If HTTP_REMOTE_USER is in the request headers and no corresponding user is found in Odoo, always issue Unauthorized (avoid redirecting to the login page)
If the uid in the session is not the same as the one bound to HTTP_REMOTE_USER, always log out to clean up the session
pull/34/head
parent
8c7115e2d3
commit
436ffcd53f
|
@ -20,6 +20,5 @@
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
from . import controllers
|
from . import controllers
|
||||||
from . import res_config
|
|
||||||
from . import res_users
|
from . import res_users
|
||||||
from . import model
|
from . import model
|
||||||
|
|
|
@ -33,9 +33,8 @@ at startup; Add the *--load* parameter to the startup command: ::
|
||||||
|
|
||||||
--load=web,web_kanban,auth_from_http_remote_user, ...
|
--load=web,web_kanban,auth_from_http_remote_user, ...
|
||||||
|
|
||||||
If the field is not found or no user matches the given one, it can lets the
|
If the field is found in the header and no user matches the given one, the
|
||||||
system redirect to the login page (default) or issue a login error page
|
system issue a login error page. (*401* `Unauthorized`)
|
||||||
depending of the configuration.
|
|
||||||
|
|
||||||
Use case.
|
Use case.
|
||||||
---------
|
---------
|
||||||
|
@ -152,9 +151,7 @@ logged in the system.
|
||||||
'website': 'http://www.acsone.eu',
|
'website': 'http://www.acsone.eu',
|
||||||
'depends': ['base', 'web', 'base_setup'],
|
'depends': ['base', 'web', 'base_setup'],
|
||||||
"license": "AGPL-3",
|
"license": "AGPL-3",
|
||||||
'data': [
|
'data': [],
|
||||||
'res_config_view.xml',
|
|
||||||
'res_config_data.xml'],
|
|
||||||
"demo": [],
|
"demo": [],
|
||||||
"test": [],
|
"test": [],
|
||||||
"active": False,
|
"active": False,
|
||||||
|
|
|
@ -49,11 +49,10 @@ class Home(main.Home):
|
||||||
return werkzeug.exceptions.Unauthorized().get_response()
|
return werkzeug.exceptions.Unauthorized().get_response()
|
||||||
return super(Home, self).web_client(s_action, **kw)
|
return super(Home, self).web_client(s_action, **kw)
|
||||||
|
|
||||||
def _get_user_id_from_attributes(self, res_users, cr):
|
def _get_user_id_from_headers(self, res_users, headers, cr):
|
||||||
headers = http.request.httprequest.headers.environ
|
|
||||||
login = headers.get(self._REMOTE_USER_ATTRIBUTE, None)
|
login = headers.get(self._REMOTE_USER_ATTRIBUTE, None)
|
||||||
if not login:
|
if not login:
|
||||||
_logger.error("Required fields '%s' not found in http headers\n %s",
|
_logger.info("Expected fields '%s' not found in http headers\n %s",
|
||||||
self._REMOTE_USER_ATTRIBUTE, headers)
|
self._REMOTE_USER_ATTRIBUTE, headers)
|
||||||
return None
|
return None
|
||||||
user_ids = res_users.search(cr, SUPERUSER_ID, [('login', '=', login),
|
user_ids = res_users.search(cr, SUPERUSER_ID, [('login', '=', login),
|
||||||
|
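Review bot: The `_logger.info(...)` call at the top of `_get_user_id_from_headers` still interpolates the whole WSGI `environ` dict into the log line, and because a missing header is now the normal non-SSO request path and the level dropped from error to info, that dump is written for every such request; the environ holds values such as `HTTP_COOKIE` and `HTTP_AUTHORIZATION` when the client sent them, which should not end up in application logs. Suggest logging only the header name and at debug level, e.g. `_logger.debug("Expected field '%s' not found in http headers", self._REMOTE_USER_ATTRIBUTE)`. The method's return path after the `res_users.search(...)` call continues outside the hunk.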
@ -71,22 +70,24 @@ class Home(main.Home):
|
||||||
return
|
return
|
||||||
res_users = registry.get('res.users')
|
res_users = registry.get('res.users')
|
||||||
# get the user
|
# get the user
|
||||||
user_id = self._get_user_id_from_attributes(res_users,
|
headers = http.request.httprequest.headers.environ
|
||||||
|
user_id = self._get_user_id_from_headers(res_users,
|
||||||
|
headers,
|
||||||
cr)
|
cr)
|
||||||
if request.session.uid and request.session.uid == user_id:
|
|
||||||
return
|
|
||||||
|
|
||||||
config = registry.get('base.config.settings')
|
if not user_id:
|
||||||
# get parameters for SSO
|
if self._REMOTE_USER_ATTRIBUTE in headers:
|
||||||
default_login_page_disabled = \
|
request.session.logout(keep_db=True)
|
||||||
config.is_default_login_page_disabled(cr,
|
|
||||||
SUPERUSER_ID,
|
|
||||||
None)
|
|
||||||
|
|
||||||
if user_id is None:
|
|
||||||
if default_login_page_disabled:
|
|
||||||
raise http.AuthenticationError()
|
raise http.AuthenticationError()
|
||||||
|
else:
|
||||||
|
return None
|
||||||
|
|
||||||
|
request_uid = request.session.uid
|
||||||
|
if request_uid:
|
||||||
|
if request_uid == user_id:
|
||||||
return
|
return
|
||||||
|
else:
|
||||||
|
request.session.logout(keep_db=True)
|
||||||
|
|
||||||
# generate a specific key for authentication
|
# generate a specific key for authentication
|
||||||
key = randomString(utils.KEY_LENGTH, '0123456789abcdef')
|
key = randomString(utils.KEY_LENGTH, '0123456789abcdef')
|
||||||
|
|
|
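Review bot: The new `if not user_id:` branch exits with `return None` while the other early exits in this method (the `return` before `res_users = registry.get(...)` and the `request_uid == user_id` case) use a bare `return`, and the `else:` after `raise http.AuthenticationError()` is redundant since the raise already leaves the method, so the block reads more simply as a guard: `if self._REMOTE_USER_ATTRIBUTE not in headers: return` followed by the logout and the raise. A one-line comment above the branch stating the policy would also help a reader, e.g. `# header present but no matching user: deny (AuthenticationError); header absent: fall back to the normal login flow`. The enclosing method starts before this hunk and continues past the `randomString(...)` line, so the path taken after the mismatch logout is not visible here.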
@ -22,6 +22,6 @@ from openerp.osv import orm
|
||||||
|
|
||||||
|
|
||||||
class AuthFromHttpRemoteUserInstalled(orm.AbstractModel):
|
class AuthFromHttpRemoteUserInstalled(orm.AbstractModel):
|
||||||
"""An abstract model used to safely now if the module is installed
|
"""An abstract model used to safely know if the module is installed
|
||||||
"""
|
"""
|
||||||
_name = 'auth_from_http_remote_user.installed'
|
_name = 'auth_from_http_remote_user.installed'
|
||||||
|
|
|
@ -1,64 +0,0 @@
|
||||||
# -*- coding: utf-8 -*-
|
|
||||||
##############################################################################
|
|
||||||
#
|
|
||||||
# Author: Laurent Mignon
|
|
||||||
# Copyright 2014 'ACSONE SA/NV'
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU Affero General Public License as
|
|
||||||
# published by the Free Software Foundation, either version 3 of the
|
|
||||||
# License, or (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU Affero General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU Affero General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
##############################################################################
|
|
||||||
|
|
||||||
from openerp.osv import orm, fields
|
|
||||||
from openerp.tools.safe_eval import safe_eval
|
|
||||||
|
|
||||||
|
|
||||||
class auth_from_http_remote_user_configuration(orm.TransientModel):
|
|
||||||
_inherit = 'base.config.settings'
|
|
||||||
|
|
||||||
_columns = {
|
|
||||||
'default_login_page_disabled': fields.boolean("Disable login page when "
|
|
||||||
"login with HTTP Remote "
|
|
||||||
"User",
|
|
||||||
help="""
|
|
||||||
Disable the default login page.
|
|
||||||
If the HTTP_REMOTE_HEADER field is not found or no user matches the given one,
|
|
||||||
the system will display a login error page if the login page is disabled.
|
|
||||||
Otherwise the normal login page will be displayed.
|
|
||||||
"""),
|
|
||||||
}
|
|
||||||
|
|
||||||
def is_default_login_page_disabled(self, cr, uid, fields, context=None):
|
|
||||||
vals = self.get_default_default_login_page_disabled(cr,
|
|
||||||
uid,
|
|
||||||
fields,
|
|
||||||
context=context)
|
|
||||||
return vals.get('default_login_page_disabled', False)
|
|
||||||
|
|
||||||
def get_default_default_login_page_disabled(self, cr, uid, fields,
|
|
||||||
context=None):
|
|
||||||
icp = self.pool.get('ir.config_parameter')
|
|
||||||
# we use safe_eval on the result, since the value of
|
|
||||||
# the parameter is a nonempty string
|
|
||||||
is_disabled = icp.get_param(cr, uid, 'default_login_page_disabled',
|
|
||||||
'False')
|
|
||||||
return {'default_login_page_disabled': safe_eval(is_disabled)}
|
|
||||||
|
|
||||||
def set_default_default_login_page_disabled(self, cr, uid, ids,
|
|
||||||
context=None):
|
|
||||||
config = self.browse(cr, uid, ids[0], context=context)
|
|
||||||
icp = self.pool.get('ir.config_parameter')
|
|
||||||
# we store the repr of the value, since the value of the parameter
|
|
||||||
# is a required string
|
|
||||||
icp.set_param(cr, uid, 'default_login_page_disabled',
|
|
||||||
repr(config.default_login_page_disabled))
|
|
|
@ -1,9 +0,0 @@
|
||||||
<?xml version="1.0"?>
|
|
||||||
<openerp>
|
|
||||||
<data noupdate="1">
|
|
||||||
<record model="ir.config_parameter" id="auth_from_http_remote_user.default_login_page_disabled">
|
|
||||||
<field name="key">auth_from_http_remote_user.default_login_page_disabled</field>
|
|
||||||
<field name="value">False</field>
|
|
||||||
</record>
|
|
||||||
</data>
|
|
||||||
</openerp>
|
|
|
@ -1,18 +0,0 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
|
||||||
<openerp>
|
|
||||||
<data>
|
|
||||||
<record id="view_general_configuration" model="ir.ui.view">
|
|
||||||
<field name="name">base.config.settings.auth_from_http_remote_user</field>
|
|
||||||
<field name="model">base.config.settings</field>
|
|
||||||
<field name="inherit_id" ref="base_setup.view_general_configuration" />
|
|
||||||
<field name="arch" type="xml">
|
|
||||||
<xpath expr="//field[@name='module_auth_oauth']/.." position="after">
|
|
||||||
<div>
|
|
||||||
<field name="default_login_page_disabled" class="oe_inline" />
|
|
||||||
<label for="default_login_page_disabled" />
|
|
||||||
</div>
|
|
||||||
</xpath>
|
|
||||||
</field>
|
|
||||||
</record>
|
|
||||||
</data>
|
|
||||||
</openerp>
|
|