OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1656 Commits
13 Branches
0 Tags
45 MiB
Tree: c68b7dd129
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c68b7dd129'
${ noResults }
server-tools/auth_brute_force/models/res_users.py

147 lines
5.3 KiB
Raw Normal View History

[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
[MIG] auth_brute_force: Backport from v10 Odoo v9 auth methods usually violate both old and new api; they just only work in old api, so I had to adapt some tests to use it instead. Normal backport outside of that.
7 years ago
[REF] auth_brute_force: Cover all auth entrypoints (#1219) To fix https://github.com/OCA/server-tools/issues/1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by https://github.com/odoo/odoo/issues/24183 and will not work until it gets fixed upstream due to the technical limitations implied.
7 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2017 Tecnativa - Jairo Llopis
  3. # License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
  5. import logging
  6. from contextlib import contextmanager
  7. from threading import current_thread
  8. from openerp import api, models, SUPERUSER_ID
  9. from openerp.exceptions import AccessDenied
  10. from openerp.service import wsgi_server
  12. _logger = logging.getLogger(__name__)
  15. class ResUsers(models.Model):
  16. _inherit = "res.users"
  18. # HACK https://github.com/odoo/odoo/issues/24183
  19. # TODO Remove in v12, and use normal odoo.http.request to get details
  20. def _register_hook(self, cr):
  21. """🐒-patch XML-RPC controller to know remote address."""
  22. original_fn = wsgi_server.application_unproxied
  24. def _patch(environ, start_response):
  25. current_thread().environ = environ
  26. return original_fn(environ, start_response)
  28. wsgi_server.application_unproxied = _patch
  30. # Helpers to track authentication attempts
  31. @classmethod
  32. @contextmanager
  33. def _auth_attempt(cls, login):
  34. """Start an authentication attempt and track its state."""
  35. try:
  36. # Check if this call is nested
  37. attempt_id = current_thread().auth_attempt_id
  38. except AttributeError:
  39. # Not nested; create a new attempt
  40. attempt_id = cls._auth_attempt_new(login)
  41. if not attempt_id:
  42. # No attempt was created, so there's nothing to do here
  43. yield
  44. return
  45. try:
  46. current_thread().auth_attempt_id = attempt_id
  47. result = "successful"
  48. try:
  49. yield
  50. except AccessDenied as error:
  51. result = getattr(error, "reason", "failed")
  52. raise
  53. finally:
  54. cls._auth_attempt_update({"result": result})
  55. finally:
  56. try:
  57. del current_thread().auth_attempt_id
  58. except AttributeError:
  59. pass # It was deleted already
  61. @classmethod
  62. def _auth_attempt_force_raise(cls, login, method):
  63. """Force a method to raise an AccessDenied on falsey return."""
  64. try:
  65. with cls._auth_attempt(login):
  66. result = method()
  67. if not result:
  68. # Force exception to record auth failure
  69. raise AccessDenied()
  70. except AccessDenied:
  71. pass # `_auth_attempt()` did the hard part already
  72. return result
  74. @classmethod
  75. def _auth_attempt_new(cls, login):
  76. """Store one authentication attempt, not knowing the result."""
  77. # Get the right remote address
  78. try:
  79. remote_addr = current_thread().environ["REMOTE_ADDR"]
  80. except (KeyError, AttributeError):
  81. remote_addr = False
  82. # Exit if it doesn't make sense to store this attempt
  83. if not remote_addr:
  84. return False
  85. # Use a separate cursor to keep changes always
  86. with cls.pool.cursor() as cr:
  87. env = api.Environment(cr, SUPERUSER_ID, {})
  88. attempt = env["res.authentication.attempt"].create({
  89. "login": login,
  90. "remote": remote_addr,
  91. })
  92. return attempt.id
  94. @classmethod
  95. def _auth_attempt_update(cls, values):
  96. """Update a given auth attempt if we still ignore its result."""
  97. auth_id = getattr(current_thread(), "auth_attempt_id", False)
  98. if not auth_id:
  99. return {} # No running auth attempt; nothing to do
  100. # Use a separate cursor to keep changes always
  101. with cls.pool.cursor() as cr:
  102. env = api.Environment(cr, SUPERUSER_ID, {})
  103. attempt = env["res.authentication.attempt"].browse(auth_id)
  104. # Update only on 1st call
  105. if not attempt.result:
  106. attempt.write(values)
  107. return attempt.copy_data()[0] if attempt else {}
  109. # Override all auth-related core methods
  110. def _login(self, db, login, password):
  111. return self._auth_attempt_force_raise(
  112. login,
  113. lambda: super(ResUsers, self)._login(db, login, password),
  114. )
  116. def authenticate(self, db, login, password, user_agent_env):
  117. return self._auth_attempt_force_raise(
  118. login,
  119. lambda: super(ResUsers, self).authenticate(
  120. db, login, password, user_agent_env),
  121. )
  123. @api.model
  124. def check_credentials(self, password):
  125. """This is the most important and specific auth check method.
  127. When we get here, it means that Odoo already checked the user exists
  128. in this database.
  130. Other auth methods usually plug here.
  131. """
  132. login = self.env.user.login
  133. with self._auth_attempt(login):
  134. # Update login, just in case we stored the UID before
  135. attempt = self._auth_attempt_update({"login": login})
  136. remote = attempt.get("remote")
  137. # Fail if the remote is banned
  138. trusted = self.env["res.authentication.attempt"]._trusted(
  139. remote,
  140. login,
  141. )
  142. if not trusted:
  143. error = AccessDenied()
  144. error.reason = "banned"
  145. raise error
  146. # Continue with other auth systems
  147. return super(ResUsers, self).check_credentials(password)