-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[REF] auth_brute_force: Cover all auth entrypoints #1219
Changes from 3 commits
d44f0a0
71ac406
e445ffa
cf64c2c
3d47554
c8379c4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -69,14 +69,15 @@ For further information, please visit: | |
Known issues / Roadmap | ||
====================== | ||
|
||
* The ID used to identify a remote request is the IP provided in the request | ||
(key 'REMOTE_ADDR'). | ||
* Remove 🐒 patch for https://github.com/odoo/odoo/issues/24183 when fixed. | ||
|
||
* Depending of server and / or user network configuration, the idenfication | ||
of the user can be wrong, and mainly in the following cases: | ||
* If the Odoo server is behind an Apache / NGinx proxy without redirection, | ||
all the request will be have the value '127.0.0.1' for the REMOTE_ADDR key; | ||
* If some users are behind the same Internet Service Provider, if a user is | ||
banned, all the other users will be banned too; | ||
|
||
* If the Odoo server is behind an Apache / NGinx proxy and it is not properly | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Incorrect indentation There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's because it's a sub-point for previous point. |
||
configured, all requests will use the same IP address. Blocking such IP | ||
could render Odoo unusable for all users! **Make sure your logs output the | ||
correct IP for werkzeug traffic before installing this addon.** | ||
|
||
Bug Tracker | ||
=========== | ||
|
@@ -94,6 +95,7 @@ Contributors | |
|
||
* Sylvain LE GAL (https://twitter.com/legalsylvain) | ||
* David Vidal <david.vidal@tecnativa.com> | ||
* Jairo Llopis <jairo.llopis@tecnativa.com> | ||
|
||
Maintainer | ||
---------- | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,3 @@ | ||
# -*- encoding: utf-8 -*- | ||
# -*- coding: utf-8 -*- | ||
|
||
from . import models | ||
from . import controllers |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,22 +3,21 @@ | |
# Copyright 2017 Tecnativa - David Vidal | ||
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). | ||
{ | ||
'name': 'Authentification - Brute-force Attack', | ||
'version': '10.0.1.0.0', | ||
'name': 'Authentification - Brute-Force Filter', | ||
'version': '10.0.2.0.0', | ||
'category': 'Tools', | ||
'summary': "Tracks Authentication Attempts and Prevents Brute-force" | ||
" Attacks module", | ||
'summary': "Track Authentication Attempts and Prevent Brute-force Attacks", | ||
'author': "GRAP, " | ||
"Tecnativa, " | ||
"Odoo Community Association (OCA)", | ||
'website': 'http://www.grap.coop', | ||
'website': 'https://github.com/OCA/server-auth', | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. But this PR is in serve-tools 🤔 |
||
'license': 'AGPL-3', | ||
'depends': [ | ||
'web', | ||
], | ||
# If we don't depend on it, it would inhibit this addon | ||
"auth_crypt", | ||
], | ||
'data': [ | ||
'security/ir_model_access.yml', | ||
'data/ir_config_parameter.xml', | ||
'views/view.xml', | ||
'views/action.xml', | ||
'views/menu.xml', | ||
|
This file was deleted.
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
# -*- coding: utf-8 -*- | ||
# Copyright 2018 Tecnativa - Jairo Llopis | ||
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). | ||
|
||
from psycopg2 import IntegrityError | ||
|
||
|
||
def migrate(cr, version): | ||
# Fix typo across DB | ||
cr.execute( | ||
""" UPDATE res_authentication_attempt | ||
SET result = 'successful' | ||
WHERE result = 'successfull'""", | ||
) | ||
# Store whitelist IPs in new format | ||
cr.execute( | ||
""" SELECT remote | ||
FROM res_banned_remote | ||
WHERE active IS FALSE""", | ||
) | ||
remotes = {record[0] for record in cr.fetchall()} | ||
try: | ||
with cr.savepoint(): | ||
cr.execute( | ||
"INSERT INTO ir_config_parameter (key, value) VALUES (%s, %s)", | ||
( | ||
"auth_brute_force.whitelist_remotes", | ||
",".join(remotes), | ||
), | ||
) | ||
except IntegrityError: | ||
# Parameter already exists | ||
cr.execute( | ||
"SELECT value FROM ir_config_parameter WHERE key = %s", | ||
("auth_brute_force.whitelist_remotes",) | ||
) | ||
current = set(cr.fetchall()[0][0].split(",")) | ||
cr.execute( | ||
"UPDATE ir_config_parameter SET value = %s WHERE key = %s", | ||
(",".join(current | remotes), | ||
"auth_brute_force.whitelist_remotes"), | ||
) | ||
# Update the configured IP limit parameter | ||
cr.execute( | ||
"UPDATE ir_config_parameter SET key = %s WHERE key = %s", | ||
( | ||
"auth_brute_force.whitelist_remotes", | ||
"auth_brute_force.max_by_ip", | ||
) | ||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
# -*- encoding: utf-8 -*- | ||
|
||
from . import res_banned_remote | ||
from . import res_authentication_attempt | ||
from . import res_users |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This issue was closed. Solved for v12