OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1748 Commits
13 Branches
0 Tags
45 MiB
Tree: e28dc91f9b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e28dc91f9b'
${ noResults }
server-tools/auth_totp/models/res_users.py

104 lines
3.7 KiB
Raw Normal View History

[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[MIG] auth_totp: Upgrade to v10 * Rename manifest * Change openerp references to odoo * Bump version * Add pyotp back to requirements
8 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[FIX] auth_totp: Permissions fix and other tweaks * Slightly reword README * Replace LasLabs logo with OCA one * Overload _build_model in res.users model to add two MFA fields to the model class's list of self-writeable fields, allowing these fields to be edited by users without admin permissions for their own record * Update view_users_form_simple_modif and the unit tests in the module based on the self-writeable field change
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
[IMP] auth_totp: Admin support * Add MFA fields to normal res.users form view for admin access * Update record rules to give admins read/unlink access to MFA authenticators
7 years ago
[ADD] auth_totp: MFA Support * Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDenied
8 years ago
  1. # -*- coding: utf-8 -*-
  2. # Copyright 2016-2017 LasLabs Inc.
  3. # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
  5. from datetime import datetime, timedelta
  6. import random
  7. import string
  8. from odoo import _, api, fields, models
  9. from odoo.exceptions import AccessDenied, ValidationError
  10. from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError
  13. class ResUsers(models.Model):
  14. _inherit = 'res.users'
  16. @classmethod
  17. def _build_model(cls, pool, cr):
  18. ModelCls = super(ResUsers, cls)._build_model(pool, cr)
  19. ModelCls.SELF_WRITEABLE_FIELDS += ['mfa_enabled', 'authenticator_ids']
  20. return ModelCls
  22. mfa_enabled = fields.Boolean(string='MFA Enabled?')
  23. authenticator_ids = fields.One2many(
  24. comodel_name='res.users.authenticator',
  25. inverse_name='user_id',
  26. string='Authentication Apps/Devices',
  27. help='To delete an authentication app, remove it from this list. To'
  28. ' add a new authentication app, please use the button to the'
  29. ' right. If the button is not present, you do not have the'
  30. ' permissions to do this.',
  31. )
  32. mfa_login_token = fields.Char()
  33. mfa_login_token_exp = fields.Datetime()
  34. trusted_device_ids = fields.One2many(
  35. comodel_name='res.users.device',
  36. inverse_name='user_id',
  37. string='Trusted Devices',
  38. )
  40. @api.multi
  41. @api.constrains('mfa_enabled', 'authenticator_ids')
  42. def _check_enabled_with_authenticator(self):
  43. for record in self:
  44. if record.mfa_enabled and not record.authenticator_ids:
  45. raise ValidationError(_(
  46. 'You have MFA enabled but do not have any authentication'
  47. ' apps/devices set up. To keep from being locked out,'
  48. ' please add one before you activate this feature.'
  49. ))
  51. @api.model
  52. def check_credentials(self, password):
  53. try:
  54. return super(ResUsers, self).check_credentials(password)
  55. except AccessDenied:
  56. user = self.sudo().search([
  57. ('id', '=', self.env.uid),
  58. ('mfa_login_token', '=', password),
  59. ])
  60. user._user_from_mfa_login_token_validate()
  62. @api.multi
  63. def generate_mfa_login_token(self, lifetime_mins=15):
  64. char_set = string.ascii_letters + string.digits
  66. for record in self:
  67. record.mfa_login_token = ''.join(
  68. random.SystemRandom().choice(char_set) for __ in range(20)
  69. )
  71. expiration = datetime.now() + timedelta(minutes=lifetime_mins)
  72. record.mfa_login_token_exp = fields.Datetime.to_string(expiration)
  74. @api.model
  75. def user_from_mfa_login_token(self, token):
  76. if not token:
  77. raise MfaTokenInvalidError(_(
  78. 'Your MFA login token is not valid. Please try again.'
  79. ))
  81. user = self.search([('mfa_login_token', '=', token)])
  82. user._user_from_mfa_login_token_validate()
  84. return user
  86. @api.multi
  87. def _user_from_mfa_login_token_validate(self):
  88. try:
  89. self.ensure_one()
  90. except ValueError:
  91. raise MfaTokenInvalidError(_(
  92. 'Your MFA login token is not valid. Please try again.'
  93. ))
  95. token_exp = fields.Datetime.from_string(self.mfa_login_token_exp)
  96. if token_exp < datetime.now():
  97. raise MfaTokenExpiredError(_(
  98. 'Your MFA login token has expired. Please try again.'
  99. ))
  101. @api.multi
  102. def validate_mfa_confirmation_code(self, confirmation_code):
  103. self.ensure_one()
  104. return self.authenticator_ids.validate_conf_code(confirmation_code)