From 436ffcd53f3be98217ddb161282c0564aa0597bb Mon Sep 17 00:00:00 2001
From: "Laurent Mignon (aka lmi)"
Date: Mon, 4 Aug 2014 16:42:02 +0200
Subject: [PATCH] If HTTP_REMOTE_USER is in the request headers and no corresponding user is found in odoo always issues Unauthorized (avoid redirect to the login page) If the uid in the session is not the same as the one from the binded HTTP_REMOTE_USER, always logout to clean up the session
---
 auth_from_http_remote_user/__init__.py | 1 -
 auth_from_http_remote_user/__openerp__.py | 9 +--
 .../controllers/main.py | 37 +++++------
 auth_from_http_remote_user/model.py | 2 +-
 auth_from_http_remote_user/res_config.py | 64 ------------------
 .../res_config_data.xml | 9 ---
 .../res_config_view.xml | 18 ------
 7 files changed, 23 insertions(+), 117 deletions(-)
 delete mode 100644 auth_from_http_remote_user/res_config.py
 delete mode 100644 auth_from_http_remote_user/res_config_data.xml
 delete mode 100644 auth_from_http_remote_user/res_config_view.xml
diff --git a/auth_from_http_remote_user/__init__.py b/auth_from_http_remote_user/__init__.py
index f2baf2765..7fb1b9d59 100644
--- a/auth_from_http_remote_user/__init__.py
+++ b/auth_from_http_remote_user/__init__.py
@@ -20,6 +20,5 @@
 ##############################################################################
 from . import controllers
-from . import res_config
 from . import res_users
 from . import model
diff --git a/auth_from_http_remote_user/__openerp__.py b/auth_from_http_remote_user/__openerp__.py
index 94928f702..5266d4d12 100644
--- a/auth_from_http_remote_user/__openerp__.py
+++ b/auth_from_http_remote_user/__openerp__.py
@@ -33,9 +33,8 @@ at startup; Add the *--load* parameter to the startup command: :: --load=web,web_kanban,auth_from_http_remote_user, ...
-If the field is not found or no user matches the given one, it can lets the
-system redirect to the login page (default) or issue a login error page
-depending of the configuration.
+If the field is found in the header and no user matches the given one, the
+system issue a login error page. (*401* `Unauthorized`)
 Use case.
 ---------
@@ -152,9 +151,7 @@ logged in the system.
 'website': 'http://www.acsone.eu',
 'depends': ['base', 'web', 'base_setup'],
 "license": "AGPL-3",
- 'data': [
- 'res_config_view.xml',
- 'res_config_data.xml'],
+ 'data': [],
 "demo": [],
 "test": [],
 "active": False,
diff --git a/auth_from_http_remote_user/controllers/main.py b/auth_from_http_remote_user/controllers/main.py
index 9f4df7fbe..13a3fa237 100644
--- a/auth_from_http_remote_user/controllers/main.py
+++ b/auth_from_http_remote_user/controllers/main.py
@@ -49,12 +49,11 @@ class Home(main.Home):
 return werkzeug.exceptions.Unauthorized().get_response()
 return super(Home, self).web_client(s_action, **kw)
- def _get_user_id_from_attributes(self, res_users, cr):
- headers = http.request.httprequest.headers.environ
+ def _get_user_id_from_headers(self, res_users, headers, cr):
 login = headers.get(self._REMOTE_USER_ATTRIBUTE, None)
 if not login:
- _logger.error("Required fields '%s' not found in http headers\n %s",
- self._REMOTE_USER_ATTRIBUTE, headers)
+ _logger.info("Expected fields '%s' not found in http headers\n %s",
- self._REMOTE_USER_ATTRIBUTE, headers)
 return None
 user_ids = res_users.search(cr, SUPERUSER_ID, [('login', '=', login), ('active', '=', True)])
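Review bot: The rewritten manifest paragraph describes only the no-matching-user case, while the commit also changes what happens when a session is already open for a different uid (it is logged out before the header user is authenticated, per the commit message); a reader of this description cannot learn that and it is worth a sentence here. Wording: `system issue a login error page` should read `system issues a login error page`, and the status code reads better inside the sentence, e.g. `the system issues a login error page (*401* Unauthorized).` The second hunk of this file only empties the `data` list and needs no comment.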
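Review bot: The downgraded log call in `_get_user_id_from_headers` still interpolates the whole `headers` mapping, and since the caller now passes `http.request.httprequest.headers.environ`, each call that lacks the remote-user field writes the full WSGI environ to the log at INFO level — that mapping carries the request's cookie (session id) and any authorization header the client sent, and the message's new wording "Expected" says this is now the routine path rather than an error. Log the field name only and at debug: `_logger.debug("Expected field '%s' not found in http headers", self._REMOTE_USER_ATTRIBUTE)`. The method's tail, including what it returns when `res_users.search` finds nobody, lies outside the hunk, so the contract the caller relies on (`if not user_id`) cannot be checked from here.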
@@ -71,22 +70,24 @@ class Home(main.Home):
 return
 res_users = registry.get('res.users')
 # get the user
- user_id = self._get_user_id_from_attributes(res_users,
- cr)
- if request.session.uid and request.session.uid == user_id:
- return
+ headers = http.request.httprequest.headers.environ
+ user_id = self._get_user_id_from_headers(res_users,
+ headers,
+ cr)
- config = registry.get('base.config.settings')
- # get parameters for SSO
- default_login_page_disabled = \
- config.is_default_login_page_disabled(cr,
- SUPERUSER_ID,
- None)
-
- if user_id is None:
- if default_login_page_disabled:
+ if not user_id:
+ if self._REMOTE_USER_ATTRIBUTE in headers:
+ request.session.logout(keep_db=True)
 raise http.AuthenticationError()
- return
+ else:
+ return None
+
+ request_uid = request.session.uid
+ if request_uid:
+ if request_uid == user_id:
+ return
+ else:
+ request.session.logout(keep_db=True)
 # generate a specific key for authentication
 key = randomString(utils.KEY_LENGTH, '0123456789abcdef')
diff --git a/auth_from_http_remote_user/model.py b/auth_from_http_remote_user/model.py
index 4e514b833..c4ca50a33 100644
--- a/auth_from_http_remote_user/model.py
+++ b/auth_from_http_remote_user/model.py
@@ -22,6 +22,6 @@ from openerp.osv import orm
 class AuthFromHttpRemoteUserInstalled(orm.AbstractModel):
-    """An abstract model used to safely now if the module is installed
+    """An abstract model used to safely know if the module is installed
 """
 _name = 'auth_from_http_remote_user.installed'
diff --git a/auth_from_http_remote_user/res_config.py b/auth_from_http_remote_user/res_config.py
deleted file mode 100644
index 37fca0bd5..000000000
--- a/auth_from_http_remote_user/res_config.py
+++ /dev/null
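Review bot: The new `if self._REMOTE_USER_ATTRIBUTE in headers:` branch decides on a 401 from the mere presence of a key in the WSGI environ, the same mapping `_get_user_id_from_headers` takes the login from; if the attribute is the `HTTP_REMOTE_USER` key the commit message names, a WSGI server derives it from the request's `Remote-User` header, so both checks are only trustworthy when the proxy in front of Odoo unconditionally sets or strips that header. Nothing in the hunk records that deployment assumption; a comment above the lookup such as `# headers is the WSGI environ: the fronting proxy must always set or strip the remote-user header, never pass it through` would make it explicit for the next maintainer. The `else: return None` after the `raise` and the nested `if request_uid:` block can also be flattened without changing behaviour: `if request_uid == user_id: return` followed by `if request_uid: request.session.logout(keep_db=True)`. The function continues past the hunk (the session is re-established after the key is generated), so the logout-then-fall-through path should be read against that remainder.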
@@ -1,64 +0,0 @@
-# -*- coding: utf-8 -*-
-##############################################################################
-#
-# Author: Laurent Mignon
-# Copyright 2014 'ACSONE SA/NV'
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see .
-#
-##############################################################################
-
-from openerp.osv import orm, fields
-from openerp.tools.safe_eval import safe_eval
-
-
-class auth_from_http_remote_user_configuration(orm.TransientModel):
- _inherit = 'base.config.settings'
-
- _columns = {
- 'default_login_page_disabled': fields.boolean("Disable login page when "
- "login with HTTP Remote "
- "User",
- help="""
-Disable the default login page.
-If the HTTP_REMOTE_HEADER field is not found or no user matches the given one,
-the system will display a login error page if the login page is disabled.
-Otherwise the normal login page will be displayed.
- """),
- }
-
- def is_default_login_page_disabled(self, cr, uid, fields, context=None):
- vals = self.get_default_default_login_page_disabled(cr,
- uid,
- fields,
- context=context)
- return vals.get('default_login_page_disabled', False)
-
- def get_default_default_login_page_disabled(self, cr, uid, fields,
- context=None):
- icp = self.pool.get('ir.config_parameter')
- # we use safe_eval on the result, since the value of
- # the parameter is a nonempty string
- is_disabled = icp.get_param(cr, uid, 'default_login_page_disabled',
- 'False')
- return {'default_login_page_disabled': safe_eval(is_disabled)}
-
- def set_default_default_login_page_disabled(self, cr, uid, ids,
- context=None):
- config = self.browse(cr, uid, ids[0], context=context)
- icp = self.pool.get('ir.config_parameter')
- # we store the repr of the value, since the value of the parameter
- # is a required string
- icp.set_param(cr, uid, 'default_login_page_disabled',
- repr(config.default_login_page_disabled))
diff --git a/auth_from_http_remote_user/res_config_data.xml b/auth_from_http_remote_user/res_config_data.xml
deleted file mode 100644
index ba9a2b1c1..000000000
--- a/auth_from_http_remote_user/res_config_data.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-
-
-
-
- auth_from_http_remote_user.default_login_page_disabled
- False
-
-
-
diff --git a/auth_from_http_remote_user/res_config_view.xml b/auth_from_http_remote_user/res_config_view.xml
deleted file mode 100644
index e2f8df348..000000000
--- a/auth_from_http_remote_user/res_config_view.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-
-
-
-
- base.config.settings.auth_from_http_remote_user
- base.config.settings
-
-
-
-
-
-
-
-
-
-
-