OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2011 Commits
13 Branches
0 Tags
45 MiB
Tree: b135375dfa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b135375dfa'
${ noResults }
server-tools/auth_brute_force/tests/test_brute_force.py

393 lines
14 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[FIX] auth_brute_force: Fix addon requirement computation (#1251) Include HACK for https://github.com/odoo/odoo/pull/24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. from threading import current_thread
  6. from urllib import urlencode
  8. from decorator import decorator
  9. from mock import patch
  10. from werkzeug.utils import redirect
  12. from odoo import http
  13. from odoo.tests.common import at_install, HttpCase, post_install
  14. from odoo.tools import mute_logger
  16. from ..models import res_authentication_attempt, res_users
  19. GARBAGE_LOGGERS = (
  20. "werkzeug",
  21. res_authentication_attempt.__name__,
  22. res_users.__name__,
  23. )
  26. # HACK https://github.com/odoo/odoo/pull/24833
  27. def skip_unless_addons_installed(*addons):
  28. """Decorator to skip a test unless some addons are installed.
  30. :param *str addons:
  31. Addon names that should be installed.
  33. :param reason:
  34. Explain why you must skip this test.
  35. """
  37. @decorator
  38. def _wrapper(method, self, *args, **kwargs):
  39. installed = self.addons_installed(*addons)
  40. if not installed:
  41. missing = set(addons) - installed
  42. self.skipTest("Required addons not installed: %s" %
  43. ",".join(sorted(missing)))
  44. return method(self, *args, **kwargs)
  46. return _wrapper
  49. @at_install(False)
  50. @post_install(True)
  51. # Skip CSRF validation on tests
  52. @patch(http.__name__ + ".WebRequest.validate_csrf", return_value=True)
  53. # Skip specific browser forgery on redirections
  54. @patch(http.__name__ + ".redirect_with_hash", side_effect=redirect)
  55. # Faster tests without calls to geolocation API
  56. @patch(res_authentication_attempt.__name__ + ".urlopen", return_value="")
  57. class BruteForceCase(HttpCase):
  58. def setUp(self):
  59. super(BruteForceCase, self).setUp()
  60. # Some tests could retain environ from last test and produce fake
  61. # results without this patch
  62. # HACK https://github.com/odoo/odoo/issues/24183
  63. # TODO Remove in v12
  64. try:
  65. del current_thread().environ
  66. except AttributeError:
  67. pass
  68. # Complex password to avoid conflicts with `password_security`
  69. self.good_password = "Admin$%02584"
  70. self.data_demo = {
  71. "login": "demo",
  72. "password": "Demo%&/(908409**",
  73. }
  74. with self.cursor() as cr:
  75. env = self.env(cr)
  76. env["ir.config_parameter"].set_param(
  77. "auth_brute_force.max_by_ip_user", 3)
  78. env["ir.config_parameter"].set_param(
  79. "auth_brute_force.max_by_ip", 4)
  80. # Clean attempts to be able to count in tests
  81. env["res.authentication.attempt"].search([]).unlink()
  82. # Make sure involved users have good passwords
  83. env.user.password = self.good_password
  84. env["res.users"].search([
  85. ("login", "=", self.data_demo["login"]),
  86. ]).password = self.data_demo["password"]
  88. # HACK https://github.com/odoo/odoo/pull/24833
  89. def addons_installed(self, *addons):
  90. """Know if the specified addons are installed."""
  91. found = self.env["ir.module.module"].search([
  92. ("name", "in", addons),
  93. ("state", "not in", ["uninstalled", "uninstallable"]),
  94. ])
  95. return set(addons) - set(found.mapped("name"))
  97. @skip_unless_addons_installed("web")
  98. @mute_logger(*GARBAGE_LOGGERS)
  99. def test_web_login_existing(self, *args):
  100. """Remote is banned with real user on web login form."""
  101. data1 = {
  102. "login": "admin",
  103. "password": "1234", # Wrong
  104. }
  105. # Make sure user is logged out
  106. self.url_open("/web/session/logout", timeout=30)
  107. # Fail 3 times
  108. for n in range(3):
  109. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  110. # If you fail, you get /web/login again
  111. self.assertTrue(
  112. response.geturl().endswith("/web/login"),
  113. "Unexpected URL %s" % response.geturl(),
  114. )
  115. # Admin banned, demo not
  116. with self.cursor() as cr:
  117. env = self.env(cr)
  118. self.assertFalse(
  119. env["res.authentication.attempt"]._trusted(
  120. "127.0.0.1",
  121. data1["login"],
  122. ),
  123. )
  124. self.assertTrue(
  125. env["res.authentication.attempt"]._trusted(
  126. "127.0.0.1",
  127. "demo",
  128. ),
  129. )
  130. # Now I know the password, but login is rejected too
  131. data1["password"] = self.good_password
  132. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  133. self.assertTrue(
  134. response.geturl().endswith("/web/login"),
  135. "Unexpected URL %s" % response.geturl(),
  136. )
  137. # IP has been banned, demo user cannot login
  138. with self.cursor() as cr:
  139. env = self.env(cr)
  140. self.assertFalse(
  141. env["res.authentication.attempt"]._trusted(
  142. "127.0.0.1",
  143. "demo",
  144. ),
  145. )
  146. # Attempts recorded
  147. with self.cursor() as cr:
  148. env = self.env(cr)
  149. failed = env["res.authentication.attempt"].search([
  150. ("result", "=", "failed"),
  151. ("login", "=", data1["login"]),
  152. ("remote", "=", "127.0.0.1"),
  153. ])
  154. self.assertEqual(len(failed), 3)
  155. banned = env["res.authentication.attempt"].search([
  156. ("result", "=", "banned"),
  157. ("remote", "=", "127.0.0.1"),
  158. ])
  159. self.assertEqual(len(banned), 1)
  160. # Unban
  161. banned.action_whitelist_add()
  162. # Try good login, it should work now
  163. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  164. self.assertTrue(response.geturl().endswith("/web"))
  166. @skip_unless_addons_installed("web")
  167. @mute_logger(*GARBAGE_LOGGERS)
  168. def test_web_login_unexisting(self, *args):
  169. """Remote is banned with fake user on web login form."""
  170. data1 = {
  171. "login": "administrator", # Wrong
  172. "password": self.good_password,
  173. }
  174. # Make sure user is logged out
  175. self.url_open("/web/session/logout", timeout=30)
  176. # Fail 3 times
  177. for n in range(3):
  178. response = self.url_open("/web/login", bytes(urlencode(data1)), 30)
  179. # If you fail, you get /web/login again
  180. self.assertTrue(
  181. response.geturl().endswith("/web/login"),
  182. "Unexpected URL %s" % response.geturl(),
  183. )
  184. # Admin banned, demo not
  185. with self.cursor() as cr:
  186. env = self.env(cr)
  187. self.assertFalse(
  188. env["res.authentication.attempt"]._trusted(
  189. "127.0.0.1",
  190. data1["login"],
  191. ),
  192. )
  193. self.assertTrue(
  194. env["res.authentication.attempt"]._trusted(
  195. "127.0.0.1",
  196. self.data_demo["login"],
  197. ),
  198. )
  199. # Demo user can login
  200. response = self.url_open(
  201. "/web/login",
  202. bytes(urlencode(self.data_demo)),
  203. 30,
  204. )
  205. # If you pass, you get /web
  206. self.assertTrue(
  207. response.geturl().endswith("/web"),
  208. "Unexpected URL %s" % response.geturl(),
  209. )
  210. self.url_open("/web/session/logout", timeout=30)
  211. # Attempts recorded
  212. with self.cursor() as cr:
  213. env = self.env(cr)
  214. failed = env["res.authentication.attempt"].search([
  215. ("result", "=", "failed"),
  216. ("login", "=", data1["login"]),
  217. ("remote", "=", "127.0.0.1"),
  218. ])
  219. self.assertEqual(len(failed), 3)
  220. banned = env["res.authentication.attempt"].search([
  221. ("result", "=", "banned"),
  222. ("login", "=", data1["login"]),
  223. ("remote", "=", "127.0.0.1"),
  224. ])
  225. self.assertEqual(len(banned), 0)
  227. @mute_logger(*GARBAGE_LOGGERS)
  228. def test_xmlrpc_login_existing(self, *args):
  229. """Remote is banned with real user on XML-RPC login."""
  230. data1 = {
  231. "login": "admin",
  232. "password": "1234", # Wrong
  233. }
  234. # Fail 3 times
  235. for n in range(3):
  236. self.assertFalse(self.xmlrpc_common.authenticate(
  237. self.env.cr.dbname, data1["login"], data1["password"], {}))
  238. # Admin banned, demo not
  239. with self.cursor() as cr:
  240. env = self.env(cr)
  241. self.assertFalse(
  242. env["res.authentication.attempt"]._trusted(
  243. "127.0.0.1",
  244. data1["login"],
  245. ),
  246. )
  247. self.assertTrue(
  248. env["res.authentication.attempt"]._trusted(
  249. "127.0.0.1",
  250. "demo",
  251. ),
  252. )
  253. # Now I know the password, but login is rejected too
  254. data1["password"] = self.good_password
  255. self.assertFalse(self.xmlrpc_common.authenticate(
  256. self.env.cr.dbname, data1["login"], data1["password"], {}))
  257. # IP has been banned, demo user cannot login
  258. with self.cursor() as cr:
  259. env = self.env(cr)
  260. self.assertFalse(
  261. env["res.authentication.attempt"]._trusted(
  262. "127.0.0.1",
  263. "demo",
  264. ),
  265. )
  266. # Attempts recorded
  267. with self.cursor() as cr:
  268. env = self.env(cr)
  269. failed = env["res.authentication.attempt"].search([
  270. ("result", "=", "failed"),
  271. ("login", "=", data1["login"]),
  272. ("remote", "=", "127.0.0.1"),
  273. ])
  274. self.assertEqual(len(failed), 3)
  275. banned = env["res.authentication.attempt"].search([
  276. ("result", "=", "banned"),
  277. ("remote", "=", "127.0.0.1"),
  278. ])
  279. self.assertEqual(len(banned), 1)
  280. # Unban
  281. banned.action_whitelist_add()
  282. # Try good login, it should work now
  283. self.assertTrue(self.xmlrpc_common.authenticate(
  284. self.env.cr.dbname, data1["login"], data1["password"], {}))
  286. @mute_logger(*GARBAGE_LOGGERS)
  287. def test_xmlrpc_login_unexisting(self, *args):
  288. """Remote is banned with fake user on XML-RPC login."""
  289. data1 = {
  290. "login": "administrator", # Wrong
  291. "password": self.good_password,
  292. }
  293. # Fail 3 times
  294. for n in range(3):
  295. self.assertFalse(self.xmlrpc_common.authenticate(
  296. self.env.cr.dbname, data1["login"], data1["password"], {}))
  297. # Admin banned, demo not
  298. with self.cursor() as cr:
  299. env = self.env(cr)
  300. self.assertFalse(
  301. env["res.authentication.attempt"]._trusted(
  302. "127.0.0.1",
  303. data1["login"],
  304. ),
  305. )
  306. self.assertTrue(
  307. env["res.authentication.attempt"]._trusted(
  308. "127.0.0.1",
  309. self.data_demo["login"],
  310. ),
  311. )
  312. # Demo user can login
  313. self.assertTrue(self.xmlrpc_common.authenticate(
  314. self.env.cr.dbname,
  315. self.data_demo["login"],
  316. self.data_demo["password"],
  317. {},
  318. ))
  319. # Attempts recorded
  320. with self.cursor() as cr:
  321. env = self.env(cr)
  322. failed = env["res.authentication.attempt"].search([
  323. ("result", "=", "failed"),
  324. ("login", "=", data1["login"]),
  325. ("remote", "=", "127.0.0.1"),
  326. ])
  327. self.assertEqual(len(failed), 3)
  328. banned = env["res.authentication.attempt"].search([
  329. ("result", "=", "banned"),
  330. ("login", "=", data1["login"]),
  331. ("remote", "=", "127.0.0.1"),
  332. ])
  333. self.assertEqual(len(banned), 0)
  335. @mute_logger(*GARBAGE_LOGGERS)
  336. def test_orm_login_existing(self, *args):
  337. """No bans on ORM login with an existing user."""
  338. data1 = {
  339. "login": "admin",
  340. "password": "1234", # Wrong
  341. }
  342. with self.cursor() as cr:
  343. env = self.env(cr)
  344. # Fail 3 times
  345. for n in range(3):
  346. self.assertFalse(
  347. env["res.users"].authenticate(
  348. cr.dbname, data1["login"], data1["password"], {}))
  349. self.assertEqual(
  350. env["res.authentication.attempt"].search(count=True, args=[]),
  351. 0,
  352. )
  353. self.assertTrue(
  354. env["res.authentication.attempt"]._trusted(
  355. "127.0.0.1",
  356. data1["login"],
  357. ),
  358. )
  359. # Now I know the password, and login works
  360. data1["password"] = self.good_password
  361. self.assertTrue(
  362. env["res.users"].authenticate(
  363. cr.dbname, data1["login"], data1["password"], {}))
  365. @mute_logger(*GARBAGE_LOGGERS)
  366. def test_orm_login_unexisting(self, *args):
  367. """No bans on ORM login with an unexisting user."""
  368. data1 = {
  369. "login": "administrator", # Wrong
  370. "password": self.good_password,
  371. }
  372. with self.cursor() as cr:
  373. env = self.env(cr)
  374. # Fail 3 times
  375. for n in range(3):
  376. self.assertFalse(
  377. env["res.users"].authenticate(
  378. cr.dbname, data1["login"], data1["password"], {}))
  379. self.assertEqual(
  380. env["res.authentication.attempt"].search(count=True, args=[]),
  381. 0,
  382. )
  383. self.assertTrue(
  384. env["res.authentication.attempt"]._trusted(
  385. "127.0.0.1",
  386. data1["login"],
  387. ),
  388. )
  389. # Now I know the user, and login works
  390. data1["login"] = "admin"
  391. self.assertTrue(
  392. env["res.users"].authenticate(
  393. cr.dbname, data1["login"], data1["password"], {}))