Merge pull request #1183 from akretion/8.0-auth-brute-force-log-request-environment

8.0 auth brute force log request environment

auth_brute_force/README.rst

@@ -37,6 +37,16 @@ Once installed, you can change the ir.config_parameter value for the key
 'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
 of attempts allowed before the user was banned.
 
+You can also add a ir.config_parameter value for the key
+'auth_brute_force.environ_log' which allows to log also specific request
+environment variables.
+
+The format is a  comma-delimited list of variable names
+example: REMOTE_ADDR,REMOTE_PORT
+
+or you can just use the jocker '*' for log or discover all variables,
+most variable names depends of WSGI specification and reverse-proxy configuration.
+
 Usage
 -----
 
@@ -97,6 +107,7 @@ Contributors
 ------------
 
 * Sylvain LE GAL (https://twitter.com/legalsylvain)
+* Sylvain CALADOR (https://akretion.com)
 
 Maintainer
 ----------

auth_brute_force/controllers/controllers.py

@@ -49,6 +49,11 @@ class LoginController(Home):
                 [('key', '=', 'auth_brute_force.max_attempt_qty')],
                 ['value'])[0]['value'])
 
+            environ_log = config_obj.search_read(
+                cursor, SUPERUSER_ID,
+                [('key', '=', 'auth_brute_force.environ_log')],
+                ['value'])
+
             # Test if remote user is banned
             banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
                 ('remote', '=', remote)])
@@ -68,10 +73,20 @@ class LoginController(Home):
 
             # Log attempt
             cursor.commit()
+
+            environ = ''
+            if environ_log:
+                filter_value = environ_log[0]['value']
+                filter_keys = [k.strip() for k in filter_value.split(',')]
+                for key, value in request.httprequest.environ.items():
+                    if key in filter_keys or filter_value == '*':
+                        environ += '%s=%s\n' % (key, value)
+
             attempt_obj.create(cursor, SUPERUSER_ID, {
                 'attempt_date': fields.Datetime.now(),
                 'login': request.params['login'],
                 'remote': remote,
+                'environ': environ,
                 'result': banned and 'banned' or (
                     result and 'successfull' or 'failed'),
             })

auth_brute_force/models/res_authentication_attempt.py

@@ -41,6 +41,8 @@ class ResAuthenticationAttempt(models.Model):
 
     remote = fields.Char(string='Remote ID')
 
+    environ = fields.Text(string='Environment')
+
     result = fields.Selection(
         selection=_ATTEMPT_RESULT, string='Authentication Result')
 

auth_brute_force/views/view.xml

@@ -29,6 +29,7 @@
                     <field name="remote" />
                     <field name="login" />
                     <field name="result" />
+                    <field name="environ" />
                 </tree>
             </field>
         </record>
@@ -48,6 +49,7 @@
             <field name="arch" type="xml">
                 <search>
                    <field name="login"/>
+                   <field name="environ"/>
                    <filter name="filter_no_success" string="Without Success" domain="[('result','!=', 'successfull')]"/>
                    <filter name="filter_banned" string="Banned" domain="[('result','=', 'banned')]"/>
                    <filter name="filter_failed" string="Failed" domain="[('result','=', 'failed')]"/>