OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1324 Commits
13 Branches
0 Tags
45 MiB
Tree: b5fc807dbf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b5fc807dbf'
${ noResults }
server-tools/auth_totp/controllers/main.py

163 lines
6.5 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Website compatibility * Add website compatibility by modifying the decorator on one of the routes and updating the login_success request parameter as needed
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import json
  7. from werkzeug.contrib.securecookie import SecureCookie
  8. from odoo import _, http, registry, SUPERUSER_ID
  9. from odoo.api import Environment
  10. from odoo.http import Response, request
  11. from odoo.addons.web.controllers.main import Home
  12. from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError
  15. class JsonSecureCookie(SecureCookie):
  16. serialization_method = json
  19. class AuthTotp(Home):
  21. @http.route()
  22. def web_login(self, *args, **kwargs):
  23. """Add MFA logic to the web_login action in Home
  25. Overview:
  26. * Call web_login in Home
  27. * Return the result of that call if the user has not logged in yet
  28. using a password, does not have MFA enabled, or has a valid
  29. trusted device cookie
  30. * If none of these is true, generate a new MFA login token for the
  31. user, log the user out, and redirect to the MFA login form
  32. """
  34. # sudo() is required because there may be no request.env.uid (likely
  35. # since there may be no user logged in at the start of the request)
  36. user_model_sudo = request.env['res.users'].sudo()
  37. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  39. response = super(AuthTotp, self).web_login(*args, **kwargs)
  41. if not request.params.get('login_success'):
  42. return response
  44. user = user_model_sudo.browse(request.uid)
  45. if not user.mfa_enabled:
  46. return response
  48. cookie_key = 'trusted_devices_%d' % user.id
  49. device_cookie = request.httprequest.cookies.get(cookie_key)
  50. if device_cookie:
  51. secret = config_model_sudo.get_param('database.secret')
  52. device_cookie = JsonSecureCookie.unserialize(device_cookie, secret)
  53. if device_cookie.get('device_id') in user.trusted_device_ids.ids:
  54. return response
  56. user.generate_mfa_login_token()
  57. request.session.logout(keep_db=True)
  58. request.params['login_success'] = False
  59. return http.local_redirect(
  60. '/auth_totp/login',
  61. query={
  62. 'mfa_login_token': user.mfa_login_token,
  63. 'redirect': request.params.get('redirect'),
  64. },
  65. keep_hash=True,
  66. )
  68. @http.route(
  69. '/auth_totp/login',
  70. type='http',
  71. auth='public',
  72. methods=['GET'],
  73. website=True,
  74. )
  75. def mfa_login_get(self, *args, **kwargs):
  76. return request.render('auth_totp.mfa_login', qcontext=request.params)
  78. @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
  79. def mfa_login_post(self, *args, **kwargs):
  80. """Process MFA login attempt
  82. Overview:
  83. * Try to find a user based on the MFA login token. If this doesn't
  84. work, redirect to the password login page with an error message
  85. * Validate the confirmation code provided by the user. If it's not
  86. valid, redirect to the previous login step with an error message
  87. * Generate a long-term MFA login token for the user and log the
  88. user in using the token
  89. * Build a trusted device cookie and add it to the response if the
  90. trusted device option was checked
  91. * Redirect to the provided URL or to '/web' if one was not given
  92. """
  94. # sudo() is required because there is no request.env.uid (likely since
  95. # there is no user logged in at the start of the request)
  96. user_model_sudo = request.env['res.users'].sudo()
  97. device_model_sudo = user_model_sudo.env['res.users.device']
  98. config_model_sudo = user_model_sudo.env['ir.config_parameter']
  100. token = request.params.get('mfa_login_token')
  101. try:
  102. user = user_model_sudo.user_from_mfa_login_token(token)
  103. except (MfaTokenInvalidError, MfaTokenExpiredError) as exception:
  104. return http.local_redirect(
  105. '/web/login',
  106. query={
  107. 'redirect': request.params.get('redirect'),
  108. 'error': exception.message,
  109. },
  110. keep_hash=True,
  111. )
  113. confirmation_code = request.params.get('confirmation_code')
  114. if not user.validate_mfa_confirmation_code(confirmation_code):
  115. return http.local_redirect(
  116. '/auth_totp/login',
  117. query={
  118. 'redirect': request.params.get('redirect'),
  119. 'error': _(
  120. 'Your confirmation code is not correct. Please try'
  121. ' again.'
  122. ),
  123. 'mfa_login_token': token,
  124. },
  125. keep_hash=True,
  126. )
  128. # These context managers trigger a safe commit, which persists the
  129. # changes right away and is needed for the auth call
  130. with Environment.manage():
  131. with registry(request.db).cursor() as temp_cr:
  132. temp_env = Environment(temp_cr, SUPERUSER_ID, request.context)
  133. temp_user = temp_env['res.users'].browse(user.id)
  134. temp_user.generate_mfa_login_token(60 * 24 * 30)
  135. token = temp_user.mfa_login_token
  136. request.session.authenticate(request.db, user.login, token, user.id)
  137. request.params['login_success'] = True
  139. redirect = request.params.get('redirect')
  140. if not redirect:
  141. redirect = '/web'
  142. response = Response(http.redirect_with_hash(redirect))
  144. if request.params.get('remember_device'):
  145. device = device_model_sudo.create({'user_id': user.id})
  146. secret = config_model_sudo.get_param('database.secret')
  147. device_cookie = JsonSecureCookie({'device_id': device.id}, secret)
  148. cookie_lifetime = timedelta(days=30)
  149. cookie_exp = datetime.utcnow() + cookie_lifetime
  150. device_cookie = device_cookie.serialize(cookie_exp)
  151. cookie_key = 'trusted_devices_%d' % user.id
  152. sec_config = config_model_sudo.get_param('auth_totp.secure_cookie')
  153. security_flag = sec_config != '0'
  154. response.set_cookie(
  155. cookie_key,
  156. device_cookie,
  157. max_age=cookie_lifetime.total_seconds(),
  158. expires=cookie_exp,
  159. httponly=True,
  160. secure=security_flag,
  161. )
  163. return response