Browse Source
[ADD] auth_totp: MFA Support
[ADD] auth_totp: MFA Support
* Add relevant fields and methods to the res.users model * Overload check_credentials in res.users to allow for logins using an MFA login token rather than a password * Add the res.users.authenticator and res.users.device models, along with appropriate ACLs and record rules * Add the res.users.authenticator.create wizard model and an associated view to facilitate creation of res.users.authenticator records * Extend base.view_users_form_simple_modif with fields needed to manage the new functionality * Add an AuthTotp controller that inherits from Home in the web module and an associated view to introduce MFA logic to the login process * Add several new exception classes that inherit from AccessDeniedpull/703/head
Oleg Bulkin
8 years ago
committed by
Dave Lasley
No known key found for this signature in database
GPG Key ID: 7DDBA4BA81B934CF
24 changed files with 1593 additions and 0 deletions
-
105auth_totp/README.rst
-
8auth_totp/__init__.py
-
30auth_totp/__openerp__.py
-
5auth_totp/controllers/__init__.py
-
155auth_totp/controllers/main.py
-
14auth_totp/data/ir_config_parameter.xml
-
20auth_totp/exceptions.py
-
7auth_totp/models/__init__.py
-
97auth_totp/models/res_users.py
-
55auth_totp/models/res_users_authenticator.py
-
16auth_totp/models/res_users_device.py
-
3auth_totp/security/ir.model.access.csv
-
18auth_totp/security/res_users_authenticator_security.xml
-
BINauth_totp/static/description/icon.png
-
8auth_totp/tests/__init__.py
-
393auth_totp/tests/test_main.py
-
202auth_totp/tests/test_res_users.py
-
80auth_totp/tests/test_res_users_authenticator.py
-
151auth_totp/tests/test_res_users_authenticator_create.py
-
34auth_totp/views/auth_totp.xml
-
27auth_totp/views/res_users.xml
-
5auth_totp/wizards/__init__.py
-
117auth_totp/wizards/res_users_authenticator_create.py
-
43auth_totp/wizards/res_users_authenticator_create.xml
@ -0,0 +1,105 @@ |
|||
.. image:: https://img.shields.io/badge/license-LGPL--3-blue.svg |
|||
:target: http://www.gnu.org/licenses/lgpl.html |
|||
:alt: License: LGPL-3 |
|||
|
|||
=========== |
|||
MFA Support |
|||
=========== |
|||
|
|||
This module adds support for MFA using TOTP (time-based, one-time passwords). |
|||
It allows users to enable/disable MFA and manage authentication apps/devices |
|||
via the "Change My Preferences" view and an associated wizard. |
|||
|
|||
After logging in normally, users with MFA enabled are taken to a second screen |
|||
where they have to enter a password generated by one of their authentication |
|||
apps and are presented with the option to remember the current device. This |
|||
creates a secure, HTTP-only cookie that allows subsequent logins to bypass the |
|||
MFA step. |
|||
|
|||
Installation |
|||
============ |
|||
|
|||
1. Install the PyOTP library using pip: ``pip install pyotp`` |
|||
2. Follow the standard module install process |
|||
|
|||
Configuration |
|||
============= |
|||
|
|||
By default, the trusted device cookies introduced by this module have a |
|||
``Secure`` flag and can only be sent via HTTPS. You can disable this by going |
|||
to ``Settings > Parameters > System Parameters`` and changing the |
|||
``auth_totp.secure_cookie`` key to ``0``, but this is not recommended in |
|||
production as it increases the likelihood of cookie theft via eavesdropping. |
|||
|
|||
Usage |
|||
===== |
|||
|
|||
Install and enjoy. |
|||
|
|||
.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas |
|||
:alt: Try me on Runbot |
|||
:target: https://runbot.odoo-community.org/runbot/149/9.0 |
|||
|
|||
Known Issues / Roadmap |
|||
====================== |
|||
|
|||
Known Issues |
|||
------------ |
|||
|
|||
* The module does not uninstall cleanly due to an Odoo bug, leaving the |
|||
``res.users.authenticator`` and ``res.users.device`` models partially in |
|||
place. This may be addressed at a later time via an Odoo fix or by adding |
|||
custom uninstall logic via an uninstall hook. |
|||
|
|||
Roadmap |
|||
------- |
|||
|
|||
* Make the various durations associated with the module configurable. They are |
|||
currently hard-coded as follows: |
|||
|
|||
* 15 minutes to enter an MFA confirmation code after a password log in |
|||
* 30 days before the MFA session expires and the user has to log in again |
|||
* 30 days before the trusted device cookie expires |
|||
|
|||
* Add logic to extend an MFA user's session each time it's validated, |
|||
effectively keeping it alive indefinitely as long as the user remains active |
|||
* Add device fingerprinting to the trusted device cookie and provide a way to |
|||
revoke trusted devices |
|||
* Add company-level settings for forcing all users to enable MFA and disabling |
|||
the trusted device option |
|||
|
|||
Bug Tracker |
|||
=========== |
|||
|
|||
Bugs are tracked on `GitHub Issues |
|||
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please |
|||
check there if your issue has already been reported. If you spotted it first, |
|||
help us smash it by providing detailed and welcomed feedback. |
|||
|
|||
Credits |
|||
======= |
|||
|
|||
Images |
|||
------ |
|||
|
|||
* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_. |
|||
|
|||
Contributors |
|||
------------ |
|||
|
|||
* Oleg Bulkin <obulkin@laslabs.com> |
|||
|
|||
Maintainer |
|||
---------- |
|||
|
|||
.. image:: https://odoo-community.org/logo.png |
|||
:alt: Odoo Community Association |
|||
:target: https://odoo-community.org |
|||
|
|||
This module is maintained by the OCA. |
|||
|
|||
OCA, or the Odoo Community Association, is a nonprofit organization whose |
|||
mission is to support the collaborative development of Odoo features and |
|||
promote its widespread use. |
|||
|
|||
To contribute to this module, please visit https://odoo-community.org. |
@ -0,0 +1,8 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from . import controllers |
|||
from . import exceptions |
|||
from . import models |
|||
from . import wizards |
@ -0,0 +1,30 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
{ |
|||
'name': 'MFA Support', |
|||
'summary': 'Allows users to enable MFA and add optional trusted devices', |
|||
'version': '9.0.1.0.0', |
|||
'category': 'Extra Tools', |
|||
'website': 'https://laslabs.com/', |
|||
'author': 'LasLabs, Odoo Community Association (OCA)', |
|||
'license': 'LGPL-3', |
|||
'application': False, |
|||
'installable': True, |
|||
'external_dependencies': { |
|||
'python': ['pyotp'], |
|||
}, |
|||
'depends': [ |
|||
'report', |
|||
'web', |
|||
], |
|||
'data': [ |
|||
'data/ir_config_parameter.xml', |
|||
'security/ir.model.access.csv', |
|||
'security/res_users_authenticator_security.xml', |
|||
'wizards/res_users_authenticator_create.xml', |
|||
'views/auth_totp.xml', |
|||
'views/res_users.xml', |
|||
], |
|||
} |
@ -0,0 +1,5 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from . import main |
@ -0,0 +1,155 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from datetime import datetime, timedelta |
|||
import json |
|||
from werkzeug.contrib.securecookie import SecureCookie |
|||
from openerp import _, http, registry, SUPERUSER_ID |
|||
from openerp.api import Environment |
|||
from openerp.http import Response, request |
|||
from openerp.addons.web.controllers.main import Home |
|||
from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError |
|||
|
|||
|
|||
class JsonSecureCookie(SecureCookie): |
|||
serialization_method = json |
|||
|
|||
|
|||
class AuthTotp(Home): |
|||
|
|||
@http.route() |
|||
def web_login(self, *args, **kwargs): |
|||
"""Add MFA logic to the web_login action in Home |
|||
|
|||
Overview: |
|||
* Call web_login in Home |
|||
* Return the result of that call if the user has not logged in yet |
|||
using a password, does not have MFA enabled, or has a valid |
|||
trusted device cookie |
|||
* If none of these is true, generate a new MFA login token for the |
|||
user, log the user out, and redirect to the MFA login form |
|||
""" |
|||
|
|||
# sudo() is required because there may be no request.env.uid (likely |
|||
# since there may be no user logged in at the start of the request) |
|||
user_model_sudo = request.env['res.users'].sudo() |
|||
config_model_sudo = user_model_sudo.env['ir.config_parameter'] |
|||
|
|||
response = super(AuthTotp, self).web_login(*args, **kwargs) |
|||
|
|||
if not request.params.get('login_success'): |
|||
return response |
|||
|
|||
user = user_model_sudo.browse(request.uid) |
|||
if not user.mfa_enabled: |
|||
return response |
|||
|
|||
cookie_key = 'trusted_devices_%d' % user.id |
|||
device_cookie = request.httprequest.cookies.get(cookie_key) |
|||
if device_cookie: |
|||
secret = config_model_sudo.get_param('database.secret') |
|||
device_cookie = JsonSecureCookie.unserialize(device_cookie, secret) |
|||
if device_cookie.get('device_id') in user.trusted_device_ids.ids: |
|||
return response |
|||
|
|||
user.generate_mfa_login_token() |
|||
request.session.logout(keep_db=True) |
|||
return http.local_redirect( |
|||
'/auth_totp/login', |
|||
query={ |
|||
'mfa_login_token': user.mfa_login_token, |
|||
'redirect': request.params.get('redirect'), |
|||
}, |
|||
keep_hash=True, |
|||
) |
|||
|
|||
@http.route('/auth_totp/login', type='http', auth='none', methods=['GET']) |
|||
def mfa_login_get(self, *args, **kwargs): |
|||
return request.render('auth_totp.mfa_login', qcontext=request.params) |
|||
|
|||
@http.route('/auth_totp/login', type='http', auth='none', methods=['POST']) |
|||
def mfa_login_post(self, *args, **kwargs): |
|||
"""Process MFA login attempt |
|||
|
|||
Overview: |
|||
* Try to find a user based on the MFA login token. If this doesn't |
|||
work, redirect to the password login page with an error message |
|||
* Validate the confirmation code provided by the user. If it's not |
|||
valid, redirect to the previous login step with an error message |
|||
* Generate a long-term MFA login token for the user and log the |
|||
user in using the token |
|||
* Build a trusted device cookie and add it to the response if the |
|||
trusted device option was checked |
|||
* Redirect to the provided URL or to '/web' if one was not given |
|||
""" |
|||
|
|||
# sudo() is required because there is no request.env.uid (likely since |
|||
# there is no user logged in at the start of the request) |
|||
user_model_sudo = request.env['res.users'].sudo() |
|||
device_model_sudo = user_model_sudo.env['res.users.device'] |
|||
config_model_sudo = user_model_sudo.env['ir.config_parameter'] |
|||
|
|||
token = request.params.get('mfa_login_token') |
|||
try: |
|||
user = user_model_sudo.user_from_mfa_login_token(token) |
|||
except (MfaTokenInvalidError, MfaTokenExpiredError) as exception: |
|||
return http.local_redirect( |
|||
'/web/login', |
|||
query={ |
|||
'redirect': request.params.get('redirect'), |
|||
'error': exception.message, |
|||
}, |
|||
keep_hash=True, |
|||
) |
|||
|
|||
confirmation_code = request.params.get('confirmation_code') |
|||
if not user.validate_mfa_confirmation_code(confirmation_code): |
|||
return http.local_redirect( |
|||
'/auth_totp/login', |
|||
query={ |
|||
'redirect': request.params.get('redirect'), |
|||
'error': _( |
|||
'Your confirmation code is not correct. Please try' |
|||
' again.' |
|||
), |
|||
'mfa_login_token': token, |
|||
}, |
|||
keep_hash=True, |
|||
) |
|||
|
|||
# These context managers trigger a safe commit, which persists the |
|||
# changes right away and is needed for the auth call |
|||
with Environment.manage(): |
|||
with registry(request.db).cursor() as temp_cr: |
|||
temp_env = Environment(temp_cr, SUPERUSER_ID, request.context) |
|||
temp_user = temp_env['res.users'].browse(user.id) |
|||
temp_user.generate_mfa_login_token(60 * 24 * 30) |
|||
token = temp_user.mfa_login_token |
|||
request.session.authenticate(request.db, user.login, token, user.id) |
|||
|
|||
redirect = request.params.get('redirect') |
|||
if not redirect: |
|||
redirect = '/web' |
|||
response = Response(http.redirect_with_hash(redirect)) |
|||
|
|||
if request.params.get('remember_device'): |
|||
device = device_model_sudo.create({'user_id': user.id}) |
|||
secret = config_model_sudo.get_param('database.secret') |
|||
device_cookie = JsonSecureCookie({'device_id': device.id}, secret) |
|||
cookie_lifetime = timedelta(days=30) |
|||
cookie_exp = datetime.utcnow() + cookie_lifetime |
|||
device_cookie = device_cookie.serialize(cookie_exp) |
|||
cookie_key = 'trusted_devices_%d' % user.id |
|||
sec_config = config_model_sudo.get_param('auth_totp.secure_cookie') |
|||
security_flag = sec_config != '0' |
|||
response.set_cookie( |
|||
cookie_key, |
|||
device_cookie, |
|||
max_age=cookie_lifetime.total_seconds(), |
|||
expires=cookie_exp, |
|||
httponly=True, |
|||
secure=security_flag, |
|||
) |
|||
|
|||
return response |
@ -0,0 +1,14 @@ |
|||
<?xml version="1.0" encoding="utf-8"?> |
|||
|
|||
<!-- |
|||
Copyright 2016-2017 LasLabs Inc. |
|||
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
--> |
|||
|
|||
<odoo noupdate="1"> |
|||
<record id="cookie_security" model="ir.config_parameter"> |
|||
<field name="key">auth_totp.secure_cookie</field> |
|||
<field name="value" eval="1"/> |
|||
<field name="group_ids" eval="[(4, ref('base.group_system'), 0)]"/> |
|||
</record> |
|||
</odoo> |
@ -0,0 +1,20 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from openerp.exceptions import AccessDenied |
|||
|
|||
|
|||
class MfaTokenError(AccessDenied): |
|||
|
|||
def __init__(self, message): |
|||
super(MfaTokenError, self).__init__() |
|||
self.message = message |
|||
|
|||
|
|||
class MfaTokenInvalidError(MfaTokenError): |
|||
pass |
|||
|
|||
|
|||
class MfaTokenExpiredError(MfaTokenError): |
|||
pass |
@ -0,0 +1,7 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from . import res_users |
|||
from . import res_users_authenticator |
|||
from . import res_users_device |
@ -0,0 +1,97 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from datetime import datetime, timedelta |
|||
import random |
|||
import string |
|||
from openerp import _, api, fields, models |
|||
from openerp.exceptions import AccessDenied, ValidationError |
|||
from ..exceptions import MfaTokenInvalidError, MfaTokenExpiredError |
|||
|
|||
|
|||
class ResUsers(models.Model): |
|||
_inherit = 'res.users' |
|||
|
|||
mfa_enabled = fields.Boolean(string='MFA Enabled?') |
|||
authenticator_ids = fields.One2many( |
|||
comodel_name='res.users.authenticator', |
|||
inverse_name='user_id', |
|||
string='Authentication Apps/Devices', |
|||
help='To delete an authentication app, remove it from this list. To' |
|||
' add a new authentication app, please use the button to the' |
|||
' right.', |
|||
) |
|||
mfa_login_token = fields.Char() |
|||
mfa_login_token_exp = fields.Datetime() |
|||
trusted_device_ids = fields.One2many( |
|||
comodel_name='res.users.device', |
|||
inverse_name='user_id', |
|||
string='Trusted Devices', |
|||
) |
|||
|
|||
@api.multi |
|||
@api.constrains('mfa_enabled', 'authenticator_ids') |
|||
def _check_enabled_with_authenticator(self): |
|||
for record in self: |
|||
if record.mfa_enabled and not record.authenticator_ids: |
|||
raise ValidationError(_( |
|||
'You have MFA enabled but do not have any authentication' |
|||
' apps/devices set up. To keep from being locked out,' |
|||
' please add one before you activate this feature.' |
|||
)) |
|||
|
|||
@api.model |
|||
def check_credentials(self, password): |
|||
try: |
|||
return super(ResUsers, self).check_credentials(password) |
|||
except AccessDenied: |
|||
user = self.sudo().search([ |
|||
('id', '=', self.env.uid), |
|||
('mfa_login_token', '=', password), |
|||
]) |
|||
user._user_from_mfa_login_token_validate() |
|||
|
|||
@api.multi |
|||
def generate_mfa_login_token(self, lifetime_mins=15): |
|||
char_set = string.ascii_letters + string.digits |
|||
|
|||
for record in self: |
|||
record.mfa_login_token = ''.join( |
|||
random.SystemRandom().choice(char_set) for __ in range(20) |
|||
) |
|||
|
|||
expiration = datetime.now() + timedelta(minutes=lifetime_mins) |
|||
record.mfa_login_token_exp = fields.Datetime.to_string(expiration) |
|||
|
|||
@api.model |
|||
def user_from_mfa_login_token(self, token): |
|||
if not token: |
|||
raise MfaTokenInvalidError(_( |
|||
'Your MFA login token is not valid. Please try again.' |
|||
)) |
|||
|
|||
user = self.search([('mfa_login_token', '=', token)]) |
|||
user._user_from_mfa_login_token_validate() |
|||
|
|||
return user |
|||
|
|||
@api.multi |
|||
def _user_from_mfa_login_token_validate(self): |
|||
try: |
|||
self.ensure_one() |
|||
except ValueError: |
|||
raise MfaTokenInvalidError(_( |
|||
'Your MFA login token is not valid. Please try again.' |
|||
)) |
|||
|
|||
token_exp = fields.Datetime.from_string(self.mfa_login_token_exp) |
|||
if token_exp < datetime.now(): |
|||
raise MfaTokenExpiredError(_( |
|||
'Your MFA login token has expired. Please try again.' |
|||
)) |
|||
|
|||
@api.multi |
|||
def validate_mfa_confirmation_code(self, confirmation_code): |
|||
self.ensure_one() |
|||
return self.authenticator_ids.validate_conf_code(confirmation_code) |
@ -0,0 +1,55 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
import logging |
|||
from openerp import _, api, fields, models |
|||
|
|||
_logger = logging.getLogger(__name__) |
|||
try: |
|||
import pyotp |
|||
except ImportError: |
|||
_logger.debug( |
|||
'Could not import PyOTP. Please make sure this library is available in' |
|||
' your environment.' |
|||
) |
|||
|
|||
|
|||
class ResUsersAuthenticator(models.Model): |
|||
_name = 'res.users.authenticator' |
|||
_description = 'MFA App/Device' |
|||
_sql_constraints = [( |
|||
'user_id_name_uniq', |
|||
'UNIQUE(user_id, name)', |
|||
_( |
|||
'There is already an MFA app/device with this name associated with' |
|||
' your account. Please pick a new name and try again.' |
|||
), |
|||
)] |
|||
|
|||
name = fields.Char( |
|||
required=True, |
|||
readonly=True, |
|||
) |
|||
secret_key = fields.Char( |
|||
required=True, |
|||
readonly=True, |
|||
) |
|||
user_id = fields.Many2one( |
|||
comodel_name='res.users', |
|||
ondelete='cascade', |
|||
) |
|||
|
|||
@api.multi |
|||
@api.constrains('user_id') |
|||
def _check_has_user(self): |
|||
self.filtered(lambda r: not r.user_id).unlink() |
|||
|
|||
@api.multi |
|||
def validate_conf_code(self, confirmation_code): |
|||
for record in self: |
|||
totp = pyotp.TOTP(record.secret_key) |
|||
if totp.verify(confirmation_code): |
|||
return True |
|||
|
|||
return False |
@ -0,0 +1,16 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from openerp import fields, models |
|||
|
|||
|
|||
class ResUsersDevice(models.Model): |
|||
_name = 'res.users.device' |
|||
_description = 'Trusted Device for MFA Auth' |
|||
|
|||
user_id = fields.Many2one( |
|||
comodel_name='res.users', |
|||
ondelete='cascade', |
|||
required=True, |
|||
) |
@ -0,0 +1,3 @@ |
|||
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink |
|||
authenticator_access,MFA Authenticator - User Access,model_res_users_authenticator,base.group_user,1,1,1,1 |
|||
device_access,MFA Device - Manager Access,model_res_users_device,,0,0,0,0 |
@ -0,0 +1,18 @@ |
|||
<?xml version="1.0" encoding="utf-8"?> |
|||
|
|||
<!-- |
|||
Copyright 2016-2017 LasLabs Inc. |
|||
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
--> |
|||
|
|||
<odoo> |
|||
<record id="auth_access_owners_only" model="ir.rule"> |
|||
<field name="name">MFA Authenticators - Owner Only</field> |
|||
<field name="model_id" ref="model_res_users_authenticator"/> |
|||
<field name="domain_force">[('user_id', '=?', user.id)]</field> |
|||
<field name="perm_read" eval="True"/> |
|||
<field name="perm_write" eval="True"/> |
|||
<field name="perm_create" eval="True"/> |
|||
<field name="perm_unlink" eval="True"/> |
|||
</record> |
|||
</odoo> |
After Width: 600 | Height: 518 | Size: 10 KiB |
@ -0,0 +1,8 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from . import test_main |
|||
from . import test_res_users |
|||
from . import test_res_users_authenticator |
|||
from . import test_res_users_authenticator_create |
@ -0,0 +1,393 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from datetime import datetime |
|||
import mock |
|||
from openerp.http import Response |
|||
from openerp.tests.common import TransactionCase |
|||
from ..controllers.main import AuthTotp |
|||
|
|||
CONTROLLER_PATH = 'openerp.addons.auth_totp.controllers.main' |
|||
REQUEST_PATH = CONTROLLER_PATH + '.request' |
|||
SUPER_PATH = CONTROLLER_PATH + '.Home.web_login' |
|||
JSON_PATH = CONTROLLER_PATH + '.JsonSecureCookie' |
|||
ENVIRONMENT_PATH = CONTROLLER_PATH + '.Environment' |
|||
RESPONSE_PATH = CONTROLLER_PATH + '.Response' |
|||
DATETIME_PATH = CONTROLLER_PATH + '.datetime' |
|||
TRANSLATE_PATH_CONT = CONTROLLER_PATH + '._' |
|||
MODEL_PATH = 'openerp.addons.auth_totp.models.res_users' |
|||
GENERATE_PATH = MODEL_PATH + '.ResUsers.generate_mfa_login_token' |
|||
VALIDATE_PATH = MODEL_PATH + '.ResUsers.validate_mfa_confirmation_code' |
|||
TRANSLATE_PATH_MOD = MODEL_PATH + '._' |
|||
|
|||
|
|||
@mock.patch(REQUEST_PATH) |
|||
class TestAuthTotp(TransactionCase): |
|||
|
|||
def setUp(self): |
|||
super(TestAuthTotp, self).setUp() |
|||
|
|||
self.test_controller = AuthTotp() |
|||
|
|||
self.test_user = self.env.ref('base.user_root') |
|||
self.env['res.users.authenticator'].create({ |
|||
'name': 'Test Authenticator', |
|||
'secret_key': 'iamatestsecretyo', |
|||
'user_id': self.test_user.id, |
|||
}) |
|||
self.test_user.mfa_enabled = True |
|||
self.test_user.generate_mfa_login_token() |
|||
self.test_user.trusted_device_ids = None |
|||
|
|||
# Needed when tests are run with no prior requests (e.g. on a new DB) |
|||
patcher = mock.patch('openerp.http.request') |
|||
self.addCleanup(patcher.stop) |
|||
patcher.start() |
|||
|
|||
@mock.patch(SUPER_PATH) |
|||
def test_web_login_no_password_login(self, super_mock, request_mock): |
|||
'''Should return wrapped result of super if no password log in''' |
|||
test_response = 'Test Response' |
|||
super_mock.return_value = test_response |
|||
request_mock.params = {} |
|||
|
|||
self.assertEqual(self.test_controller.web_login().data, test_response) |
|||
|
|||
@mock.patch(SUPER_PATH) |
|||
def test_web_login_user_no_mfa(self, super_mock, request_mock): |
|||
'''Should return wrapped result of super if user did not enable MFA''' |
|||
test_response = 'Test Response' |
|||
super_mock.return_value = test_response |
|||
request_mock.params = {'login_success': True} |
|||
request_mock.env = self.env |
|||
request_mock.uid = self.test_user.id |
|||
self.test_user.mfa_enabled = False |
|||
|
|||
self.assertEqual(self.test_controller.web_login().data, test_response) |
|||
|
|||
@mock.patch(JSON_PATH) |
|||
@mock.patch(SUPER_PATH) |
|||
def test_web_login_valid_cookie(self, super_mock, json_mock, request_mock): |
|||
'''Should return wrapped result of super if valid device cookie''' |
|||
test_response = 'Test Response' |
|||
super_mock.return_value = test_response |
|||
request_mock.params = {'login_success': True} |
|||
request_mock.env = self.env |
|||
request_mock.uid = self.test_user.id |
|||
|
|||
device_model = self.env['res.users.device'] |
|||
test_device = device_model.create({'user_id': self.test_user.id}) |
|||
json_mock.unserialize().get.return_value = test_device.id |
|||
|
|||
self.assertEqual(self.test_controller.web_login().data, test_response) |
|||
|
|||
@mock.patch(SUPER_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
def test_web_login_no_cookie(self, gen_mock, super_mock, request_mock): |
|||
'''Should respond correctly if no device cookie with expected key''' |
|||
request_mock.env = self.env |
|||
request_mock.uid = self.test_user.id |
|||
request_mock.params = { |
|||
'login_success': True, |
|||
'redirect': 'Test Redir', |
|||
} |
|||
self.test_user.mfa_login_token = 'Test Token' |
|||
request_mock.httprequest.cookies = {} |
|||
request_mock.reset_mock() |
|||
|
|||
test_result = self.test_controller.web_login() |
|||
gen_mock.assert_called_once_with() |
|||
request_mock.session.logout.assert_called_once_with(keep_db=True) |
|||
self.assertIn( |
|||
'/auth_totp/login?redirect=Test+Redir&mfa_login_token=Test+Token', |
|||
test_result.data, |
|||
) |
|||
|
|||
@mock.patch(SUPER_PATH) |
|||
@mock.patch(JSON_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
def test_web_login_bad_device_id( |
|||
self, gen_mock, json_mock, super_mock, request_mock |
|||
): |
|||
'''Should respond correctly if invalid device_id in device cookie''' |
|||
request_mock.env = self.env |
|||
request_mock.uid = self.test_user.id |
|||
request_mock.params = { |
|||
'login_success': True, |
|||
'redirect': 'Test Redir', |
|||
} |
|||
self.test_user.mfa_login_token = 'Test Token' |
|||
json_mock.unserialize.return_value = {'device_id': 1} |
|||
request_mock.reset_mock() |
|||
|
|||
test_result = self.test_controller.web_login() |
|||
gen_mock.assert_called_once_with() |
|||
request_mock.session.logout.assert_called_once_with(keep_db=True) |
|||
self.assertIn( |
|||
'/auth_totp/login?redirect=Test+Redir&mfa_login_token=Test+Token', |
|||
test_result.data, |
|||
) |
|||
|
|||
def test_mfa_login_get(self, request_mock): |
|||
'''Should render mfa_login template with correct context''' |
|||
request_mock.render.return_value = 'Test Value' |
|||
request_mock.reset_mock() |
|||
self.test_controller.mfa_login_get() |
|||
|
|||
request_mock.render.assert_called_once_with( |
|||
'auth_totp.mfa_login', |
|||
qcontext=request_mock.params, |
|||
) |
|||
|
|||
@mock.patch(TRANSLATE_PATH_MOD) |
|||
def test_mfa_login_post_invalid_token(self, tl_mock, request_mock): |
|||
'''Should return correct redirect if login token invalid''' |
|||
request_mock.env = self.env |
|||
request_mock.params = { |
|||
'mfa_login_token': 'Invalid Token', |
|||
'redirect': 'Test Redir', |
|||
} |
|||
tl_mock.side_effect = lambda arg: arg |
|||
tl_mock.reset_mock() |
|||
|
|||
test_result = self.test_controller.mfa_login_post() |
|||
tl_mock.assert_called_once() |
|||
self.assertIn('/web/login?redirect=Test+Redir', test_result.data) |
|||
self.assertIn( |
|||
'&error=Your+MFA+login+token+is+not+valid.', |
|||
test_result.data, |
|||
) |
|||
|
|||
@mock.patch(TRANSLATE_PATH_MOD) |
|||
def test_mfa_login_post_expired_token(self, tl_mock, request_mock): |
|||
'''Should return correct redirect if login token expired''' |
|||
request_mock.env = self.env |
|||
self.test_user.generate_mfa_login_token(-1) |
|||
request_mock.params = { |
|||
'mfa_login_token': self.test_user.mfa_login_token, |
|||
'redirect': 'Test Redir', |
|||
} |
|||
tl_mock.side_effect = lambda arg: arg |
|||
tl_mock.reset_mock() |
|||
|
|||
test_result = self.test_controller.mfa_login_post() |
|||
tl_mock.assert_called_once() |
|||
self.assertIn('/web/login?redirect=Test+Redir', test_result.data) |
|||
self.assertIn( |
|||
'&error=Your+MFA+login+token+has+expired.', |
|||
test_result.data, |
|||
) |
|||
|
|||
@mock.patch(TRANSLATE_PATH_CONT) |
|||
def test_mfa_login_post_invalid_conf_code(self, tl_mock, request_mock): |
|||
'''Should return correct redirect if confirmation code is invalid''' |
|||
request_mock.env = self.env |
|||
request_mock.params = { |
|||
'mfa_login_token': self.test_user.mfa_login_token, |
|||
'redirect': 'Test Redir', |
|||
'confirmation_code': 'Invalid Code', |
|||
} |
|||
tl_mock.side_effect = lambda arg: arg |
|||
tl_mock.reset_mock() |
|||
|
|||
test_result = self.test_controller.mfa_login_post() |
|||
tl_mock.assert_called_once() |
|||
self.assertIn('/auth_totp/login?redirect=Test+Redir', test_result.data) |
|||
self.assertIn( |
|||
'&error=Your+confirmation+code+is+not+correct.', |
|||
test_result.data, |
|||
) |
|||
self.assertIn( |
|||
'&mfa_login_token=%s' % self.test_user.mfa_login_token, |
|||
test_result.data, |
|||
) |
|||
|
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_new_token(self, val_mock, gen_mock, request_mock): |
|||
'''Should refresh user's login token w/right lifetime if info valid''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = {'mfa_login_token': test_token} |
|||
val_mock.return_value = True |
|||
gen_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
gen_mock.assert_called_once_with(60 * 24 * 30) |
|||
|
|||
@mock.patch(ENVIRONMENT_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_session(self, val_mock, env_mock, request_mock): |
|||
'''Should log user in with new token as password if info valid''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
old_test_token = self.test_user.mfa_login_token |
|||
request_mock.params = {'mfa_login_token': old_test_token} |
|||
val_mock.return_value = True |
|||
env_mock.return_value = self.env |
|||
request_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
new_test_token = self.test_user.mfa_login_token |
|||
request_mock.session.authenticate.assert_called_once_with( |
|||
request_mock.db, |
|||
self.test_user.login, |
|||
new_test_token, |
|||
self.test_user.id, |
|||
) |
|||
|
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_redirect(self, val_mock, gen_mock, request_mock): |
|||
'''Should return correct redirect if info valid and redirect present''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_redir = 'Test Redir' |
|||
request_mock.params = { |
|||
'mfa_login_token': self.test_user.mfa_login_token, |
|||
'redirect': test_redir, |
|||
} |
|||
val_mock.return_value = True |
|||
|
|||
test_result = self.test_controller.mfa_login_post() |
|||
self.assertIn("window.location = '%s'" % test_redir, test_result.data) |
|||
|
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_redir_def(self, val_mock, gen_mock, request_mock): |
|||
'''Should return redirect to /web if info valid and no redirect''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = {'mfa_login_token': test_token} |
|||
val_mock.return_value = True |
|||
|
|||
test_result = self.test_controller.mfa_login_post() |
|||
self.assertIn("window.location = '/web'", test_result.data) |
|||
|
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_device(self, val_mock, gen_mock, request_mock): |
|||
'''Should add trusted device to user if remember flag set''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = { |
|||
'mfa_login_token': test_token, |
|||
'remember_device': True, |
|||
} |
|||
val_mock.return_value = True |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
self.assertEqual(len(self.test_user.trusted_device_ids), 1) |
|||
|
|||
@mock.patch(RESPONSE_PATH) |
|||
@mock.patch(JSON_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_cookie_werkzeug_cookie( |
|||
self, val_mock, gen_mock, json_mock, resp_mock, request_mock |
|||
): |
|||
'''Should create Werkzeug cookie w/right info if remember flag set''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = { |
|||
'mfa_login_token': test_token, |
|||
'remember_device': True, |
|||
} |
|||
val_mock.return_value = True |
|||
resp_mock().__class__ = Response |
|||
json_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
test_device = self.test_user.trusted_device_ids |
|||
config_model = self.env['ir.config_parameter'] |
|||
test_secret = config_model.get_param('database.secret') |
|||
json_mock.assert_called_once_with( |
|||
{'device_id': test_device.id}, |
|||
test_secret, |
|||
) |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
@mock.patch(RESPONSE_PATH) |
|||
@mock.patch(JSON_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_cookie_werkzeug_cookie_exp( |
|||
self, val_mock, gen_mock, json_mock, resp_mock, dt_mock, request_mock |
|||
): |
|||
'''Should serialize Werkzeug cookie w/right exp if remember flag set''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = { |
|||
'mfa_login_token': test_token, |
|||
'remember_device': True, |
|||
} |
|||
val_mock.return_value = True |
|||
dt_mock.utcnow.return_value = datetime(2016, 12, 1) |
|||
resp_mock().__class__ = Response |
|||
json_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
json_mock().serialize.assert_called_once_with(datetime(2016, 12, 31)) |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
@mock.patch(RESPONSE_PATH) |
|||
@mock.patch(JSON_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_cookie_final_cookie( |
|||
self, val_mock, gen_mock, json_mock, resp_mock, dt_mock, request_mock |
|||
): |
|||
'''Should add correct cookie to response if remember flag set''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = { |
|||
'mfa_login_token': test_token, |
|||
'remember_device': True, |
|||
} |
|||
val_mock.return_value = True |
|||
dt_mock.utcnow.return_value = datetime(2016, 12, 1) |
|||
config_model = self.env['ir.config_parameter'] |
|||
config_model.set_param('auth_totp.secure_cookie', '0') |
|||
resp_mock().__class__ = Response |
|||
resp_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
resp_mock().set_cookie.assert_called_once_with( |
|||
'trusted_devices_%s' % self.test_user.id, |
|||
json_mock().serialize(), |
|||
max_age=30 * 24 * 60 * 60, |
|||
expires=datetime(2016, 12, 31), |
|||
httponly=True, |
|||
secure=False, |
|||
) |
|||
|
|||
@mock.patch(RESPONSE_PATH) |
|||
@mock.patch(GENERATE_PATH) |
|||
@mock.patch(VALIDATE_PATH) |
|||
def test_mfa_login_post_cookie_final_cookie_secure( |
|||
self, val_mock, gen_mock, resp_mock, request_mock |
|||
): |
|||
'''Should set secure cookie if config parameter set accordingly''' |
|||
request_mock.env = self.env |
|||
request_mock.db = self.registry.db_name |
|||
test_token = self.test_user.mfa_login_token |
|||
request_mock.params = { |
|||
'mfa_login_token': test_token, |
|||
'remember_device': True, |
|||
} |
|||
val_mock.return_value = True |
|||
config_model = self.env['ir.config_parameter'] |
|||
config_model.set_param('auth_totp.secure_cookie', '1') |
|||
resp_mock().__class__ = Response |
|||
resp_mock.reset_mock() |
|||
self.test_controller.mfa_login_post() |
|||
|
|||
new_test_security = resp_mock().set_cookie.mock_calls[0][2]['secure'] |
|||
self.assertIs(new_test_security, True) |
@ -0,0 +1,202 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from datetime import datetime |
|||
import mock |
|||
import string |
|||
from openerp.exceptions import ValidationError |
|||
from openerp.tests.common import TransactionCase |
|||
from ..exceptions import ( |
|||
MfaTokenError, |
|||
MfaTokenInvalidError, |
|||
MfaTokenExpiredError, |
|||
) |
|||
from ..models.res_users_authenticator import ResUsersAuthenticator |
|||
|
|||
DATETIME_PATH = 'openerp.addons.auth_totp.models.res_users.datetime' |
|||
|
|||
|
|||
class TestResUsers(TransactionCase): |
|||
|
|||
def setUp(self): |
|||
super(TestResUsers, self).setUp() |
|||
|
|||
self.test_user = self.env.ref('base.user_root') |
|||
self.test_user.mfa_enabled = False |
|||
self.test_user.authenticator_ids = False |
|||
self.env.uid = self.test_user.id |
|||
|
|||
def test_check_enabled_with_authenticator_mfa_no_auth(self): |
|||
'''Should raise correct error if MFA enabled without authenticators''' |
|||
with self.assertRaisesRegexp(ValidationError, 'locked out'): |
|||
self.test_user.mfa_enabled = True |
|||
|
|||
def test_check_enabled_with_authenticator_no_mfa_auth(self): |
|||
'''Should not raise error if MFA not enabled with authenticators''' |
|||
try: |
|||
self.env['res.users.authenticator'].create({ |
|||
'name': 'Test Name', |
|||
'secret_key': 'Test Key', |
|||
'user_id': self.test_user.id, |
|||
}) |
|||
except ValidationError: |
|||
self.fail('A ValidationError was raised and should not have been.') |
|||
|
|||
def test_check_enabled_with_authenticator_mfa_auth(self): |
|||
'''Should not raise error if MFA enabled with authenticators''' |
|||
try: |
|||
self.env['res.users.authenticator'].create({ |
|||
'name': 'Test Name', |
|||
'secret_key': 'Test Key', |
|||
'user_id': self.test_user.id, |
|||
}) |
|||
self.test_user.mfa_enabled = True |
|||
except ValidationError: |
|||
self.fail('A ValidationError was raised and should not have been.') |
|||
|
|||
def test_check_credentials_no_match(self): |
|||
'''Should raise appropriate error if there is no match''' |
|||
with self.assertRaises(MfaTokenInvalidError): |
|||
self.env['res.users'].check_credentials('invalid') |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
def test_check_credentials_expired(self, datetime_mock): |
|||
'''Should raise appropriate error if match based on expired token''' |
|||
datetime_mock.now.return_value = datetime(2016, 12, 1) |
|||
self.test_user.generate_mfa_login_token() |
|||
test_token = self.test_user.mfa_login_token |
|||
datetime_mock.now.return_value = datetime(2017, 12, 1) |
|||
|
|||
with self.assertRaises(MfaTokenExpiredError): |
|||
self.env['res.users'].check_credentials(test_token) |
|||
|
|||
def test_check_credentials_current(self): |
|||
'''Should not raise error if match based on active token''' |
|||
self.test_user.generate_mfa_login_token() |
|||
test_token = self.test_user.mfa_login_token |
|||
|
|||
try: |
|||
self.env['res.users'].check_credentials(test_token) |
|||
except MfaTokenError: |
|||
self.fail('An MfaTokenError was raised and should not have been.') |
|||
|
|||
def test_generate_mfa_login_token_token_field_content(self): |
|||
'''Should set token field to 20 char string of ASCII letters/digits''' |
|||
self.test_user.generate_mfa_login_token() |
|||
test_chars = set(string.ascii_letters + string.digits) |
|||
|
|||
self.assertEqual(len(self.test_user.mfa_login_token), 20) |
|||
self.assertTrue(set(self.test_user.mfa_login_token) <= test_chars) |
|||
|
|||
def test_generate_mfa_login_token_token_field_random(self): |
|||
'''Should set token field to new value each time''' |
|||
test_tokens = set([]) |
|||
for __ in xrange(3): |
|||
self.test_user.generate_mfa_login_token() |
|||
test_tokens.add(self.test_user.mfa_login_token) |
|||
|
|||
self.assertEqual(len(test_tokens), 3) |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
def test_generate_mfa_login_token_exp_field_default(self, datetime_mock): |
|||
'''Should set token lifetime to 15 minutes if no argument provided''' |
|||
datetime_mock.now.return_value = datetime(2016, 12, 1) |
|||
self.test_user.generate_mfa_login_token() |
|||
|
|||
self.assertEqual( |
|||
self.test_user.mfa_login_token_exp, |
|||
'2016-12-01 00:15:00' |
|||
) |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
def test_generate_mfa_login_token_exp_field_custom(self, datetime_mock): |
|||
'''Should set token lifetime to value provided''' |
|||
datetime_mock.now.return_value = datetime(2016, 12, 1) |
|||
self.test_user.generate_mfa_login_token(45) |
|||
|
|||
self.assertEqual( |
|||
self.test_user.mfa_login_token_exp, |
|||
'2016-12-01 00:45:00' |
|||
) |
|||
|
|||
def test_user_from_mfa_login_token_validate_not_singleton(self): |
|||
'''Should raise correct error when recordset is not a singleton''' |
|||
self.test_user.copy() |
|||
test_set = self.env['res.users'].search([('id', '>', 0)], limit=2) |
|||
|
|||
with self.assertRaises(MfaTokenInvalidError): |
|||
self.env['res.users']._user_from_mfa_login_token_validate() |
|||
with self.assertRaises(MfaTokenInvalidError): |
|||
test_set._user_from_mfa_login_token_validate() |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
def test_user_from_mfa_login_token_validate_expired(self, datetime_mock): |
|||
'''Should raise correct error when record has expired token''' |
|||
datetime_mock.now.return_value = datetime(2016, 12, 1) |
|||
self.test_user.generate_mfa_login_token() |
|||
datetime_mock.now.return_value = datetime(2017, 12, 1) |
|||
|
|||
with self.assertRaises(MfaTokenExpiredError): |
|||
self.test_user._user_from_mfa_login_token_validate() |
|||
|
|||
def test_user_from_mfa_login_token_validate_current_singleton(self): |
|||
'''Should not raise error when one record with active token''' |
|||
self.test_user.generate_mfa_login_token() |
|||
|
|||
try: |
|||
self.test_user._user_from_mfa_login_token_validate() |
|||
except MfaTokenError: |
|||
self.fail('An MfaTokenError was raised and should not have been.') |
|||
|
|||
def test_user_from_mfa_login_token_match(self): |
|||
'''Should retreive correct user when there is a current match''' |
|||
self.test_user.generate_mfa_login_token() |
|||
test_token = self.test_user.mfa_login_token |
|||
|
|||
self.assertEqual( |
|||
self.env['res.users'].user_from_mfa_login_token(test_token), |
|||
self.test_user, |
|||
) |
|||
|
|||
def test_user_from_mfa_login_token_falsy(self): |
|||
'''Should raise correct error when token is falsy''' |
|||
with self.assertRaises(MfaTokenInvalidError): |
|||
self.env['res.users'].user_from_mfa_login_token(None) |
|||
|
|||
def test_user_from_mfa_login_token_no_match(self): |
|||
'''Should raise correct error when there is no match''' |
|||
with self.assertRaises(MfaTokenInvalidError): |
|||
self.env['res.users'].user_from_mfa_login_token('Test Token') |
|||
|
|||
@mock.patch(DATETIME_PATH) |
|||
def test_user_from_mfa_login_token_match_expired(self, datetime_mock): |
|||
'''Should raise correct error when the match is expired''' |
|||
datetime_mock.now.return_value = datetime(2016, 12, 1) |
|||
self.test_user.generate_mfa_login_token() |
|||
test_token = self.test_user.mfa_login_token |
|||
datetime_mock.now.return_value = datetime(2017, 12, 1) |
|||
|
|||
with self.assertRaises(MfaTokenExpiredError): |
|||
self.env['res.users'].user_from_mfa_login_token(test_token) |
|||
|
|||
def test_validate_mfa_confirmation_code_not_singleton(self): |
|||
'''Should raise correct error when recordset is not singleton''' |
|||
test_user_2 = self.env['res.users'] |
|||
test_user_3 = self.env.ref('base.public_user') |
|||
test_set = self.test_user + test_user_3 |
|||
|
|||
with self.assertRaisesRegexp(ValueError, 'Expected singleton'): |
|||
test_user_2.validate_mfa_confirmation_code('Test Code') |
|||
with self.assertRaisesRegexp(ValueError, 'Expected singleton'): |
|||
test_set.validate_mfa_confirmation_code('Test Code') |
|||
|
|||
@mock.patch.object(ResUsersAuthenticator, 'validate_conf_code') |
|||
def test_validate_mfa_confirmation_code_singleton_return(self, mock_func): |
|||
'''Should return validate_conf_code() value if singleton recordset''' |
|||
mock_func.return_value = 'Test Result' |
|||
|
|||
self.assertEqual( |
|||
self.test_user.validate_mfa_confirmation_code('Test Code'), |
|||
'Test Result', |
|||
) |
@ -0,0 +1,80 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
import mock |
|||
from openerp.tests.common import TransactionCase |
|||
|
|||
MOCK_PATH = 'openerp.addons.auth_totp.models.res_users_authenticator.pyotp' |
|||
|
|||
|
|||
class TestResUsersAuthenticator(TransactionCase): |
|||
|
|||
def _new_authenticator(self, extra_values=None): |
|||
base_values = { |
|||
'name': 'Test Name', |
|||
'secret_key': 'Test Key', |
|||
'user_id': self.env.ref('base.user_root').id, |
|||
} |
|||
if extra_values is not None: |
|||
base_values.update(extra_values) |
|||
|
|||
return self.env['res.users.authenticator'].create(base_values) |
|||
|
|||
def test_check_has_user(self): |
|||
'''Should delete record when it no longer has a user_id''' |
|||
test_auth = self._new_authenticator() |
|||
test_auth.user_id = False |
|||
|
|||
self.assertFalse(test_auth.exists()) |
|||
|
|||
def test_validate_conf_code_empty_recordset(self): |
|||
'''Should return False if recordset is empty''' |
|||
test_auth = self.env['res.users.authenticator'] |
|||
|
|||
self.assertFalse(test_auth.validate_conf_code('Test Code')) |
|||
|
|||
@mock.patch(MOCK_PATH) |
|||
def test_validate_conf_code_match(self, pyotp_mock): |
|||
'''Should return True if code matches at least one record in set''' |
|||
test_auth = self._new_authenticator() |
|||
test_auth_2 = self._new_authenticator({'name': 'Test Name 2'}) |
|||
test_set = test_auth + test_auth_2 |
|||
|
|||
pyotp_mock.TOTP().verify.side_effect = (True, False) |
|||
self.assertTrue(test_set.validate_conf_code('Test Code')) |
|||
pyotp_mock.TOTP().verify.side_effect = (True, True) |
|||
self.assertTrue(test_set.validate_conf_code('Test Code')) |
|||
|
|||
@mock.patch(MOCK_PATH) |
|||
def test_validate_conf_code_no_match(self, pyotp_mock): |
|||
'''Should return False if code does not match any records in set''' |
|||
test_auth = self._new_authenticator() |
|||
pyotp_mock.TOTP().verify.return_value = False |
|||
|
|||
self.assertFalse(test_auth.validate_conf_code('Test Code')) |
|||
|
|||
@mock.patch(MOCK_PATH) |
|||
def test_validate_conf_code_pyotp_use(self, pyotp_mock): |
|||
'''Should call PyOTP 2x/record with correct arguments until match''' |
|||
test_auth = self._new_authenticator() |
|||
test_auth_2 = self._new_authenticator({ |
|||
'name': 'Test Name 2', |
|||
'secret_key': 'Test Key 2', |
|||
}) |
|||
test_auth_3 = self._new_authenticator({ |
|||
'name': 'Test Name 3', |
|||
'secret_key': 'Test Key 3', |
|||
}) |
|||
test_set = test_auth + test_auth_2 + test_auth_3 |
|||
pyotp_mock.TOTP().verify.side_effect = (False, True, True) |
|||
pyotp_mock.reset_mock() |
|||
test_set.validate_conf_code('Test Code') |
|||
|
|||
pyotp_calls = [ |
|||
mock.call('Test Key'), |
|||
mock.call().verify('Test Code'), |
|||
mock.call('Test Key 2'), |
|||
mock.call().verify('Test Code'), |
|||
] |
|||
self.assertEqual(pyotp_mock.TOTP.mock_calls, pyotp_calls) |
@ -0,0 +1,151 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
import mock |
|||
from openerp.exceptions import ValidationError |
|||
from openerp.tests.common import TransactionCase |
|||
|
|||
|
|||
@mock.patch( |
|||
'openerp.addons.auth_totp.wizards.res_users_authenticator_create.pyotp' |
|||
) |
|||
class TestResUsersAuthenticatorCreate(TransactionCase): |
|||
|
|||
def setUp(self): |
|||
super(TestResUsersAuthenticatorCreate, self).setUp() |
|||
|
|||
self.test_user = self.env.ref('base.user_root') |
|||
|
|||
def _new_wizard(self, extra_values=None): |
|||
base_values = { |
|||
'name': 'Test Authenticator', |
|||
'confirmation_code': 'Test', |
|||
'user_id': self.test_user.id, |
|||
} |
|||
if extra_values is not None: |
|||
base_values.update(extra_values) |
|||
|
|||
return self.env['res.users.authenticator.create'].create(base_values) |
|||
|
|||
def test_secret_key_default(self, pyotp_mock): |
|||
'''Should default to random string generated by PyOTP''' |
|||
pyotp_mock.random_base32.return_value = test_random = 'Test' |
|||
test_wiz = self.env['res.users.authenticator.create'] |
|||
test_key = test_wiz.default_get(['secret_key'])['secret_key'] |
|||
|
|||
self.assertEqual(test_key, test_random) |
|||
|
|||
def test_default_user_id_no_uid_in_context(self, pyotp_mock): |
|||
'''Should return empty user recordset when no uid in context''' |
|||
test_wiz = self.env['res.users.authenticator.create'].with_context( |
|||
uid=None, |
|||
) |
|||
|
|||
self.assertFalse(test_wiz._default_user_id()) |
|||
self.assertEqual(test_wiz._default_user_id()._name, 'res.users') |
|||
|
|||
def test_default_user_id_uid_in_context(self, pyotp_mock): |
|||
'''Should return correct user record when there is a uid in context''' |
|||
test_wiz = self.env['res.users.authenticator.create'].with_context( |
|||
uid=self.test_user.id, |
|||
) |
|||
|
|||
self.assertEqual(test_wiz._default_user_id(), self.test_user) |
|||
|
|||
def test_compute_qr_code_tag_no_user_id(self, pyotp_mock): |
|||
'''Should not call PyOTP or set field if no user_id present''' |
|||
test_wiz = self.env['res.users.authenticator.create'].with_context( |
|||
uid=None, |
|||
).new() |
|||
pyotp_mock.reset_mock() |
|||
|
|||
self.assertFalse(test_wiz.qr_code_tag) |
|||
pyotp_mock.assert_not_called() |
|||
|
|||
def test_compute_qr_code_tag_user_id(self, pyotp_mock): |
|||
'''Should set field to image with encoded PyOTP URI if user present''' |
|||
pyotp_mock.TOTP().provisioning_uri.return_value = 'test:uri' |
|||
test_wiz = self._new_wizard() |
|||
|
|||
self.assertEqual( |
|||
test_wiz.qr_code_tag, |
|||
'<img src="/report/barcode/?type=QR&value=' |
|||
'%s&width=300&height=300">' % 'test%3Auri', |
|||
) |
|||
|
|||
def test_compute_qr_code_tag_pyotp_use(self, pyotp_mock): |
|||
'''Should call PyOTP twice with correct arguments if user_id present''' |
|||
test_wiz = self._new_wizard() |
|||
pyotp_mock.reset_mock() |
|||
test_wiz._compute_qr_code_tag() |
|||
|
|||
pyotp_mock.TOTP.assert_called_once_with(test_wiz.secret_key) |
|||
pyotp_mock.TOTP().provisioning_uri.assert_called_once_with( |
|||
self.test_user.display_name, |
|||
issuer_name=self.test_user.company_id.display_name, |
|||
) |
|||
|
|||
def test_perform_validations_wrong_confirmation(self, pyotp_mock): |
|||
'''Should raise correct error if PyOTP cannot verify code''' |
|||
test_wiz = self._new_wizard() |
|||
pyotp_mock.TOTP().verify.return_value = False |
|||
|
|||
with self.assertRaisesRegexp(ValidationError, 'confirmation code'): |
|||
test_wiz._perform_validations() |
|||
|
|||
def test_perform_validations_right_confirmation(self, pyotp_mock): |
|||
'''Should not raise error if PyOTP can verify code''' |
|||
test_wiz = self._new_wizard() |
|||
pyotp_mock.TOTP().verify.return_value = True |
|||
|
|||
try: |
|||
test_wiz._perform_validations() |
|||
except ValidationError: |
|||
self.fail('A ValidationError was raised and should not have been.') |
|||
|
|||
def test_perform_validations_pyotp_use(self, pyotp_mock): |
|||
'''Should call PyOTP twice with correct arguments''' |
|||
test_wiz = self._new_wizard() |
|||
pyotp_mock.reset_mock() |
|||
test_wiz._perform_validations() |
|||
|
|||
pyotp_mock.TOTP.assert_called_once_with(test_wiz.secret_key) |
|||
pyotp_mock.TOTP().verify.assert_called_once_with( |
|||
test_wiz.confirmation_code, |
|||
) |
|||
|
|||
def test_create_authenticator(self, pyotp_mock): |
|||
'''Should create single authenticator record with correct info''' |
|||
test_wiz = self._new_wizard() |
|||
auth_model = self.env['res.users.authenticator'] |
|||
auth_model.search([('id', '>', 0)]).unlink() |
|||
test_wiz._create_authenticator() |
|||
test_auth = auth_model.search([('id', '>', 0)]) |
|||
|
|||
self.assertEqual(len(test_auth), 1) |
|||
self.assertEqual( |
|||
(test_auth.name, test_auth.secret_key, test_auth.user_id), |
|||
(test_wiz.name, test_wiz.secret_key, test_wiz.user_id), |
|||
) |
|||
|
|||
def test_action_create_return_info(self, pyotp_mock): |
|||
'''Should return info of user preferences action with user_id added''' |
|||
test_wiz = self._new_wizard() |
|||
test_info = self.env.ref('base.action_res_users_my').read()[0] |
|||
test_info.update({'res_id': test_wiz.user_id.id}) |
|||
|
|||
self.assertEqual(test_wiz.action_create(), test_info) |
|||
|
|||
def test_action_create_helper_use(self, pyotp_mock): |
|||
'''Should call correct helper methods with proper arguments''' |
|||
test_wiz = self._new_wizard() |
|||
|
|||
with mock.patch.multiple( |
|||
test_wiz, |
|||
_perform_validations=mock.DEFAULT, |
|||
_create_authenticator=mock.DEFAULT, |
|||
): |
|||
test_wiz.action_create() |
|||
test_wiz._perform_validations.assert_called_once_with() |
|||
test_wiz._create_authenticator.assert_called_once_with() |
@ -0,0 +1,34 @@ |
|||
<?xml version="1.0" encoding="utf-8"?> |
|||
|
|||
<!-- |
|||
Copyright 2016-2017 LasLabs Inc. |
|||
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
--> |
|||
|
|||
<odoo> |
|||
<template id="mfa_login" name="MFA Login Page"> |
|||
<t t-call="web.login_layout"> |
|||
<form class="oe_login_form" role="form" t-attf-action="/auth_totp/login" method="post" onsubmit="this.action = this.action + location.hash"> |
|||
<input type="hidden" name="csrf_token" t-att-value="request.csrf_token()"/> |
|||
<input type="hidden" name="redirect" t-att-value="redirect"/> |
|||
<input type="hidden" name="mfa_login_token" t-att-value="mfa_login_token"/> |
|||
<div class="form-group field-login"> |
|||
<label for="confirmation_code" class="control-label">MFA Confirmation Code</label> |
|||
<input type="text" name="confirmation_code" id="confirmation_code" class="form-control" required="required" autofocus="autofocus" autocapitalize="off"/> |
|||
</div> |
|||
<div class="form-group checkbox"> |
|||
<label> |
|||
<input type="checkbox" name="remember_device" id="remember_device"/> |
|||
<span>Remember this device</span> |
|||
</label> |
|||
</div> |
|||
<p class="alert alert-danger" t-if="error"> |
|||
<t t-esc="error"/> |
|||
</p> |
|||
<div class="clearfix oe_login_buttons"> |
|||
<button type="submit" class="btn btn-primary">Confirm</button> |
|||
</div> |
|||
</form> |
|||
</t> |
|||
</template> |
|||
</odoo> |
@ -0,0 +1,27 @@ |
|||
<?xml version="1.0" encoding="utf-8"?> |
|||
|
|||
<!-- |
|||
Copyright 2016-2017 LasLabs Inc. |
|||
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
--> |
|||
|
|||
<odoo> |
|||
<record id="view_users_form_simple_modif" model="ir.ui.view"> |
|||
<field name="name">Change My Preferences - MFA Settings</field> |
|||
<field name="model">res.users</field> |
|||
<field name="inherit_id" ref="base.view_users_form_simple_modif"/> |
|||
<field name="arch" type="xml"> |
|||
<xpath expr="//footer" position="before"> |
|||
<group string="MFA Settings" name="mfa_settings" col="8"> |
|||
<div colspan="8" class="oe_mb8"> |
|||
<span>Note: Please add at least one authentication app/device before enabling MFA.</span> |
|||
</div> |
|||
<field name="mfa_enabled"/> |
|||
<newline/> |
|||
<field name="authenticator_ids" widget="many2many_tags" options="{'no_create': True}" colspan="7"/> |
|||
<button string="Add New App/Device" type="action" name="%(res_users_authenticator_create_action)d" colspan="1"/> |
|||
</group> |
|||
</xpath> |
|||
</field> |
|||
</record> |
|||
</odoo> |
@ -0,0 +1,5 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
from . import res_users_authenticator_create |
@ -0,0 +1,117 @@ |
|||
# -*- coding: utf-8 -*- |
|||
# Copyright 2016-2017 LasLabs Inc. |
|||
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
|
|||
import logging |
|||
import urllib |
|||
from openerp import _, api, fields, models |
|||
from openerp.exceptions import ValidationError |
|||
|
|||
_logger = logging.getLogger(__name__) |
|||
try: |
|||
import pyotp |
|||
except ImportError: |
|||
_logger.debug( |
|||
'Could not import PyOTP. Please make sure this library is available in' |
|||
' your environment.' |
|||
) |
|||
|
|||
|
|||
class ResUsersAuthenticatorCreate(models.TransientModel): |
|||
_name = 'res.users.authenticator.create' |
|||
_description = 'MFA App/Device Creation Wizard' |
|||
|
|||
name = fields.Char( |
|||
string='Authentication App/Device Name', |
|||
help='A name that will help you remember this authentication' |
|||
' app/device', |
|||
required=True, |
|||
index=True, |
|||
) |
|||
secret_key = fields.Char( |
|||
default=lambda s: pyotp.random_base32(), |
|||
required=True, |
|||
) |
|||
qr_code_tag = fields.Html( |
|||
compute='_compute_qr_code_tag', |
|||
string='QR Code', |
|||
help='Scan this image with your authentication app to add your' |
|||
' account', |
|||
) |
|||
user_id = fields.Many2one( |
|||
comodel_name='res.users', |
|||
default=lambda s: s._default_user_id(), |
|||
required=True, |
|||
string='Associated User', |
|||
help='This is the user whose account the new authentication app/device' |
|||
' will be tied to', |
|||
readonly=True, |
|||
index=True, |
|||
) |
|||
confirmation_code = fields.Char( |
|||
string='Confirmation Code', |
|||
help='Enter the latest six digit code generated by your authentication' |
|||
' app', |
|||
required=True, |
|||
) |
|||
|
|||
@api.model |
|||
def _default_user_id(self): |
|||
user_id = self.env.context.get('uid') |
|||
return self.env['res.users'].browse(user_id) |
|||
|
|||
@api.multi |
|||
@api.depends( |
|||
'secret_key', |
|||
'user_id.display_name', |
|||
'user_id.company_id.display_name', |
|||
) |
|||
def _compute_qr_code_tag(self): |
|||
for record in self: |
|||
if not record.user_id: |
|||
continue |
|||
|
|||
totp = pyotp.TOTP(record.secret_key) |
|||
provisioning_uri = totp.provisioning_uri( |
|||
record.user_id.display_name, |
|||
issuer_name=record.user_id.company_id.display_name, |
|||
) |
|||
provisioning_uri = urllib.quote(provisioning_uri) |
|||
|
|||
qr_width = qr_height = 300 |
|||
tag_base = '<img src="/report/barcode/?type=QR&' |
|||
tag_params = 'value=%s&width=%s&height=%s">' % ( |
|||
provisioning_uri, |
|||
qr_width, |
|||
qr_height |
|||
) |
|||
record.qr_code_tag = tag_base + tag_params |
|||
|
|||
@api.multi |
|||
def action_create(self): |
|||
self.ensure_one() |
|||
self._perform_validations() |
|||
self._create_authenticator() |
|||
|
|||
action_data = self.env.ref('base.action_res_users_my').read()[0] |
|||
action_data.update({'res_id': self.user_id.id}) |
|||
return action_data |
|||
|
|||
@api.multi |
|||
def _perform_validations(self): |
|||
totp = pyotp.TOTP(self.secret_key) |
|||
if not totp.verify(self.confirmation_code): |
|||
raise ValidationError(_( |
|||
'Your confirmation code is not correct. Please try again,' |
|||
' making sure that your MFA device is set to the correct time' |
|||
' and that you have entered the most recent code generated by' |
|||
' your authentication app.' |
|||
)) |
|||
|
|||
@api.multi |
|||
def _create_authenticator(self): |
|||
self.env['res.users.authenticator'].create({ |
|||
'name': self.name, |
|||
'secret_key': self.secret_key, |
|||
'user_id': self.user_id.id, |
|||
}) |
@ -0,0 +1,43 @@ |
|||
<?xml version="1.0" encoding="utf-8"?> |
|||
|
|||
<!-- |
|||
Copyright 2016-2017 LasLabs Inc. |
|||
License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html). |
|||
--> |
|||
|
|||
<odoo> |
|||
<record id="res_users_authenticator_create_view_form" model="ir.ui.view"> |
|||
<field name="name">MFA App/Device Creation Wizard</field> |
|||
<field name="model">res.users.authenticator.create</field> |
|||
<field name="arch" type="xml"> |
|||
<form string="Authenticator Info"> |
|||
<header/> |
|||
<sheet> |
|||
<div> |
|||
<span>Please provide a name for your app/device. </span> |
|||
<span>Then scan the QR code below to add this account to your authenticator app and enter in the six digit code produced by the app.</span> |
|||
</div> |
|||
<group name="data"> |
|||
<field name="name"/> |
|||
<field name="user_id"/> |
|||
<field name="qr_code_tag"/> |
|||
<field name="confirmation_code"/> |
|||
<field name="secret_key" invisible="1"/> |
|||
</group> |
|||
</sheet> |
|||
<footer> |
|||
<button special="cancel" string="Cancel" class="pull-left"/> |
|||
<button name="action_create" type="object" string="Create" class="oe_highlight pull-right"/> |
|||
</footer> |
|||
</form> |
|||
</field> |
|||
</record> |
|||
|
|||
<record id="res_users_authenticator_create_action" model="ir.actions.act_window"> |
|||
<field name="name">MFA App/Device Creation Wizard</field> |
|||
<field name="res_model">res.users.authenticator.create</field> |
|||
<field name="view_type">form</field> |
|||
<field name="view_mode">form</field> |
|||
<field name="target">new</field> |
|||
</record> |
|||
</odoo> |
Write
Preview
Loading…
Cancel
Save
Reference in new issue