OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1843 Commits
13 Branches
0 Tags
45 MiB
Tree: 91e81fe482
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '91e81fe482'
${ noResults }
server-tools/auth_totp/wizards/res_users_authenticator_cre...

119 lines
3.7 KiB
Raw Normal View History

[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][IMP] auth_totp: Secret key visible in wizard (#1409)
6 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
[9.0][FIX][IMP] Backport of auth_totp bug fixes and improvements from v10 PR (#898) * [FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change * [IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators * [FIX] auth_totp: User deletion * Add ondelete='cascade' to the res.users.authenticator.create wizard model to properly support deletion of users who have just created an MFA authenticator * [FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
Ensure no special chars are passed to totp.provisioning_uri
7 years ago
[9.0][ADD] auth_totp: MFA Support (#687) * [ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied * PR commit * PR commit
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. import logging
  6. import urllib
  7. from openerp import _, api, fields, models
  8. from openerp.exceptions import ValidationError
  10. _logger = logging.getLogger(__name__)
  11. try:
  12. import pyotp
  13. except ImportError:
  14. _logger.debug(
  15. 'Could not import PyOTP. Please make sure this library is available in'
  16. ' your environment.'
  17. )
  20. class ResUsersAuthenticatorCreate(models.TransientModel):
  21. _name = 'res.users.authenticator.create'
  22. _description = 'MFA App/Device Creation Wizard'
  24. name = fields.Char(
  25. string='Authentication App/Device Name',
  26. help='A name that will help you remember this authentication'
  27. ' app/device',
  28. required=True,
  29. index=True,
  30. )
  31. secret_key = fields.Char(
  32. string='Secret Code',
  33. default=lambda s: pyotp.random_base32(),
  34. required=True,
  35. )
  36. qr_code_tag = fields.Html(
  37. compute='_compute_qr_code_tag',
  38. string='QR Code',
  39. help='Scan this image with your authentication app to add your'
  40. ' account',
  41. )
  42. user_id = fields.Many2one(
  43. comodel_name='res.users',
  44. default=lambda s: s._default_user_id(),
  45. required=True,
  46. string='Associated User',
  47. help='This is the user whose account the new authentication app/device'
  48. ' will be tied to',
  49. readonly=True,
  50. index=True,
  51. ondelete='cascade',
  52. )
  53. confirmation_code = fields.Char(
  54. string='Confirmation Code',
  55. help='Enter the latest six digit code generated by your authentication'
  56. ' app',
  57. required=True,
  58. )
  60. @api.model
  61. def _default_user_id(self):
  62. user_id = self.env.context.get('uid')
  63. return self.env['res.users'].browse(user_id)
  65. @api.multi
  66. @api.depends(
  67. 'secret_key',
  68. 'user_id.display_name',
  69. 'user_id.company_id.display_name',
  70. )
  71. def _compute_qr_code_tag(self):
  72. for record in self:
  73. if not record.user_id:
  74. continue
  76. totp = pyotp.TOTP(record.secret_key)
  77. provisioning_uri = totp.provisioning_uri(
  78. record.user_id.display_name.encode('utf-8'),
  79. issuer_name=record.user_id.company_id.display_name,
  80. )
  81. provisioning_uri = urllib.quote(provisioning_uri)
  83. qr_width = qr_height = 300
  84. tag_base = '<img src="/report/barcode/?type=QR&amp;'
  85. tag_params = 'value=%s&amp;width=%s&amp;height=%s">' % (
  86. provisioning_uri,
  87. qr_width,
  88. qr_height
  89. )
  90. record.qr_code_tag = tag_base + tag_params
  92. @api.multi
  93. def action_create(self):
  94. self.ensure_one()
  95. self._perform_validations()
  96. self._create_authenticator()
  98. action_data = self.env.ref('base.action_res_users_my').read()[0]
  99. action_data.update({'res_id': self.user_id.id})
  100. return action_data
  102. @api.multi
  103. def _perform_validations(self):
  104. totp = pyotp.TOTP(self.secret_key)
  105. if not totp.verify(self.confirmation_code):
  106. raise ValidationError(_(
  107. 'Your confirmation code is not correct. Please try again,'
  108. ' making sure that your MFA device is set to the correct time'
  109. ' and that you have entered the most recent code generated by'
  110. ' your authentication app.'
  111. ))
  113. @api.multi
  114. def _create_authenticator(self):
  115. self.env['res.users.authenticator'].create({
  116. 'name': self.name,
  117. 'secret_key': self.secret_key,
  118. 'user_id': self.user_id.id,
  119. })