Merge pull request #1183 from akretion/8.0-auth-brute-force-log-request-environment

8.0 auth brute force log request environment
7 years ago · 6f0acfd6de
4 changed files with 30 additions and 0 deletions
--- a/auth_brute_force/README.rst
+++ b/auth_brute_force/README.rst
@ -37,6 +37,16 @@ Once installed, you can change the ir.config_parameter value for the key
 'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
 of attempts allowed before the user was banned.

+You can also add a ir.config_parameter value for the key
+'auth_brute_force.environ_log' which allows to log also specific request
+environment variables.
+
+The format is a  comma-delimited list of variable names
+example: REMOTE_ADDR,REMOTE_PORT
+
+or you can just use the jocker '*' for log or discover all variables,
+most variable names depends of WSGI specification and reverse-proxy configuration.
+
 Usage
 -----

@ -97,6 +107,7 @@ Contributors
 ------------

 * Sylvain LE GAL (https://twitter.com/legalsylvain)
+* Sylvain CALADOR (https://akretion.com)

 Maintainer
 ----------
--- a/auth_brute_force/controllers/controllers.py
+++ b/auth_brute_force/controllers/controllers.py
@ -49,6 +49,11 @@ class LoginController(Home):
                [('key', '=', 'auth_brute_force.max_attempt_qty')],
                ['value'])[0]['value'])

+            environ_log = config_obj.search_read(
+                cursor, SUPERUSER_ID,
+                [('key', '=', 'auth_brute_force.environ_log')],
+                ['value'])
+
            # Test if remote user is banned
            banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
                ('remote', '=', remote)])
@ -68,10 +73,20 @@ class LoginController(Home):

            # Log attempt
            cursor.commit()
+
+            environ = ''
+            if environ_log:
+                filter_value = environ_log[0]['value']
+                filter_keys = [k.strip() for k in filter_value.split(',')]
+                for key, value in request.httprequest.environ.items():
+                    if key in filter_keys or filter_value == '*':
+                        environ += '%s=%s\n' % (key, value)
+
            attempt_obj.create(cursor, SUPERUSER_ID, {
                'attempt_date': fields.Datetime.now(),
                'login': request.params['login'],
                'remote': remote,
+                'environ': environ,
                'result': banned and 'banned' or (
                    result and 'successfull' or 'failed'),
            })
--- a/auth_brute_force/models/res_authentication_attempt.py
+++ b/auth_brute_force/models/res_authentication_attempt.py
@ -41,6 +41,8 @@ class ResAuthenticationAttempt(models.Model):

    remote = fields.Char(string='Remote ID')

+    environ = fields.Text(string='Environment')
+
    result = fields.Selection(
        selection=_ATTEMPT_RESULT, string='Authentication Result')

--- a/auth_brute_force/views/view.xml
+++ b/auth_brute_force/views/view.xml
@ -29,6 +29,7 @@
                    <field name="remote" />
                    <field name="login" />
                    <field name="result" />
+                    <field name="environ" />
                </tree>
            </field>
        </record>
@ -48,6 +49,7 @@
            <field name="arch" type="xml">
                <search>
                   <field name="login"/>
+                   <field name="environ"/>
                   <filter name="filter_no_success" string="Without Success" domain="[('result','!=', 'successfull')]"/>
                   <filter name="filter_banned" string="Banned" domain="[('result','=', 'banned')]"/>
                   <filter name="filter_failed" string="Failed" domain="[('result','=', 'failed')]"/>