OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1720 Commits
13 Branches
0 Tags
45 MiB
Tree: ab1e2678ae
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ab1e2678ae'
${ noResults }
server-tools/auth_brute_force/controllers/main.py

76 lines
3.5 KiB
Raw Normal View History

[MIG] auth_brute_force: Migration to 10.0
7 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2015 GRAP - Sylvain LE GAL
  3. # Copyright 2017 Tecnativa - David Vidal
  4. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
  6. import logging
  8. from odoo import fields, http, registry, SUPERUSER_ID
  9. from odoo.api import Environment
  10. from odoo.http import request
  11. from odoo.addons.web.controllers.main import Home, ensure_db
  13. _logger = logging.getLogger(__name__)
  16. class LoginController(Home):
  18. @http.route()
  19. def web_login(self, redirect=None, **kw):
  20. if request.httprequest.method == 'POST':
  21. ensure_db()
  22. remote = request.httprequest.remote_addr
  23. # Get registry and cursor
  24. with registry(request.session.db).cursor() as cursor:
  25. env = Environment(cursor, SUPERUSER_ID, {})
  26. config_obj = env['ir.config_parameter']
  27. attempt_obj = env['res.authentication.attempt']
  28. banned_remote_obj = env['res.banned.remote']
  29. # Get Settings
  30. max_attempts_qty = int(config_obj.get_param(
  31. 'auth_brute_force.max_attempt_qty'))
  32. # Test if remote user is banned
  33. banned = banned_remote_obj.search([('remote', '=', remote)])
  34. if banned:
  35. request.params['password'] = ''
  36. _logger.warning(
  37. "Authentication tried from remote '%s'. The request "
  38. "has been ignored because the remote has been banned "
  39. "after %d attempts without success. Login tried : '%s'"
  40. "." % (remote, max_attempts_qty,
  41. request.params['login']))
  42. else:
  43. # Try to authenticate
  44. result = request.session.authenticate(
  45. request.session.db, request.params['login'],
  46. request.params['password'])
  47. # Log attempt
  48. attempt_obj.create({
  49. 'attempt_date': fields.Datetime.now(),
  50. 'login': request.params['login'],
  51. 'remote': remote,
  52. 'result': banned and 'banned' or (
  53. result and 'successfull' or 'failed'),
  54. })
  55. cursor.commit()
  56. if not banned and not result:
  57. # Get last bad attempts quantity
  58. attempts_qty = len(attempt_obj.search_last_failed(remote))
  59. if max_attempts_qty <= attempts_qty:
  60. # We ban the remote
  61. _logger.warning(
  62. "Authentication failed from remote '%s'. "
  63. "The remote has been banned. Login tried : '%s'"
  64. "." % (remote, request.params['login']))
  65. banned_remote_obj.sudo().create({
  66. 'remote': remote,
  67. 'ban_date': fields.Datetime.now(),
  68. })
  69. cursor.commit()
  70. else:
  71. _logger.warning(
  72. "Authentication failed from remote '%s'."
  73. " Login tried : '%s'. Attempt %d / %d." % (
  74. remote, request.params['login'], attempts_qty,
  75. max_attempts_qty))
  76. return super(LoginController, self).web_login(redirect=redirect, **kw)