OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1757 Commits
13 Branches
0 Tags
45 MiB
Tree: c8d5b50777
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c8d5b50777'
${ noResults }
server-tools/auth_totp/models/res_users.py

95 lines
3.6 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Various issues * Restructure controller and res.users logic to prevent RPC authentication for users with MFA enabled and add support for multiple simultaneous MFA sessions * Switch trusted device cookies from using the DB secret to user-level secret keys, thereby increasing security * Remove MFA login tokens and trusted device model, which are now redundant * Add migration logic that generates a trusted device cookie key for every user with MFA enabled and cleans up device model ir records to prevent warnings * Update unit tests and remainder of module accordingly
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. import uuid
  6. from odoo import _, api, fields, models
  7. from odoo.exceptions import ValidationError
  8. from odoo.http import request
  9. from ..controllers.main import JsonSecureCookie
  10. from ..exceptions import MfaLoginNeeded
  13. class ResUsers(models.Model):
  14. _inherit = 'res.users'
  16. @classmethod
  17. def _build_model(cls, pool, cr):
  18. ModelCls = super(ResUsers, cls)._build_model(pool, cr)
  19. ModelCls.SELF_WRITEABLE_FIELDS += ['mfa_enabled', 'authenticator_ids']
  20. return ModelCls
  22. mfa_enabled = fields.Boolean(string='MFA Enabled?')
  23. authenticator_ids = fields.One2many(
  24. comodel_name='res.users.authenticator',
  25. inverse_name='user_id',
  26. string='Authentication Apps/Devices',
  27. help='To delete an authentication app, remove it from this list. To'
  28. ' add a new authentication app, please use the button to the'
  29. ' right. If the button is not present, you do not have the'
  30. ' permissions to do this.',
  31. )
  32. trusted_device_cookie_key = fields.Char(
  33. compute='_compute_trusted_device_cookie_key',
  34. store=True,
  35. )
  37. @api.multi
  38. @api.depends('mfa_enabled')
  39. def _compute_trusted_device_cookie_key(self):
  40. for record in self:
  41. if record.mfa_enabled:
  42. record.trusted_device_cookie_key = uuid.uuid4()
  43. else:
  44. record.trusted_device_cookie_key = False
  46. @api.multi
  47. @api.constrains('mfa_enabled', 'authenticator_ids')
  48. def _check_enabled_with_authenticator(self):
  49. for record in self:
  50. if record.mfa_enabled and not record.authenticator_ids:
  51. raise ValidationError(_(
  52. 'You have MFA enabled but do not have any authentication'
  53. ' apps/devices set up. To keep from being locked out,'
  54. ' please add one before you activate this feature.'
  55. ))
  57. @api.model
  58. def check_credentials(self, password):
  59. """Add MFA logic to core authentication process
  61. Overview:
  62. * If user does not have MFA enabled, defer to parent logic
  63. * If user has MFA enabled and has gone through MFA login process
  64. this session or has correct device cookie, defer to parent logic
  65. * If neither of these is true, call parent logic. If successful,
  66. prevent auth while updating session to indicate that MFA login
  67. process can now commence
  68. """
  69. user_model_sudo = self.sudo()
  70. user = user_model_sudo.search([('id', '=', self.env.uid)])
  72. if not user.mfa_enabled:
  73. return super(ResUsers, self).check_credentials(password)
  75. if request:
  76. if request.session.get('mfa_login_active') == user.id:
  77. return super(ResUsers, self).check_credentials(password)
  79. cookie_key = 'trusted_devices_%d' % user.id
  80. device_cook = request.httprequest.cookies.get(cookie_key)
  81. if device_cook:
  82. secret = user.trusted_device_cookie_key
  83. device_cook = JsonSecureCookie.unserialize(device_cook, secret)
  84. if device_cook:
  85. return super(ResUsers, self).check_credentials(password)
  87. super(ResUsers, self).check_credentials(password)
  88. if request:
  89. request.session['mfa_login_needed'] = True
  90. raise MfaLoginNeeded
  92. @api.multi
  93. def validate_mfa_confirmation_code(self, confirmation_code):
  94. self.ensure_one()
  95. return self.authenticator_ids.validate_conf_code(confirmation_code)