From 58ec085e4c3b0ccd196a94c226ca006c2e4c43f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Valyi?= Date: Tue, 22 Nov 2016 12:21:14 +0000 Subject: [PATCH] auth_admin_passkey to new API (#519) --- auth_admin_passkey/__init__.py | 27 +--- auth_admin_passkey/__openerp__.py | 27 +--- auth_admin_passkey/model/res_config.py | 76 ---------- auth_admin_passkey/model/res_users.py | 137 ------------------ .../{model => models}/__init__.py | 0 auth_admin_passkey/models/res_config.py | 53 +++++++ auth_admin_passkey/models/res_users.py | 118 +++++++++++++++ .../tests/test_auth_admin_passkey.py | 25 +--- .../{view => views}/res_config_view.xml | 0 9 files changed, 185 insertions(+), 278 deletions(-) delete mode 100644 auth_admin_passkey/model/res_config.py delete mode 100644 auth_admin_passkey/model/res_users.py rename auth_admin_passkey/{model => models}/__init__.py (100%) create mode 100644 auth_admin_passkey/models/res_config.py create mode 100644 auth_admin_passkey/models/res_users.py rename auth_admin_passkey/{view => views}/res_config_view.xml (100%) diff --git a/auth_admin_passkey/__init__.py b/auth_admin_passkey/__init__.py index 088e71f64..6751b2be1 100644 --- a/auth_admin_passkey/__init__.py +++ b/auth_admin_passkey/__init__.py @@ -1,23 +1,6 @@ -# -*- encoding: utf-8 -*- -############################################################################## -# -# Admin Passkey module for OpenERP -# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) -# @author Sylvain LE GAL (https://twitter.com/legalsylvain) -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## +# -*- coding: utf-8 -*- +# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) +# @author Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3 - See http://www.gnu.org/licenses/agpl-3.0.html -from . import model +from . import models diff --git a/auth_admin_passkey/__openerp__.py b/auth_admin_passkey/__openerp__.py index f8e82019c..26930eaae 100644 --- a/auth_admin_passkey/__openerp__.py +++ b/auth_admin_passkey/__openerp__.py @@ -1,24 +1,7 @@ -# -*- encoding: utf-8 -*- -############################################################################## -# -# Admin Passkey module for OpenERP -# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) -# @author Sylvain LE GAL (https://twitter.com/legalsylvain) -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## +# -*- coding: utf-8 -*- +# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) +# @author Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3 - See http://www.gnu.org/licenses/agpl-3.0.html { 'name': 'Authentification - Admin Passkey', @@ -32,7 +15,7 @@ ], 'data': [ 'data/ir_config_parameter.xml', - 'view/res_config_view.xml', + 'views/res_config_view.xml', ], 'demo': [], 'js': [], diff --git a/auth_admin_passkey/model/res_config.py b/auth_admin_passkey/model/res_config.py deleted file mode 100644 index 11c7fa083..000000000 --- a/auth_admin_passkey/model/res_config.py +++ /dev/null @@ -1,76 +0,0 @@ -# -*- encoding: utf-8 -*- -############################################################################## -# -# Admin Passkey module for OpenERP -# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) -# @author Sylvain LE GAL (https://twitter.com/legalsylvain) -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## - -from openerp.osv import fields -from openerp.osv.orm import TransientModel -from openerp.tools.safe_eval import safe_eval - - -class base_config_settings(TransientModel): - _inherit = 'base.config.settings' - - # Getter / Setter Section - def get_default_auth_admin_passkey_send_to_admin( - self, cr, uid, ids, context=None): - icp = self.pool['ir.config_parameter'] - return { - 'auth_admin_passkey_send_to_admin': safe_eval(icp.get_param( - cr, uid, 'auth_admin_passkey.send_to_admin', 'True')), - } - - def set_auth_admin_passkey_send_to_admin(self, cr, uid, ids, context=None): - config = self.browse(cr, uid, ids[0], context=context) - icp = self.pool['ir.config_parameter'] - icp.set_param( - cr, uid, 'auth_admin_passkey.send_to_admin', - repr(config.auth_admin_passkey_send_to_admin)) - - def get_default_auth_admin_passkey_send_to_user( - self, cr, uid, ids, context=None): - icp = self.pool['ir.config_parameter'] - return { - 'auth_admin_passkey_send_to_user': safe_eval(icp.get_param( - cr, uid, 'auth_admin_passkey.send_to_user', 'True')), - } - - def set_auth_admin_passkey_send_to_user(self, cr, uid, ids, context=None): - config = self.browse(cr, uid, ids[0], context=context) - icp = self.pool['ir.config_parameter'] - icp.set_param( - cr, uid, 'auth_admin_passkey.send_to_user', - repr(config.auth_admin_passkey_send_to_user)) - - # Columns Section - _columns = { - 'auth_admin_passkey_send_to_admin': fields.boolean( - 'Send email to admin user.', - help="""When the administrator use his password to login in """ - """with a different account, OpenERP will send an email """ - """to the admin user.""", - ), - 'auth_admin_passkey_send_to_user': fields.boolean( - string='Send email to user.', - help="""When the administrator use his password to login in """ - """with a different account, OpenERP will send an email """ - """to the account user.""", - ), - } diff --git a/auth_admin_passkey/model/res_users.py b/auth_admin_passkey/model/res_users.py deleted file mode 100644 index d0a5a8aa2..000000000 --- a/auth_admin_passkey/model/res_users.py +++ /dev/null @@ -1,137 +0,0 @@ -# -*- encoding: utf-8 -*- -############################################################################## -# -# Admin Passkey module for OpenERP -# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) -# @author Sylvain LE GAL (https://twitter.com/legalsylvain) -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## - -import datetime - -from openerp import SUPERUSER_ID -from openerp import pooler -from openerp import exceptions -from openerp.osv.orm import Model -from openerp.tools.translate import _ -from openerp.tools.safe_eval import safe_eval - - -class res_users(Model): - _inherit = "res.users" - - # Private Function section - def _get_translation(self, cr, lang, text): - context = {'lang': lang} # noqa: _() checks page for locals - return _(text) - - def _send_email_passkey(self, cr, user_id, user_agent_env): - """ Send a email to the admin of the system and / or the user - to inform passkey use.""" - mails = [] - mail_obj = self.pool['mail.mail'] - icp_obj = self.pool['ir.config_parameter'] - admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID) - login_user = self.browse(cr, SUPERUSER_ID, user_id) - send_to_admin = safe_eval(icp_obj.get_param( - cr, SUPERUSER_ID, 'auth_admin_passkey.send_to_admin', 'True')) - send_to_user = safe_eval(icp_obj.get_param( - cr, SUPERUSER_ID, 'auth_admin_passkey.send_to_user', 'True')) - - if send_to_admin and admin_user.email: - mails.append({'email': admin_user.email, 'lang': admin_user.lang}) - if send_to_user and login_user.email: - mails.append({'email': login_user.email, 'lang': login_user.lang}) - - for mail in mails: - subject = self._get_translation( - cr, mail['lang'], _('Passkey used')) - body = self._get_translation( - cr, mail['lang'], - _("""Admin user used his passkey to login with '%s'.\n\n""" - """\n\nTechnicals informations belows : \n\n""" - """- Login date : %s\n\n""")) % ( - login_user.login, - datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) - for k, v in user_agent_env.iteritems(): - body += ("- %s : %s\n\n") % (k, v) - mail_obj.create( - cr, SUPERUSER_ID, { - 'email_to': mail['email'], - 'subject': subject, - 'body_html': '
%s
' % body}) - - def _send_email_same_password(self, cr, login_user): - """ Send a email to the admin user to inform that another user has the - same password as him.""" - mail_obj = self.pool['mail.mail'] - admin_user = self.browse(cr, SUPERUSER_ID, SUPERUSER_ID) - if admin_user.email: - mail_obj.create(cr, SUPERUSER_ID, { - 'email_to': admin_user.email, - 'subject': self._get_translation( - cr, admin_user.lang, _('[WARNING] OpenERP Security Risk')), - 'body_html': self._get_translation( - cr, admin_user.lang, _( - """
User with login '%s' has the same """
-                        """password as you.
""")) % (login_user), - }) - - # Overload Section - def authenticate(self, db, login, password, user_agent_env): - """ Authenticate the user 'login' is password is ok or if - is admin password. In the second case, send mail to user and admin.""" - user_id = super(res_users, self).authenticate( - db, login, password, user_agent_env) - if user_id and (user_id != SUPERUSER_ID): - same_password = False - cr = pooler.get_db(db).cursor() - try: - # directly use parent 'check_credentials' function - # to really know if credentials are ok - # or if it was admin password - super(res_users, self).check_credentials( - cr, SUPERUSER_ID, password) - try: - # Test now if the user has the same password as admin user - super(res_users, self).check_credentials( - cr, user_id, password) - same_password = True - except exceptions.AccessDenied: - pass - if not same_password: - self._send_email_passkey(cr, user_id, user_agent_env) - else: - self._send_email_same_password(cr, login) - cr.commit() - except exceptions.AccessDenied: - pass - finally: - cr.close() - return user_id - - def check_credentials(self, cr, uid, password): - """ Return now True if credentials are good OR if password is admin -password.""" - if uid != SUPERUSER_ID: - try: - super(res_users, self).check_credentials( - cr, uid, password) - return True - except exceptions.AccessDenied: - return self.check_credentials(cr, SUPERUSER_ID, password) - else: - return super(res_users, self).check_credentials(cr, uid, password) diff --git a/auth_admin_passkey/model/__init__.py b/auth_admin_passkey/models/__init__.py similarity index 100% rename from auth_admin_passkey/model/__init__.py rename to auth_admin_passkey/models/__init__.py diff --git a/auth_admin_passkey/models/res_config.py b/auth_admin_passkey/models/res_config.py new file mode 100644 index 000000000..62c34d287 --- /dev/null +++ b/auth_admin_passkey/models/res_config.py @@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- +# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) +# @author Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3 - See http://www.gnu.org/licenses/agpl-3.0.html + +from openerp import api, fields, models + + +class BaseConfigSettings(models.TransientModel): + _inherit = 'base.config.settings' + + # Getter / Setter Section + @api.model + def get_default_auth_admin_passkey_send_to_admin(self, fields): + return { + 'auth_admin_passkey_send_to_admin': + self.env["ir.config_parameter"].get_param( + "auth_admin_passkey.send_to_admin") + } + + @api.multi + def set_auth_admin_passkey_send_to_admin(self): + for config in self: + self.env['ir.config_parameter'].set_param( + "auth_admin_passkey.send_to_admin", + config.auth_admin_passkey_send_to_admin or '') + + @api.model + def get_default_auth_admin_passkey_send_to_user(self, fields): + return { + 'auth_admin_passkey_send_to_user': + self.env["ir.config_parameter"].get_param( + "auth_admin_passkey.send_to_user") + } + + @api.multi + def set_auth_admin_passkey_send_to_user(self): + for config in self: + self.env['ir.config_parameter'].set_param( + "auth_admin_passkey.send_to_user", + config.auth_admin_passkey_send_to_user or '') + + auth_admin_passkey_send_to_admin = fields.Boolean( + string='Send email to admin user.', + help="""When the administrator use his password to login in """ + """with a different account, OpenERP will send an email """ + """to the admin user.""") + + auth_admin_passkey_send_to_user = fields.Boolean( + string='Send email to user.', + help="""When the administrator use his password to login in """ + """with a different account, OpenERP will send an email """ + """to the account user.""") diff --git a/auth_admin_passkey/models/res_users.py b/auth_admin_passkey/models/res_users.py new file mode 100644 index 000000000..e2495143e --- /dev/null +++ b/auth_admin_passkey/models/res_users.py @@ -0,0 +1,118 @@ +# -*- coding: utf-8 -*- +# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) +# @author Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3 - See http://www.gnu.org/licenses/agpl-3.0.html + +import datetime + +from openerp import _, api, exceptions, models, registry, SUPERUSER_ID +from openerp.tools.safe_eval import safe_eval + + +class ResUsers(models.Model): + _inherit = "res.users" + + def _get_translation(self, lang, text): + context = {'lang': lang} # noqa: _() checks page for locals + return _(text) + + @api.model + def _send_email_passkey(self, user_agent_env): + """ Send a email to the admin of the system and / or the user + to inform passkey use.""" + mails = [] + mail_obj = self.env['mail.mail'] + icp_obj = self.env['ir.config_parameter'] + admin_user = self.sudo().browse(SUPERUSER_ID) + login_user = self.sudo().browse(self.env.uid) + send_to_admin = safe_eval(icp_obj.sudo().get_param( + 'auth_admin_passkey.send_to_admin', + 'True')) + send_to_user = safe_eval(icp_obj.sudo().get_param( + 'auth_admin_passkey.send_to_user', + 'True')) + + if send_to_admin and admin_user.email: + mails.append({'email': admin_user.email, 'lang': admin_user.lang}) + if send_to_user and login_user.email: + mails.append({'email': login_user.email, 'lang': login_user.lang}) + for mail in mails: + subject = self._get_translation( + mail['lang'], _('Passkey used')) + body = self._get_translation( + mail['lang'], + _("""Admin user used his passkey to login with '%s'.\n\n""" + """\n\nTechnicals informations belows : \n\n""" + """- Login date : %s\n\n""")) % ( + login_user.login, + datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) + for k, v in user_agent_env.iteritems(): + body += ("- %s : %s\n\n") % (k, v) + mail = mail_obj.sudo().create({ + 'email_to': mail['email'], + 'subject': subject, + 'body_html': '
%s
' % body}) + mail.send(auto_commit=True) + + @api.cr + def _send_email_same_password(self, login_user): + """ Send a email to the admin user to inform that another user has the + same password as him.""" + mail_obj = self.env['mail.mail'] + admin_user = self.sudo().browse(SUPERUSER_ID) + if admin_user.email: + mail = mail_obj.sudo().create({ + 'email_to': admin_user.email, + 'subject': self._get_translation( + admin_user.lang, _('[WARNING] OpenERP Security Risk')), + 'body_html': self._get_translation( + admin_user.lang, _( + """
User with login '%s' has the same """
+                        """password as you.
""")) % (login_user), + }) + mail.send(auto_commit=True) + + # Overload Section + def authenticate(self, db, login, password, user_agent_env): + """ Authenticate the user 'login' is password is ok or if + is admin password. In the second case, send mail to user and admin.""" + user_id = super(ResUsers, self).authenticate( + db, login, password, user_agent_env) + if user_id and (user_id != SUPERUSER_ID): + same_password = False + cr = registry(db).cursor() + try: + # directly use parent 'check_credentials' function + # to really know if credentials are ok + # or if it was admin password + super(ResUsers, self).check_credentials( + cr, SUPERUSER_ID, password) + try: + # Test now if the user has the same password as admin user + super(ResUsers, self).check_credentials( + cr, user_id, password) + same_password = True + except exceptions.AccessDenied: + pass + if not same_password: + self._send_email_passkey(cr, user_id, user_agent_env) + else: + self._send_email_same_password(cr, login) + except exceptions.AccessDenied: + pass + finally: + cr.close() + return user_id + + @api.model + def check_credentials(self, password): + """ Return now True if credentials are good OR if password is admin +password.""" + if self.env.uid != SUPERUSER_ID: + try: + super(ResUsers, self).check_credentials(password) + return True + except exceptions.AccessDenied: + return self.sudo().check_credentials(password) + else: + return super(ResUsers, self).check_credentials(password) diff --git a/auth_admin_passkey/tests/test_auth_admin_passkey.py b/auth_admin_passkey/tests/test_auth_admin_passkey.py index 2ce02d26c..2f0edaf9d 100644 --- a/auth_admin_passkey/tests/test_auth_admin_passkey.py +++ b/auth_admin_passkey/tests/test_auth_admin_passkey.py @@ -1,24 +1,7 @@ -# -*- encoding: utf-8 -*- -############################################################################## -# -# Admin Passkey module for OpenERP -# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) -# @author Sylvain LE GAL (https://twitter.com/legalsylvain) -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## +# -*- coding: utf-8 -*- +# Copyright (C) 2013-2014 GRAP (http://www.grap.coop) +# @author Sylvain LE GAL (https://twitter.com/legalsylvain) +# License AGPL-3 - See http://www.gnu.org/licenses/agpl-3.0.html import threading diff --git a/auth_admin_passkey/view/res_config_view.xml b/auth_admin_passkey/views/res_config_view.xml similarity index 100% rename from auth_admin_passkey/view/res_config_view.xml rename to auth_admin_passkey/views/res_config_view.xml