release(cursor)
  89. cursor.commit = lambda: commit(cursor)
  90. cursor.rollback = lambda: rollback(cursor)
  91. cursor.close = lambda: close(cursor)
  93. try:
  94. func(self, *args)
  95. finally:
  96. with self.cursor() as cursor:
  97. cursor.acquire = cursor.__acquire
  98. cursor.release = cursor.__release
  99. cursor.commit = cursor.__commit
  100. cursor.rollback = cursor.__rollback
  101. cursor.close = cursor.__close
  103. return wrapped_function
  105. return wrap
  108. @at_install(False)
  109. @post_install(True)
  110. # Skip CSRF validation on tests
  111. @patch(http.__name__ + ".WebRequest.validate_csrf", return_value=True)
  112. # Skip specific browser forgery on redirections
  113. @patch(http.__name__ + ".redirect_with_hash", side_effect=redirect)
  114. # Faster tests without calls to geolocation API
  115. @patch(res_authentication_attempt.__name__ + ".urlopen", return_value="")
  116. class BruteForceCase(HttpCase):
  117. def setUp(self):
  118. super(BruteForceCase, self).setUp()
  119. # Some tests could retain environ from last test and produce fake
  120. # results without this patch
  121. # HACK https://github.com/odoo/odoo/issues/24183
  122. # TODO Remove in v12
  123. try:
  124. del current_thread().environ
  125. except AttributeError:
  126. pass
  127. # Complex password to avoid conflicts with `password_security`
  128. self.good_password = "Admin$%02584"
  129. self.data_demo = {
  130. "login": "demo",
  131. "password": "Demo%&/(908409**",
  132. }
  133. with self.cursor() as cr:
  134. env = self.env(cr)
  135. env["ir.config_parameter"].set_param(
  136. "auth_brute_force.max_by_ip_user", 3)
  137. env["ir.config_parameter"].set_param(
  138. "auth_brute_force.max_by_ip", 4)
  139. # Clean attempts to be able to count in tests
  140. env["res.authentication.attempt"].search([]).unlink()
  141. # Make sure involved users have good passwords
  142. env.user.password = self.good_password
  143. env["res.users"].search([
  144. ("login", "=", self.data_demo["login"]),
  145. ]).password = self.data_demo["password"]
  147. # HACK https://github.com/odoo/odoo/pull/24833
  148. def addons_installed(self, *addons):
  149. """Know if the specified addons are installed."""
  150. found = self.env["ir.module.module"].search([
  151. ("name", "in", addons),
  152. ("state", "not in", ["uninstalled", "uninstallable"]),
  153. ])
  154. return set(addons) - set(found.mapped("name"))
  156. @skip_unless_addons_installed("web")
  157. @mute_logger(*GARBAGE_LOGGERS)
  158. @patch_cursor
  159. def test_web_login_existing(self, *args):
  160. """Remote is banned with real user on web login form."""
  161. data1 = {
  162. "login": "admin",
  163. "password": "1234", # Wrong
  164. }
  165. # Make sure user is logged out
  166. self.url_open("/web/session/logout", timeout=30)
  167. # Fail 3 times
  168. for n in range(3):
  169. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  170. # If you fail, you get /web/login again
  171. self.assertTrue(
  172. response.geturl().endswith("/web/login"),
  173. "Unexpected URL %s" % response.geturl(),
  174. )
  175. # Admin banned, demo not
  176. with self.cursor() as cr:
  177. env = self.env(cr)
  178. self.assertFalse(
  179. env["res.authentication.attempt"]._trusted(
  180. "127.0.0.1",
  181. data1["login"],
  182. ),
  183. )
  184. self.assertTrue(
  185. env["res.authentication.attempt"]._trusted(
  186. "127.0.0.1",
  187. "demo",
  188. ),
  189. )
  190. # Now I know the password, but login is rejected too
  191. data1["password"] = self.good_password
  192. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  193. self.assertTrue(
  194. response.geturl().endswith("/web/login"),
  195. "Unexpected URL %s" % response.geturl(),
  196. )
  197. # IP has been banned, demo user cannot login
  198. with self.cursor() as cr:
  199. env = self.env(cr)
  200. self.assertFalse(
  201. env["res.authentication.attempt"]._trusted(
  202. "127.0.0.1",
  203. "demo",
  204. ),
  205. )
  206. # Attempts recorded
  207. with self.cursor() as cr:
  208. env = self.env(cr)
  209. failed = env["res.authentication.attempt"].search([
  210. ("result", "=", "failed"),
  211. ("login", "=", data1["login"]),
  212. ("remote", "=", "127.0.0.1"),
  213. ])
  214. self.assertEqual(len(failed), 3)
  215. banned = env["res.authentication.attempt"].search([
  216. ("result", "=", "banned"),
  217. ("remote", "=", "127.0.0.1"),
  218. ])
  219. self.assertEqual(len(banned), 1)
  220. # Unban
  221. banned.action_whitelist_add()
  222. # Try good login, it should work now
  223. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  224. self.assertTrue(response.geturl().endswith("/web"))
  226. @skip_unless_addons_installed("web")
  227. @mute_logger(*GARBAGE_LOGGERS)
  228. @patch_cursor
  229. def test_web_login_unexisting(self, *args):
  230. """Remote is banned with fake user on web login form."""
  231. data1 = {
  232. "login": "administrator", # Wrong
  233. "password": self.good_password,
  234. }
  235. # Make sure user is logged out
  236. self.url_open("/web/session/logout", timeout=30)
  237. # Fail 3 times
  238. for n in range(3):
  239. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  240. # If you fail, you get /web/login again
  241. self.assertTrue(
  242. response.geturl().endswith("/web/login"),
  243. "Unexpected URL %s" % response.geturl(),
  244. )
  245. # Admin banned, demo not
  246. with self.cursor() as cr:
  247. env = self.env(cr)
  248. self.assertFalse(
  249. env["res.authentication.attempt"]._trusted(
  250. "127.0.0.1",
  251. data1["login"],
  252. ),
  253. )
  254. self.assertTrue(
  255. env["res.authentication.attempt"]._trusted(
  256. "127.0.0.1",
  257. self.data_demo["login"],
  258. ),
  259. )
  260. # Demo user can login
  261. response = self.url_open(
  262. "/web/login",
  263. bytes(urlencode(self.data_demo)),
  264. 30,
  265. )
  266. # If you pass, you get /web
  267. self.assertTrue(
  268. response.geturl().endswith("/web"),
  269. "Unexpected URL %s" % response.geturl(),
  270. )
  271. self.url_open("/web/session/logout", timeout=30)
  272. # Attempts recorded
  273. with self.cursor() as cr:
  274. env = self.env(cr)
  275. failed = env["res.authentication.attempt"].search([
  276. ("result", "=", "failed"),
  277. ("login", "=", data1["login"]),
  278. ("remote", "=", "127.0.0.1"),
  279. ])
  280. self.assertEqual(len(failed), 3)
  281. banned = env["res.authentication.attempt"].search([
  282. ("result", "=", "banned"),
  283. ("login", "=", data1["login"]),
  284. ("remote", "=", "127.0.0.1"),
  285. ])
  286. self.assertEqual(len(banned), 0)
  288. @mute_logger(*GARBAGE_LOGGERS)
  289. @patch_cursor
  290. def test_xmlrpc_login_existing(self, *args):
  291. """Remote is banned with real user on XML-RPC login."""
  292. data1 = {
  293. "login": "admin",
  294. "password": "1234", # Wrong
  295. }
  296. # Fail 3 times
  297. for n in range(3):
  298. self.assertFalse(self.xmlrpc_common.authenticate(
  299. self.env.cr.dbname, data1["login"], data1["password"], {}))
  300. # Admin banned, demo not
  301. with self.cursor() as cr:
  302. env = self.env(cr)
  303. self.assertFalse(
  304. env["res.authentication.attempt"]._trusted(
  305. "127.0.0.1",
  306. data1["login"],
  307. ),
  308. )
  309. self.assertTrue(
  310. env["res.authentication.attempt"]._trusted(
  311. "127.0.0.1",
  312. "demo",
  313. ),
  314. )
  315. # Now I know the password, but login is rejected too
  316. data1["password"] = self.good_password
  317. self.assertFalse(self.xmlrpc_common.authenticate(
  318. self.env.cr.dbname, data1["login"], data1["password"], {}))
  319. # IP has been banned, demo user cannot login
  320. with self.cursor() as cr:
  321. env = self.env(cr)
  322. self.assertFalse(
  323. env["res.authentication.attempt"]._trusted(
  324. "127.0.0.1",
  325. "demo",
  326. ),
  327. )
  328. # Attempts recorded
  329. with self.cursor() as cr:
  330. env = self.env(cr)
  331. failed = env["res.authentication.attempt"].search([
  332. ("result", "=", "failed"),
  333. ("login", "=", data1["login"]),
  334. ("remote", "=", "127.0.0.1"),
  335. ])
  336. self.assertEqual(len(failed), 3)
  337. banned = env["res.authentication.attempt"].search([
  338. ("result", "=", "banned"),
  339. ("remote", "=", "127.0.0.1"),
  340. ])
  341. self.assertEqual(len(banned), 1)
  342. # Unban
  343. banned.action_whitelist_add()
  344. # Try good login, it should work now
  345. self.assertTrue(self.xmlrpc_common.authenticate(
  346. self.env.cr.dbname, data1["login"], data1["password"], {}))
  348. @mute_logger(*GARBAGE_LOGGERS)
  349. @patch_cursor
  350. def test_xmlrpc_login_unexisting(self, *args):
  351. """Remote is banned with fake user on XML-RPC login."""
  352. data1 = {
  353. "login": "administrator", # Wrong
  354. "password": self.good_password,
  355. }
  356. # Fail 3 times
  357. for n in range(3):
  358. self.assertFalse(self.xmlrpc_common.authenticate(
  359. self.env.cr.dbname, data1["login"], data1["password"], {}))
  360. # Admin banned, demo not
  361. with self.cursor() as cr:
  362. env = self.env(cr)
  363. self.assertFalse(
  364. env["res.authentication.attempt"]._trusted(
  365. "127.0.0.1",
  366. data1["login"],
  367. ),
  368. )
  369. self.assertTrue(
  370. env["res.authentication.attempt"]._trusted(
  371. "127.0.0.1",
  372. self.data_demo["login"],
  373. ),
  374. )
  375. # Demo user can login
  376. self.assertTrue(self.xmlrpc_common.authenticate(
  377. self.env.cr.dbname,
  378. self.data_demo["login"],
  379. self.data_demo["password"],
  380. {},
  381. ))
  382. # Attempts recorded
  383. with self.cursor() as cr:
  384. env = self.env(cr)
  385. failed = env["res.authentication.attempt"].search([
  386. ("result", "=", "failed"),
  387. ("login", "=", data1["login"]),
  388. ("remote", "=", "127.0.0.1"),
  389. ])
  390. self.assertEqual(len(failed), 3)
  391. banned = env["res.authentication.attempt"].search([
  392. ("result", "=", "banned"),
  393. ("login", "=", data1["login"]),
  394. ("remote", "=", "127.0.0.1"),
  395. ])
  396. self.assertEqual(len(banned), 0)
  398. @mute_logger(*GARBAGE_LOGGERS)
  399. def test_orm_login_existing(self, *args):
  400. """No bans on ORM login with an existing user."""
  401. data1 = {
  402. "login": "admin",
  403. "password": "1234", # Wrong
  404. }
  405. with self.cursor() as cr:
  406. env = self.env(cr)
  407. # Fail 3 times
  408. for n in range(3):
  409. self.assertFalse(
  410. env["res.users"].authenticate(
  411. cr.dbname, data1["login"], data1["password"], {}))
  412. self.assertEqual(
  413. env["res.authentication.attempt"].search(count=True, args=[]),
  414. 0,
  415. )
  416. self.assertTrue(
  417. env["res.authentication.attempt"]._trusted(
  418. "127.0.0.1",
  419. data1["login"],
  420. ),
  421. )
  422. # Now I know the password, and login works
  423. data1["password"] = self.good_password
  424. self.assertTrue(
  425. env["res.users"].authenticate(
  426. cr.dbname, data1["login"], data1["password"], {}))
  428. @mute_logger(*GARBAGE_LOGGERS)
  429. def test_orm_login_unexisting(self, *args):
  430. """No bans on ORM login with an unexisting user."""
  431. data1 = {
  432. "login": "administrator", # Wrong
  433. "password": self.good_password,
  434. }
  435. with self.cursor() as cr:
  436. env = self.env(cr)
  437. # Fail 3 times
  438. for n in range(3):
  439. self.assertFalse(
  440. env["res.users"].authenticate(
  441. cr.dbname, data1["login"], data1["password"], {}))
  442. self.assertEqual(
  443. env["res.authentication.attempt"].search(count=True, args=[]),
  444. 0,
  445. )
  446. self.assertTrue(
  447. env["res.authentication.attempt"]._trusted(
  448. "127.0.0.1",
  449. data1["login"],
  450. ),
  451. )
  452. # Now I know the user, and login works
  453. data1["login"] = "admin"
  454. self.assertTrue(
  455. env["res.users"].authenticate(
  456. cr.dbname, data1["login"], data1["password"], {}))