OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1694 Commits
13 Branches
0 Tags
45 MiB
Tree: 80ac6549d9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '80ac6549d9'
${ noResults }
server-tools/auth_totp/models/res_users.py

105 lines
3.7 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import random
  7. import string
  8. from openerp import _, api, fields, models
  9. from openerp.exceptions import AccessDenied, ValidationError
  10. from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError
  13. class ResUsers(models.Model):
  14. _inherit = 'res.users'
  16. @classmethod
  17. def _build_model(cls, pool, cr):
  18. model = super(ResUsers, cls)._build_model(pool, cr)
  19. ModelCls = type(model)
  20. ModelCls.SELF_WRITEABLE_FIELDS += ['mfa_enabled', 'authenticator_ids']
  21. return model
  23. mfa_enabled = fields.Boolean(string='MFA Enabled?')
  24. authenticator_ids = fields.One2many(
  25. comodel_name='res.users.authenticator',
  26. inverse_name='user_id',
  27. string='Authentication Apps/Devices',
  28. help='To delete an authentication app, remove it from this list. To'
  29. ' add a new authentication app, please use the button to the'
  30. ' right. If the button is not present, you do not have the'
  31. ' permissions to do this.',
  32. )
  33. mfa_login_token = fields.Char()
  34. mfa_login_token_exp = fields.Datetime()
  35. trusted_device_ids = fields.One2many(
  36. comodel_name='res.users.device',
  37. inverse_name='user_id',
  38. string='Trusted Devices',
  39. )
  41. @api.multi
  42. @api.constrains('mfa_enabled', 'authenticator_ids')
  43. def _check_enabled_with_authenticator(self):
  44. for record in self:
  45. if record.mfa_enabled and not record.authenticator_ids:
  46. raise ValidationError(_(
  47. 'You have MFA enabled but do not have any authentication'
  48. ' apps/devices set up. To keep from being locked out,'
  49. ' please add one before you activate this feature.'
  50. ))
  52. @api.model
  53. def check_credentials(self, password):
  54. try:
  55. return super(ResUsers, self).check_credentials(password)
  56. except AccessDenied:
  57. user = self.sudo().search([
  58. ('id', '=', self.env.uid),
  59. ('mfa_login_token', '=', password),
  60. ])
  61. user._user_from_mfa_login_token_validate()
  63. @api.multi
  64. def generate_mfa_login_token(self, lifetime_mins=15):
  65. char_set = string.ascii_letters + string.digits
  67. for record in self:
  68. record.mfa_login_token = ''.join(
  69. random.SystemRandom().choice(char_set) for __ in range(20)
  70. )
  72. expiration = datetime.now() + timedelta(minutes=lifetime_mins)
  73. record.mfa_login_token_exp = fields.Datetime.to_string(expiration)
  75. @api.model
  76. def user_from_mfa_login_token(self, token):
  77. if not token:
  78. raise MfaTokenInvalidError(_(
  79. 'Your MFA login token is not valid. Please try again.'
  80. ))
  82. user = self.search([('mfa_login_token', '=', token)])
  83. user._user_from_mfa_login_token_validate()
  85. return user
  87. @api.multi
  88. def _user_from_mfa_login_token_validate(self):
  89. try:
  90. self.ensure_one()
  91. except ValueError:
  92. raise MfaTokenInvalidError(_(
  93. 'Your MFA login token is not valid. Please try again.'
  94. ))
  96. token_exp = fields.Datetime.from_string(self.mfa_login_token_exp)
  97. if token_exp < datetime.now():
  98. raise MfaTokenExpiredError(_(
  99. 'Your MFA login token has expired. Please try again.'
  100. ))
  102. @api.multi
  103. def validate_mfa_confirmation_code(self, confirmation_code):
  104. self.ensure_one()
  105. return self.authenticator_ids.validate_conf_code(confirmation_code)