From 48540a76a10c1302d8387ed7ee6922d92449be8d Mon Sep 17 00:00:00 2001
From: Sylvain Calador <sylvain.calador@akretion.com>
Date: Thu, 8 Mar 2018 17:19:35 +0100
Subject: [PATCH 1/4] [IMP] add the possibility to log also request environment
 variables

---
 auth_brute_force/README.rst                       |  6 ++++++
 auth_brute_force/controllers/controllers.py       | 15 +++++++++++++++
 .../models/res_authentication_attempt.py          |  2 ++
 auth_brute_force/views/view.xml                   |  2 ++
 4 files changed, 25 insertions(+)

diff --git a/auth_brute_force/README.rst b/auth_brute_force/README.rst
index 60b0a73aa..3fb779986 100644
--- a/auth_brute_force/README.rst
+++ b/auth_brute_force/README.rst
@@ -37,6 +37,11 @@ Once installed, you can change the ir.config_parameter value for the key
 'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
 of attempts allowed before the user was banned.
 
+You can also add a ir.config_parameter value for the key
+'auth_brute_force.environ_log' which allow to log also specific request
+environment variables. The format comma-delimited list of varible names
+example: REMOTE_ADDR,REMOTE_PORT
+
 Usage
 -----
 
@@ -97,6 +102,7 @@ Contributors
 ------------
 
 * Sylvain LE GAL (https://twitter.com/legalsylvain)
+* Sylvain CALADOR (https://akretion.com)
 
 Maintainer
 ----------
diff --git a/auth_brute_force/controllers/controllers.py b/auth_brute_force/controllers/controllers.py
index f752eee95..14fa09e0f 100644
--- a/auth_brute_force/controllers/controllers.py
+++ b/auth_brute_force/controllers/controllers.py
@@ -49,6 +49,11 @@ class LoginController(Home):
                 [('key', '=', 'auth_brute_force.max_attempt_qty')],
                 ['value'])[0]['value'])
 
+            environ_log = config_obj.search_read(
+                cursor, SUPERUSER_ID,
+                [('key', '=', 'auth_brute_force.environ_log')],
+                ['value'])
+
             # Test if remote user is banned
             banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
                 ('remote', '=', remote)])
@@ -68,10 +73,20 @@ class LoginController(Home):
 
             # Log attempt
             cursor.commit()
+
+            environ = ''
+            if environ_log:
+                value = environ_log[0]['value']
+                log_keys = [k.strip() for k in value.split(',')]
+                for key, value in request.httprequest.environ.items():
+                    if key in log_keys:
+                        environ += '%s=%s\n' % (key, value)
+
             attempt_obj.create(cursor, SUPERUSER_ID, {
                 'attempt_date': fields.Datetime.now(),
                 'login': request.params['login'],
                 'remote': remote,
+                'environ': environ,
                 'result': banned and 'banned' or (
                     result and 'successfull' or 'failed'),
             })
diff --git a/auth_brute_force/models/res_authentication_attempt.py b/auth_brute_force/models/res_authentication_attempt.py
index 84e735bd3..ad5a90018 100644
--- a/auth_brute_force/models/res_authentication_attempt.py
+++ b/auth_brute_force/models/res_authentication_attempt.py
@@ -41,6 +41,8 @@ class ResAuthenticationAttempt(models.Model):
 
     remote = fields.Char(string='Remote ID')
 
+    environ = fields.Text(string='Environment')
+
     result = fields.Selection(
         selection=_ATTEMPT_RESULT, string='Authentication Result')
 
diff --git a/auth_brute_force/views/view.xml b/auth_brute_force/views/view.xml
index 7b7de28c3..c6267b9cf 100644
--- a/auth_brute_force/views/view.xml
+++ b/auth_brute_force/views/view.xml
@@ -29,6 +29,7 @@
                     <field name="remote" />
                     <field name="login" />
                     <field name="result" />
+                    <field name="environ" />
                 </tree>
             </field>
         </record>
@@ -48,6 +49,7 @@
             <field name="arch" type="xml">
                 <search>
                    <field name="login"/>
+                   <field name="environ"/>
                    <filter name="filter_no_success" string="Without Success" domain="[('result','!=', 'successfull')]"/>
                    <filter name="filter_banned" string="Banned" domain="[('result','=', 'banned')]"/>
                    <filter name="filter_failed" string="Failed" domain="[('result','=', 'failed')]"/>

From 4f8bd1a28e5a17f8f5d1fac888ab05dab1058968 Mon Sep 17 00:00:00 2001
From: Sylvain Calador <sylvain.calador@akretion.com>
Date: Thu, 8 Mar 2018 17:34:29 +0100
Subject: [PATCH 2/4] [FIX] Typo

---
 auth_brute_force/README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_brute_force/README.rst b/auth_brute_force/README.rst
index 3fb779986..9b639574e 100644
--- a/auth_brute_force/README.rst
+++ b/auth_brute_force/README.rst
@@ -38,7 +38,7 @@ Once installed, you can change the ir.config_parameter value for the key
 of attempts allowed before the user was banned.
 
 You can also add a ir.config_parameter value for the key
-'auth_brute_force.environ_log' which allow to log also specific request
+'auth_brute_force.environ_log' which allows to log also specific request
 environment variables. The format comma-delimited list of varible names
 example: REMOTE_ADDR,REMOTE_PORT
 

From 72fbd0e94aeef2120072ee7939d32b606b14fe4f Mon Sep 17 00:00:00 2001
From: Sylvain Calador <sylvain.calador@akretion.com>
Date: Thu, 8 Mar 2018 22:53:26 +0100
Subject: [PATCH 3/4] [IMP] add a jocker '*' for discover or log all request
 environment variables

---
 auth_brute_force/README.rst                 | 7 ++++++-
 auth_brute_force/controllers/controllers.py | 6 +++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/auth_brute_force/README.rst b/auth_brute_force/README.rst
index 9b639574e..79ed0057e 100644
--- a/auth_brute_force/README.rst
+++ b/auth_brute_force/README.rst
@@ -39,9 +39,14 @@ of attempts allowed before the user was banned.
 
 You can also add a ir.config_parameter value for the key
 'auth_brute_force.environ_log' which allows to log also specific request
-environment variables. The format comma-delimited list of varible names
+environment variables.
+
+The format is a  comma-delimited list of variable names
 example: REMOTE_ADDR,REMOTE_PORT
 
+or you can just use the jocker '*' for log or discover all variables,
+the variable names depends of the reverse-proxy configuration.
+
 Usage
 -----
 
diff --git a/auth_brute_force/controllers/controllers.py b/auth_brute_force/controllers/controllers.py
index 14fa09e0f..acee0f3c6 100644
--- a/auth_brute_force/controllers/controllers.py
+++ b/auth_brute_force/controllers/controllers.py
@@ -76,10 +76,10 @@ class LoginController(Home):
 
             environ = ''
             if environ_log:
-                value = environ_log[0]['value']
-                log_keys = [k.strip() for k in value.split(',')]
+                filter_value = environ_log[0]['value']
+                filter_keys = [k.strip() for k in filter_value.split(',')]
                 for key, value in request.httprequest.environ.items():
-                    if key in log_keys:
+                    if key in filter_keys or filter_value == '*':
                         environ += '%s=%s\n' % (key, value)
 
             attempt_obj.create(cursor, SUPERUSER_ID, {

From 845f036c4cd00d93f6f1524f1990dafe41c9e32f Mon Sep 17 00:00:00 2001
From: Sylvain Calador <sylvain.calador@akretion.com>
Date: Thu, 8 Mar 2018 23:05:06 +0100
Subject: [PATCH 4/4] [IMP] README.rst

---
 auth_brute_force/README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_brute_force/README.rst b/auth_brute_force/README.rst
index 79ed0057e..dbe931307 100644
--- a/auth_brute_force/README.rst
+++ b/auth_brute_force/README.rst
@@ -45,7 +45,7 @@ The format is a  comma-delimited list of variable names
 example: REMOTE_ADDR,REMOTE_PORT
 
 or you can just use the jocker '*' for log or discover all variables,
-the variable names depends of the reverse-proxy configuration.
+most variable names depends of WSGI specification and reverse-proxy configuration.
 
 Usage
 -----