You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

165 lines
5.4 KiB

11 years ago
11 years ago
11 years ago
  1. # -*- coding: utf-8 -*-
  2. ##############################################################################
  3. #
  4. # Author: Laurent Mignon
  5. # Copyright 2014 'ACSONE SA/NV'
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU Affero General Public License as
  9. # published by the Free Software Foundation, either version 3 of the
  10. # License, or (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU Affero General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU Affero General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. ##############################################################################
  21. {
  22. 'name': 'Authenticate via HTTP Remote User',
  23. 'version': '1.0',
  24. 'category': 'Tools',
  25. 'description': """
  26. Allow users to be automatically logged in.
  27. ==========================================
  28. This module initialize the session by looking for the field HTTP_REMOTE_USER in
  29. the HEADER of the HTTP request and trying to bind the given value to a user.
  30. To be active, the module must be installed in the expected databases and loaded
  31. at startup; Add the *--load* parameter to the startup command: ::
  32. --load=web,web_kanban,auth_from_http_remote_user, ...
  33. If the field is not found or no user matches the given one, it can lets the
  34. system redirect to the login page (default) or issue a login error page
  35. depending of the configuration.
  36. Use case.
  37. ---------
  38. The module allows integration with external security systems [#]_ that can pass
  39. along authentication of a user via Remote_User HTTP header field. In many cases,
  40. this is achieved via server like Apache HTTPD or nginx proxying Odoo.
  41. .. important:: When proxying your Odoo server with Apache or nginx, It's
  42. important to filter out the Remote_User HTTP header field before your
  43. request is processed by the proxy to avoid security issues. In apache you
  44. can do it by using the RequestHeader directive in your VirtualHost
  45. section ::
  46. <VirtualHost *:80>
  47. ServerName MY_VHOST.com
  48. ProxyRequests Off
  49. ...
  50. RequestHeader unset Remote-User early
  51. ProxyPass / http://127.0.0.1:8069/ retry=10
  52. ProxyPassReverse / http://127.0.0.1:8069/
  53. ProxyPreserveHost On
  54. </VirtualHost>
  55. How to test the module with Apache [#]_
  56. ----------------------------------------
  57. Apache can be used as a reverse proxy providing the authentication and adding
  58. the required field in the Http headers.
  59. Install apache: ::
  60. $ sudo apt-get install apache2
  61. Define a new vhost to Apache by putting a new file in
  62. /etc/apache2/sites-available: ::
  63. $ sudo vi /etc/apache2/sites-available/MY_VHOST.com
  64. with the following content: ::
  65. <VirtualHost *:80>
  66. ServerName MY_VHOST.com
  67. ProxyRequests Off
  68. <Location />
  69. AuthType Basic
  70. AuthName "Test Odoo auth_from_http_remote_user"
  71. AuthBasicProvider file
  72. AuthUserFile /etc/apache2/MY_VHOST.htpasswd
  73. Require valid-user
  74. RewriteEngine On
  75. RewriteCond %{LA-U:REMOTE_USER} (.+)
  76. RewriteRule . - [E=RU:%1]
  77. RequestHeader set Remote-User "%{RU}e" env=RU
  78. </Location>
  79. RequestHeader unset Remote-User early
  80. ProxyPass / http://127.0.0.1:8069/ retry=10
  81. ProxyPassReverse / http://127.0.0.1:8069/
  82. ProxyPreserveHost On
  83. </VirtualHost>
  84. .. important:: The *RequestHeader* directive is used to add the *Remote-User*
  85. field in the http headers. By default an *'Http-'* prefix is added to the
  86. field name.
  87. In Odoo, header's fields name are normalized. As result of this
  88. normalization, the 'Http-Remote-User' is available as 'HTTP_REMOTE_USER'.
  89. If you don't know how your specified field is seen by Odoo, run your
  90. server in debug mode once the module is activated and look for an entry
  91. like: ::
  92. DEBUG openerp1 openerp.addons.auth_from_http_remote_user.controllers.
  93. session:
  94. Field 'HTTP_MY_REMOTE_USER' not found in http headers
  95. {'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', ...,
  96. 'HTTP_REMOTE_USER': 'demo')
  97. Enable the required apache modules: ::
  98. $ sudo a2enmod headers
  99. $ sudo a2enmod proxy
  100. $ sudo a2enmod rewrite
  101. $ sudo a2enmod proxy_http
  102. Enable your new vhost: ::
  103. $ sudo a2ensite MY_VHOST.com
  104. Create the *htpassword* file used by the configured basic authentication: ::
  105. $ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin
  106. $ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo
  107. For local test, add the *MY_VHOST.com* in your /etc/vhosts file.
  108. Finally reload the configuration: ::
  109. $ sudo service apache2 reload
  110. Open your browser and go to MY_VHOST.com. If everything is well configured, you
  111. are prompted for a login and password outside Odoo and are automatically
  112. logged in the system.
  113. .. [#] Shibolleth, Tivoli access manager, ..
  114. .. [#] Based on a ubuntu 12.04 env
  115. """,
  116. 'author': 'Acsone SA/NV',
  117. 'maintainer': 'ACSONE SA/NV',
  118. 'website': 'http://www.acsone.eu',
  119. 'depends': ['base', 'web', 'base_setup'],
  120. "license": "AGPL-3",
  121. 'data': [
  122. 'res_config_view.xml',
  123. 'res_config_data.xml'],
  124. "demo": [],
  125. "test": [],
  126. "active": False,
  127. "license": "AGPL-3",
  128. "installable": True,
  129. "auto_install": False,
  130. "application": False,
  131. }