From 74fcce91eeefb3bf06c5c4e999caf0f06866cb48 Mon Sep 17 00:00:00 2001
From: Oleg Bulkin
Date: Thu, 14 Dec 2017 12:09:53 -0800
Subject: [PATCH] PR commit
---
 auth_totp/controllers/main.py | 12 +++++-----
 .../migrations/10.0.2.0.0/post-migrate.py | 6 ++---
 auth_totp/models/res_users.py | 23 ++++++++-----------
 3 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/auth_totp/controllers/main.py b/auth_totp/controllers/main.py
index d1ef90c7c..384437f9a 100644
--- a/auth_totp/controllers/main.py
+++ b/auth_totp/controllers/main.py
@@ -42,18 +42,18 @@ class AuthTotp(Home):
 @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
 def mfa_login_post(self, *args, **kwargs):
- """Process MFA login attempt
+ """Process MFA login attempt.
 Overview:
 * Identify current user based on login in session. If this doesn't
- work, redirect to the password login page with an error message
+ work, redirect to the password login page with an error message.
 * Validate the confirmation code provided by the user. If it's not
- valid, redirect to the previous login step with an error message
+ valid, redirect to the previous login step with an error message.
 * Update the session to indicate that the MFA login process for
- this user is complete and attempt password authentication again
+ this user is complete and attempt password authentication again.
 * Build a trusted device cookie and add it to the response if the
- trusted device option was checked
- * Redirect to the provided URL or to '/web' if one was not given
+ trusted device option was checked.
+ * Redirect to the provided URL or to '/web' if one was not given.
 """
 # sudo() is required because there is no request.env.uid (likely since
diff --git a/auth_totp/migrations/10.0.2.0.0/post-migrate.py b/auth_totp/migrations/10.0.2.0.0/post-migrate.py
index 4ea21b323..7838c6a40 100644
--- a/auth_totp/migrations/10.0.2.0.0/post-migrate.py
+++ b/auth_totp/migrations/10.0.2.0.0/post-migrate.py
@@ -2,18 +2,18 @@
 # Copyright 2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
-import uuid
+from uuid import uuid4
 from odoo import api, SUPERUSER_ID
 def migrate(cr, version):
- """Generate cookie keys for all users with MFA enabled and clean up"""
+ """Generate cookie keys for all users with MFA enabled and clean up."""
 env = api.Environment(cr, SUPERUSER_ID, {})
 user_model = env['res.users'].with_context(active_test=False)
 mfa_users = user_model.search([('mfa_enabled', '=', True)])
 for mfa_user in mfa_users:
- mfa_user.trusted_device_cookie_key = uuid.uuid4()
+ mfa_user.trusted_device_cookie_key = uuid4()
 # Clean up ir records for device model to prevent warnings
 removed_model = 'res.users.device'
diff --git a/auth_totp/models/res_users.py b/auth_totp/models/res_users.py
index d3dd86147..c04a539f5 100644
--- a/auth_totp/models/res_users.py
+++ b/auth_totp/models/res_users.py
@@ -2,7 +2,7 @@
 # Copyright 2016-2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
-import uuid
+from uuid import uuid4
 from odoo import _, api, fields, models
 from odoo.exceptions import ValidationError
 from odoo.http import request
@@ -39,7 +39,7 @@ class ResUsers(models.Model):
 def _compute_trusted_device_cookie_key(self):
 for record in self:
 if record.mfa_enabled:
- record.trusted_device_cookie_key = uuid.uuid4()
+ record.trusted_device_cookie_key = uuid4()
 else:
 record.trusted_device_cookie_key = False
@@ -56,30 +56,27 @@ class ResUsers(models.Model):
 @api.model
 def check_credentials(self, password):
- """Add MFA logic to core authentication process
+ """Add MFA logic to core authentication process.
 Overview:
- * If user does not have MFA enabled, defer to parent logic
+ * If user does not have MFA enabled, defer to parent logic.
 * If user has MFA enabled and has gone through MFA login process
- this session or has correct device cookie, defer to parent logic
+ this session or has correct device cookie, defer to parent logic.
 * If neither of these is true, call parent logic. If successful,
 prevent auth while updating session to indicate that MFA login
- process can now commence
+ process can now commence.
 """
- user_model_sudo = self.sudo()
- user = user_model_sudo.search([('id', '=', self.env.uid)])
-
- if not user.mfa_enabled:
+ if not self.env.user.mfa_enabled:
 return super(ResUsers, self).check_credentials(password)
 if request:
- if request.session.get('mfa_login_active') == user.id:
+ if request.session.get('mfa_login_active') == self.env.uid:
 return super(ResUsers, self).check_credentials(password)
- cookie_key = 'trusted_devices_%d' % user.id
+ cookie_key = 'trusted_devices_%d' % self.env.uid
 device_cook = request.httprequest.cookies.get(cookie_key)
 if device_cook:
- secret = user.trusted_device_cookie_key
+ secret = self.env.user.trusted_device_cookie_key
 device_cook = JsonSecureCookie.unserialize(device_cook, secret)
 if device_cook:
 return super(ResUsers, self).check_credentials(password)
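Review bot: `JsonSecureCookie.unserialize(device_cook, secret)` is reached whenever the browser presents a `trusted_devices_<uid>` cookie, but `secret` — now `self.env.user.trusted_device_cookie_key` — is never checked to be set; the compute only assigns a key while `mfa_enabled` is True and the 10.0.2.0.0 migration backfills existing users, so an empty key for an MFA-enabled user should be rare, but nothing in this hunk rules it out, and if JsonSecureCookie is the werkzeug SecureCookie subclass it appears to be, HMAC construction raises on a non-string key and the login request fails with an exception rather than falling through to the code-entry step. Tightening the guard to `if device_cook and secret:` keeps a missing key on the deny path, and a cookie is otherwise trusted on signature plus non-empty payload alone, so the per-user key is the only thing binding it to this user. Since the local `user` was dropped, `self.env.user` is now read twice; binding it once at the top (`user = self.env.user`) would keep the later references short. `check_credentials` continues past the hunk — the branch that starts the MFA flow for a user with neither the session flag nor a valid cookie is not visible here.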