[REF] auth_brute_force: Cover all auth entrypoints

.travis.yml

@@ -25,12 +25,14 @@ env:
   matrix:
   - LINT_CHECK="1"
   - TRANSIFEX="1"
-  - TESTS="1" ODOO_REPO="odoo/odoo" EXCLUDE="database_cleanup,auth_session_timeout"
-  - TESTS="1" ODOO_REPO="OCA/OCB" EXCLUDE="database_cleanup,auth_session_timeout"
+  - TESTS="1" ODOO_REPO="odoo/odoo" EXCLUDE="database_cleanup,auth_session_timeout,auth_brute_force"
+  - TESTS="1" ODOO_REPO="OCA/OCB" EXCLUDE="database_cleanup,auth_session_timeout,auth_brute_force"
   - TESTS="1" ODOO_REPO="odoo/odoo" INCLUDE="database_cleanup"
   - TESTS="1" ODOO_REPO="OCA/OCB" INCLUDE="database_cleanup"
   - TESTS="1" ODOO_REPO="odoo/odoo" INCLUDE="auth_session_timeout"
   - TESTS="1" ODOO_REPO="OCA/OCB" INCLUDE="auth_session_timeout"
+  - TESTS="1" ODOO_REPO="odoo/odoo" INCLUDE="auth_brute_force"
+  - TESTS="1" ODOO_REPO="OCA/OCB" INCLUDE="auth_brute_force"
 
 virtualenv:
   system_site_packages: true

auth_brute_force/README.rst

@@ -69,14 +69,15 @@ For further information, please visit:
 Known issues / Roadmap
 ======================
 
-* The ID used to identify a remote request is the IP provided in the request
-  (key 'REMOTE_ADDR').
+* Remove 🐒 patch for https://github.com/odoo/odoo/issues/24183 when fixed.
+
 * Depending of server and / or user network configuration, the idenfication
   of the user can be wrong, and mainly in the following cases:
-* If the Odoo server is behind an Apache / NGinx proxy without redirection,
-  all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key;
-* If some users are behind the same Internet Service Provider, if a user is
-  banned, all the other users will be banned too;
+
+  * If the Odoo server is behind an Apache / NGinx proxy and it is not properly
+    configured, all requests will use the same IP address. Blocking such IP
+    could render Odoo unusable for all users! **Make sure your logs output the
+    correct IP for werkzeug traffic before installing this addon.**
 
 Bug Tracker
 ===========
@@ -94,6 +95,7 @@ Contributors
 
 * Sylvain LE GAL (https://twitter.com/legalsylvain)
 * David Vidal <david.vidal@tecnativa.com>
+* Jairo Llopis <jairo.llopis@tecnativa.com>
 
 Maintainer
 ----------

auth_brute_force/__init__.py

@@ -1,4 +1,3 @@
-# -*- encoding: utf-8 -*-
+# -*- coding: utf-8 -*-
 
 from . import models
-from . import controllers

auth_brute_force/__manifest__.py

@@ -3,22 +3,21 @@
 # Copyright 2017 Tecnativa - David Vidal
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
 {
-    'name': 'Authentification - Brute-force Attack',
-    'version': '10.0.1.0.0',
+    'name': 'Authentification - Brute-Force Filter',
+    'version': '10.0.2.0.0',
     'category': 'Tools',
-    'summary': "Tracks Authentication Attempts and Prevents Brute-force"
-               " Attacks module",
+    'summary': "Track Authentication Attempts and Prevent Brute-force Attacks",
     'author': "GRAP, "
               "Tecnativa, "
               "Odoo Community Association (OCA)",
-    'website': 'http://www.grap.coop',
+    'website': 'https://github.com/OCA/server-auth',
     'license': 'AGPL-3',
     'depends': [
-        'web',
-        ],
+        # If we don't depend on it, it would inhibit this addon
+        "auth_crypt",
+    ],
     'data': [
         'security/ir_model_access.yml',
-        'data/ir_config_parameter.xml',
         'views/view.xml',
         'views/action.xml',
         'views/menu.xml',

auth_brute_force/migrations/10.0.2.0.0/pre-migrate.py

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+# Copyright 2018 Tecnativa - Jairo Llopis
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from psycopg2 import IntegrityError
+
+
+def migrate(cr, version):
+    # Fix typo across DB
+    cr.execute(
+        """ UPDATE res_authentication_attempt
+            SET result = 'successful'
+            WHERE result = 'successfull'""",
+    )
+    # Store whitelist IPs in new format
+    cr.execute(
+        """ SELECT remote
+            FROM res_banned_remote
+            WHERE active IS FALSE""",
+    )
+    remotes = {record[0] for record in cr.fetchall()}
+    try:
+        with cr.savepoint():
+            cr.execute(
+                "INSERT INTO ir_config_parameter (key, value) VALUES (%s, %s)",
+                (
+                    "auth_brute_force.whitelist_remotes",
+                    ",".join(remotes),
+                ),
+            )
+    except IntegrityError:
+        # Parameter already exists
+        cr.execute(
+            "SELECT value FROM ir_config_parameter WHERE key = %s",
+            ("auth_brute_force.whitelist_remotes",)
+        )
+        current = set(cr.fetchall()[0][0].split(","))
+        cr.execute(
+            "UPDATE ir_config_parameter SET value = %s WHERE key = %s",
+            (",".join(current | remotes),
+             "auth_brute_force.whitelist_remotes"),
+        )
+    # Update the configured IP limit parameter
+    cr.execute(
+        "UPDATE ir_config_parameter SET key = %s WHERE key = %s",
+        (
+            "auth_brute_force.whitelist_remotes",
+            "auth_brute_force.max_by_ip",
+        )
+    )

auth_brute_force/models/__init__.py

@@ -1,4 +1,4 @@
 # -*- encoding: utf-8 -*-
 
-from . import res_banned_remote
 from . import res_authentication_attempt
+from . import res_users