OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1843 Commits
13 Branches
0 Tags
45 MiB
Tree: 91e81fe482
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '91e81fe482'
${ noResults }
server-tools/auth_totp/controllers/main.py

166 lines
6.6 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[FIX] auth_totp: Firefox support * Fix #908, a Firefox MFA login error, by adding logic that checks for the Firefox edge case where redirect_with_hash returns a Response object rather than a string * Add test case for this scenario
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[FIX] auth_totp: Firefox support * Fix #908, a Firefox MFA login error, by adding logic that checks for the Firefox edge case where redirect_with_hash returns a Response object rather than a string * Add test case for this scenario
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import json
  7. from werkzeug.contrib.securecookie import SecureCookie
  8. from werkzeug.wrappers import Response as WerkzeugResponse
  9. from openerp import _, http, registry, SUPERUSER_ID
  10. from openerp.api import Environment
  11. from openerp.http import Response, request
  12. from openerp.addons.web.controllers.main import Home
  13. from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError
  16. class JsonSecureCookie(SecureCookie):
  17. serialization_method = json
  20. class AuthTotp(Home):
  22. @http.route()
  23. def web_login(self, *args, **kwargs):
  24. """Add MFA logic to the web_login action in Home
  26. Overview:
  27. * Call web_login in Home
  28. * Return the result of that call if the user has not logged in yet
  29. using a password, does not have MFA enabled, or has a valid
  30. trusted device cookie
  31. * If none of these is true, generate a new MFA login token for the
  32. user, log the user out, and redirect to the MFA login form
  33. """
  35. # sudo() is required because there may be no request.env.uid (likely
  36. # since there may be no user logged in at the start of the request)
  37. user_model_sudo = request.env['res.users'].sudo()
  38. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  40. response = super(AuthTotp, self).web_login(*args, **kwargs)
  42. if not request.params.get('login_success'):
  43. return response
  45. user = user_model_sudo.browse(request.uid)
  46. if not user.mfa_enabled:
  47. return response
  49. cookie_key = 'trusted_devices_%d' % user.id
  50. device_cookie = request.httprequest.cookies.get(cookie_key)
  51. if device_cookie:
  52. secret = config_model_sudo.get_param('database.secret')
  53. device_cookie = JsonSecureCookie.unserialize(device_cookie, secret)
  54. if device_cookie.get('device_id') in user.trusted_device_ids.ids:
  55. return response
  57. user.generate_mfa_login_token()
  58. request.session.logout(keep_db=True)
  59. request.params['login_success'] = False
  60. return http.local_redirect(
  61. '/auth_totp/login',
  62. query={
  63. 'mfa_login_token': user.mfa_login_token,
  64. 'redirect': request.params.get('redirect'),
  65. },
  66. keep_hash=True,
  67. )
  69. @http.route(
  70. '/auth_totp/login',
  71. type='http',
  72. auth='public',
  73. methods=['GET'],
  74. website=True,
  75. )
  76. def mfa_login_get(self, *args, **kwargs):
  77. return request.render('auth_totp.mfa_login', qcontext=request.params)
  79. @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
  80. def mfa_login_post(self, *args, **kwargs):
  81. """Process MFA login attempt
  83. Overview:
  84. * Try to find a user based on the MFA login token. If this doesn't
  85. work, redirect to the password login page with an error message
  86. * Validate the confirmation code provided by the user. If it's not
  87. valid, redirect to the previous login step with an error message
  88. * Generate a long-term MFA login token for the user and log the
  89. user in using the token
  90. * Build a trusted device cookie and add it to the response if the
  91. trusted device option was checked
  92. * Redirect to the provided URL or to '/web' if one was not given
  93. """
  95. # sudo() is required because there is no request.env.uid (likely since
  96. # there is no user logged in at the start of the request)
  97. user_model_sudo = request.env['res.users'].sudo()
  98. device_model_sudo = user_model_sudo.env['res.users.device']
  99. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  101. token = request.params.get('mfa_login_token')
  102. try:
  103. user = user_model_sudo.user_from_mfa_login_token(token)
  104. except (MfaTokenInvalidError, MfaTokenExpiredError) as exception:
  105. return http.local_redirect(
  106. '/web/login',
  107. query={
  108. 'redirect': request.params.get('redirect'),
  109. 'error': exception.message,
  110. },
  111. keep_hash=True,
  112. )
  114. confirmation_code = request.params.get('confirmation_code')
  115. if not user.validate_mfa_confirmation_code(confirmation_code):
  116. return http.local_redirect(
  117. '/auth_totp/login',
  118. query={
  119. 'redirect': request.params.get('redirect'),
  120. 'error': _(
  121. 'Your confirmation code is not correct. Please try'
  122. ' again.'
  123. ),
  124. 'mfa_login_token': token,
  125. },
  126. keep_hash=True,
  127. )
  129. # These context managers trigger a safe commit, which persists the
  130. # changes right away and is needed for the auth call
  131. with Environment.manage():
  132. with registry(request.db).cursor() as temp_cr:
  133. temp_env = Environment(temp_cr, SUPERUSER_ID, request.context)
  134. temp_user = temp_env['res.users'].browse(user.id)
  135. temp_user.generate_mfa_login_token(60 * 24 * 30)
  136. token = temp_user.mfa_login_token
  137. request.session.authenticate(request.db, user.login, token, user.id)
  138. request.params['login_success'] = True
  140. redirect = request.params.get('redirect')
  141. if not redirect:
  142. redirect = '/web'
  143. response = http.redirect_with_hash(redirect)
  144. if not isinstance(response, WerkzeugResponse):
  145. response = Response(response)
  147. if request.params.get('remember_device'):
  148. device = device_model_sudo.create({'user_id': user.id})
  149. secret = config_model_sudo.get_param('database.secret')
  150. device_cookie = JsonSecureCookie({'device_id': device.id}, secret)
  151. cookie_lifetime = timedelta(days=30)
  152. cookie_exp = datetime.utcnow() + cookie_lifetime
  153. device_cookie = device_cookie.serialize(cookie_exp)
  154. cookie_key = 'trusted_devices_%d' % user.id
  155. sec_config = config_model_sudo.get_param('auth_totp.secure_cookie')
  156. security_flag = sec_config != '0'
  157. response.set_cookie(
  158. cookie_key,
  159. device_cookie,
  160. max_age=cookie_lifetime.total_seconds(),
  161. expires=cookie_exp,
  162. httponly=True,
  163. secure=security_flag,
  164. )
  166. return response