
Merge pull request #1183 from akretion/8.0-auth-brute-force-log-request-environment

8.0 auth brute force log request environment
pull/1213/head
beau sebastien 7 years ago
committed by GitHub
parent
commit
6f0acfd6de
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 11
      auth_brute_force/README.rst
  2. 15
      auth_brute_force/controllers/controllers.py
  3. 2
      auth_brute_force/models/res_authentication_attempt.py
  4. 2
      auth_brute_force/views/view.xml

11
auth_brute_force/README.rst

@ -37,6 +37,16 @@ Once installed, you can change the ir.config_parameter value for the key
'auth_brute_force.max_attempt_qty' (10 by default) that define the max number
of attempts allowed before the user was banned.
You can also add a ir.config_parameter value for the key
'auth_brute_force.environ_log' which allows to log also specific request
environment variables.
The format is a comma-delimited list of variable names
example: REMOTE_ADDR,REMOTE_PORT
or you can just use the jocker '*' for log or discover all variables,
most variable names depends of WSGI specification and reverse-proxy configuration.
Usage
-----
@ -97,6 +107,7 @@ Contributors
------------
* Sylvain LE GAL (https://twitter.com/legalsylvain)
* Sylvain CALADOR (https://akretion.com)
Maintainer
----------

15
auth_brute_force/controllers/controllers.py

@ -49,6 +49,11 @@ class LoginController(Home):
[('key', '=', 'auth_brute_force.max_attempt_qty')],
['value'])[0]['value'])
environ_log = config_obj.search_read(
cursor, SUPERUSER_ID,
[('key', '=', 'auth_brute_force.environ_log')],
['value'])
# Test if remote user is banned
banned = banned_remote_obj.search(cursor, SUPERUSER_ID, [
('remote', '=', remote)])
@ -68,10 +73,20 @@ class LoginController(Home):
# Log attempt
cursor.commit()
environ = ''
if environ_log:
filter_value = environ_log[0]['value']
filter_keys = [k.strip() for k in filter_value.split(',')]
for key, value in request.httprequest.environ.items():
if key in filter_keys or filter_value == '*':
environ += '%s=%s\n' % (key, value)
attempt_obj.create(cursor, SUPERUSER_ID, {
'attempt_date': fields.Datetime.now(),
'login': request.params['login'],
'remote': remote,
'environ': environ,
'result': banned and 'banned' or (
result and 'successfull' or 'failed'),
})
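Review bot: With the `*` wildcard the loop over `request.httprequest.environ.items()` persists every request header the WSGI server exposes as an `HTTP_*` key, which includes `HTTP_COOKIE` and `HTTP_AUTHORIZATION`, so session cookies and any credentials sent with the login request end up stored in `res.authentication.attempt` rows that are listed in the tree view and searchable from the `environ` field — and the README hunk explicitly suggests `*` for discovery. Those credential-bearing keys should be dropped regardless of the configured filter, and the per-iteration `filter_value == '*'` comparison is loop-invariant and can be hoisted. The enclosing method starts and ends outside both hunks, so the exact placement of the constant is inferred; a module-level tuple is assumed below.
```python
# Headers that carry credentials; never persisted, even under '*'.
_SENSITIVE_ENVIRON = ('HTTP_COOKIE', 'HTTP_AUTHORIZATION',
                      'HTTP_PROXY_AUTHORIZATION')

# … unchanged: banned check, attempt bookkeeping …
environ = ''
if environ_log:
    filter_value = environ_log[0]['value']
    filter_keys = [k.strip() for k in filter_value.split(',')]
    log_all = filter_value.strip() == '*'
    for key, value in request.httprequest.environ.items():
        if key in _SENSITIVE_ENVIRON:
            continue
        if log_all or key in filter_keys:
            environ += '%s=%s\n' % (key, value)
# … unchanged: attempt_obj.create(...) …
```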

2
auth_brute_force/models/res_authentication_attempt.py

@ -41,6 +41,8 @@ class ResAuthenticationAttempt(models.Model):
remote = fields.Char(string='Remote ID')
environ = fields.Text(string='Environment')
result = fields.Selection(
selection=_ATTEMPT_RESULT, string='Authentication Result')

2
auth_brute_force/views/view.xml

@ -29,6 +29,7 @@
<field name="remote" />
<field name="login" />
<field name="result" />
<field name="environ" />
</tree>
</field>
</record>
@ -48,6 +49,7 @@
<field name="arch" type="xml">
<search>
<field name="login"/>
<field name="environ"/>
<filter name="filter_no_success" string="Without Success" domain="[('result','!=', 'successfull')]"/>
<filter name="filter_banned" string="Banned" domain="[('result','=', 'banned')]"/>
<filter name="filter_failed" string="Failed" domain="[('result','=', 'failed')]"/>
