If HTTP_REMOTE_USER is in the request headers and no corresponding user is found in odoo always issues Unauthorized (avoid redirect to the login page)

If the uid in the session is not the same as the one from the binded HTTP_REMOTE_USER, always logout to clean up the session
10 years ago · 436ffcd53f
7 changed files with 24 additions and 118 deletions
--- a/auth_from_http_remote_user/init.py
+++ b/auth_from_http_remote_user/init.py
@ -20,6 +20,5 @@
 ##############################################################################

 from . import controllers
-from . import res_config
 from . import res_users
 from . import model
--- a/auth_from_http_remote_user/openerp.py
+++ b/auth_from_http_remote_user/openerp.py
@ -33,9 +33,8 @@ at startup; Add the *--load* parameter to the startup command: ::

  --load=web,web_kanban,auth_from_http_remote_user, ...

-If the field is not found or no user matches the given one, it can lets the
-system redirect to the login page (default) or issue a login error page
-depending of the configuration.
+If the field is found in the header and no user matches the given one, the
+system issue a login error page. (*401* `Unauthorized`)

 Use case.
 ---------
@ -152,9 +151,7 @@ logged in the system.
    'website': 'http://www.acsone.eu',
    'depends': ['base', 'web', 'base_setup'],
    "license": "AGPL-3",
-    'data': [
-        'res_config_view.xml',
-        'res_config_data.xml'],
+    'data': [],
    "demo": [],
    "test": [],
    "active": False,
--- a/auth_from_http_remote_user/controllers/main.py
+++ b/auth_from_http_remote_user/controllers/main.py
@ -49,12 +49,11 @@ class Home(main.Home):
            return werkzeug.exceptions.Unauthorized().get_response()
        return super(Home, self).web_client(s_action, **kw)

-    def _get_user_id_from_attributes(self, res_users, cr):
-        headers = http.request.httprequest.headers.environ
+    def _get_user_id_from_headers(self, res_users, headers, cr):
        login = headers.get(self._REMOTE_USER_ATTRIBUTE, None)
        if not login:
-            _logger.error("Required fields '%s' not found in http headers\n %s",
-                          self._REMOTE_USER_ATTRIBUTE, headers)
+            _logger.info("Expected fields '%s' not found in http headers\n %s",
+                         self._REMOTE_USER_ATTRIBUTE, headers)
            return None
        user_ids = res_users.search(cr, SUPERUSER_ID, [('login', '=', login),
                                                       ('active', '=', True)])
@ -71,22 +70,24 @@ class Home(main.Home):
                    return
                res_users = registry.get('res.users')
                # get the user
-                user_id = self._get_user_id_from_attributes(res_users,
-                                                            cr)
-                if request.session.uid and request.session.uid == user_id:
-                    return
-
-                config = registry.get('base.config.settings')
-                # get parameters for SSO
-                default_login_page_disabled = \
-                    config.is_default_login_page_disabled(cr,
-                                                          SUPERUSER_ID,
-                                                          None)
-
-                if user_id is None:
-                    if default_login_page_disabled:
+                headers = http.request.httprequest.headers.environ
+                user_id = self._get_user_id_from_headers(res_users,
+                                                         headers,
+                                                         cr)
+
+                if not user_id:
+                    if self._REMOTE_USER_ATTRIBUTE in headers:
+                        request.session.logout(keep_db=True)
                        raise http.AuthenticationError()
-                    return
+                    else:
+                        return None
+
+                request_uid = request.session.uid
+                if request_uid:
+                    if request_uid == user_id:
+                        return
+                    else:
+                        request.session.logout(keep_db=True)

                # generate a specific key for authentication
                key = randomString(utils.KEY_LENGTH, '0123456789abcdef')
--- a/auth_from_http_remote_user/model.py
+++ b/auth_from_http_remote_user/model.py
@ -22,6 +22,6 @@ from openerp.osv import orm


 class AuthFromHttpRemoteUserInstalled(orm.AbstractModel):
-    """An abstract model used to safely now if the module is installed
+    """An abstract model used to safely know if the module is installed
    """
    _name = 'auth_from_http_remote_user.installed'
--- a/auth_from_http_remote_user/res_config.py
+++ b/auth_from_http_remote_user/res_config.py
@ -1,64 +0,0 @@
-# -*- coding: utf-8 -*-
-##############################################################################
-#
-#    Author: Laurent Mignon
-#    Copyright 2014 'ACSONE SA/NV'
-#
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU Affero General Public License as
-#    published by the Free Software Foundation, either version 3 of the
-#    License, or (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU Affero General Public License for more details.
-#
-#    You should have received a copy of the GNU Affero General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-##############################################################################
-
-from openerp.osv import orm, fields
-from openerp.tools.safe_eval import safe_eval
-
-
-class auth_from_http_remote_user_configuration(orm.TransientModel):
-    _inherit = 'base.config.settings'
-
-    _columns = {
-        'default_login_page_disabled': fields.boolean("Disable login page when "
-                                                      "login with HTTP Remote "
-                                                      "User",
-                                                      help="""
-Disable the default login page.
-If the HTTP_REMOTE_HEADER field is not found or no user matches the given one,
-the system will display a login error page if the login page is disabled.
-Otherwise the normal login page will be displayed.
-    """),
-    }
-
-    def is_default_login_page_disabled(self, cr, uid, fields, context=None):
-        vals = self.get_default_default_login_page_disabled(cr,
-                                                            uid,
-                                                            fields,
-                                                            context=context)
-        return vals.get('default_login_page_disabled', False)
-
-    def get_default_default_login_page_disabled(self, cr, uid, fields,
-                                                context=None):
-        icp = self.pool.get('ir.config_parameter')
-        # we use safe_eval on the result, since the value of
-        # the parameter is a nonempty string
-        is_disabled = icp.get_param(cr, uid, 'default_login_page_disabled',
-                                    'False')
-        return {'default_login_page_disabled': safe_eval(is_disabled)}
-
-    def set_default_default_login_page_disabled(self, cr, uid, ids,
-                                                context=None):
-        config = self.browse(cr, uid, ids[0], context=context)
-        icp = self.pool.get('ir.config_parameter')
-        # we store the repr of the value, since the value of the parameter
-        # is a required string
-        icp.set_param(cr, uid, 'default_login_page_disabled',
-                      repr(config.default_login_page_disabled))
--- a/auth_from_http_remote_user/res_config_data.xml
+++ b/auth_from_http_remote_user/res_config_data.xml
@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-<openerp>
-    <data noupdate="1">
-        <record model="ir.config_parameter" id="auth_from_http_remote_user.default_login_page_disabled">
-            <field name="key">auth_from_http_remote_user.default_login_page_disabled</field>
-            <field name="value">False</field>
-        </record>
-    </data>
-</openerp>
--- a/auth_from_http_remote_user/res_config_view.xml
+++ b/auth_from_http_remote_user/res_config_view.xml
@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<openerp>
-  <data>
-    <record id="view_general_configuration" model="ir.ui.view">
-      <field name="name">base.config.settings.auth_from_http_remote_user</field>
-      <field name="model">base.config.settings</field>
-      <field name="inherit_id" ref="base_setup.view_general_configuration" />
-      <field name="arch" type="xml">
-        <xpath expr="//field[@name='module_auth_oauth']/.." position="after">
-          <div>
-            <field name="default_login_page_disabled" class="oe_inline" />
-            <label for="default_login_page_disabled" />
-          </div>
-        </xpath>
-      </field>
-    </record>
-  </data>
-</openerp>