[FIX] auth_totp: Issue #187

auth_from_http_remote_user/README.rst

@@ -0,0 +1,172 @@
+.. image:: https://img.shields.io/badge/license-AGPL--3-blue.png
+    :target: https://www.gnu.org/licenses/agpl
+    :alt: License: AGPL-3
+
+====================================
+Authentication From HTTP Remote User
+====================================
+
+This module initialize the session by looking for the field HTTP_REMOTE_USER in
+the HEADERS of the HTTP request and trying to bind the given value to a user.
+To be active, the module must be installed in the expected databases and loaded
+at startup; Add the *--load* parameter to the startup command: ::
+
+  --load=web,auth_from_http_remote_user, ...
+
+If the field is found in the header and no user matches the given one, the
+system issue a login error page. (*401* `Unauthorized`)
+
+Configuration
+=============
+
+The module allows integration with external security systems [#]_ that can pass
+along authentication of a user via Remote_User HTTP header field. In many
+cases, this is achieved via server like Apache HTTPD or nginx proxying Odoo.
+
+.. important:: When proxying your Odoo server with Apache or nginx, It's
+   important to filter out the Remote_User HTTP header field before your
+   request is processed by the proxy to avoid security issues. In apache you
+   can do it by using the RequestHeader directive in your VirtualHost
+   section  ::
+
+    <VirtualHost *:80>
+     ServerName MY_VHOST.com
+     ProxyRequests Off
+    ...
+
+     RequestHeader unset Remote-User early
+     ProxyPass / http://127.0.0.1:8069/  retry=10
+     ProxyPassReverse  / http://127.0.0.1:8069/
+     ProxyPreserveHost On
+    </VirtualHost>
+
+
+How to test the module with Apache [#]_
+----------------------------------------
+
+Apache can be used as a reverse proxy providing the authentication and adding
+the required field in the Http headers.
+
+Install apache:  ::
+
+   $ sudo apt-get install apache2
+
+
+Define a new vhost to Apache by putting a new file in
+/etc/apache2/sites-available: ::
+
+   $ sudo vi  /etc/apache2/sites-available/MY_VHOST.com
+
+with the following content: ::
+
+   <VirtualHost *:80>
+     ServerName MY_VHOST.com
+     ProxyRequests Off
+     <Location />
+       AuthType Basic
+       AuthName "Test Odoo auth_from_http_remote_user"
+       AuthBasicProvider file
+       AuthUserFile /etc/apache2/MY_VHOST.htpasswd
+       Require valid-user
+
+       RewriteEngine On
+       RewriteCond %{LA-U:REMOTE_USER} (.+)
+       RewriteRule . - [E=RU:%1]
+       RequestHeader set Remote-User "%{RU}e" env=RU
+     </Location>
+
+     RequestHeader unset Remote-User early
+     ProxyPass / http://127.0.0.1:8069/  retry=10
+     ProxyPassReverse  / http://127.0.0.1:8069/
+     ProxyPreserveHost On
+   </VirtualHost>
+
+.. important:: The *RequestHeader* directive is used to add the *Remote-User*
+   field in the http headers. By default an *'Http-'* prefix is added to the
+   field name.
+   In Odoo, header's fields name are normalized. As result of this
+   normalization, the 'Http-Remote-User' is available as 'HTTP_REMOTE_USER'.
+   If you don't know how your specified field is seen by Odoo, run your
+   server in debug mode once the module is activated and look for an entry
+   like: ::
+
+     DEBUG openerp1 openerp.addons.auth_from_http_remote_user.controllers.
+     session:
+     Field 'HTTP_MY_REMOTE_USER' not found in http headers
+     {'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', ...,
+     'HTTP_REMOTE_USER': 'demo')
+
+Enable the required apache modules: ::
+
+   $ sudo a2enmod headers
+   $ sudo a2enmod proxy
+   $ sudo a2enmod rewrite
+   $ sudo a2enmod proxy_http
+
+Enable your new vhost: ::
+
+  $ sudo a2ensite MY_VHOST.com
+
+Create the *htpassword* file used by the configured basic authentication: ::
+
+   $ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin
+   $ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo
+
+For local test, add the *MY_VHOST.com* in your /etc/vhosts file.
+
+Finally reload the configuration: ::
+
+   $ sudo service apache2 reload
+
+Open your browser and go to MY_VHOST.com. If everything is well configured, you
+are prompted for a login and password outside Odoo and are automatically
+logged in the system.
+
+.. [#] Shibboleth, Tivoli access manager, ..
+.. [#] Based on a ubuntu 12.04 env
+
+Usage
+=====
+
+.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
+    :alt: Try me on Runbot
+    :target: https://runbot.odoo-community.org/runbot/149/12.0
+
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues
+<https://github.com/OCA/server-auth/issues>`_. In case of trouble, please
+check there if your issue has already been reported. If you spotted it first,
+help us to smash it by providing detailed and welcomed feedback.
+
+
+Credits
+=======
+
+Images
+------
+
+* Odoo Community Association: `Icon <https://github.com/OCA/maintainer-tools/blob/master/template/module/static/description/icon.svg>`_.
+
+Contributors
+------------
+
+* Laurent Mignon
+* Andrea Colangelo
+
+Maintainer
+----------
+
+.. image:: https://odoo-community.org/logo.png
+    :alt: Odoo Community Association
+    :target: https://odoo-community.org
+
+This module is maintained by the OCA.
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+To contribute to this module, please visit https://odoo-community.org.

auth_from_http_remote_user/__init__.py

@@ -0,0 +1,2 @@
+from . import controllers
+from . import models

auth_from_http_remote_user/__manifest__.py

@@ -0,0 +1,14 @@
+# Author: Laurent Mignon
+# Copyright 2014-2018 'ACSONE SA/NV'
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    'name': 'Authenticate via HTTP Remote User',
+    'version': '12.0.1.0.0',
+    'category': 'Tools',
+    'author': "Acsone SA/NV,Odoo Community Association (OCA)",
+    'maintainer': 'ACSONE SA/NV',
+    'website': 'https://github.com/OCA/server-auth',
+    'depends': ['base', 'web', 'base_setup'],
+    "license": "AGPL-3",
+}

auth_from_http_remote_user/controllers/__init__.py

@@ -0,0 +1,5 @@
+# Author: Laurent Mignon
+# Copyright 2014-2018 'ACSONE SA/NV'
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import main

auth_from_http_remote_user/controllers/main.py

@@ -0,0 +1,82 @@
+# Author: Laurent Mignon
+# Copyright 2014-2018 'ACSONE SA/NV'
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+import werkzeug
+
+from odoo import http
+from odoo import api
+from odoo import SUPERUSER_ID
+from odoo.http import request
+from odoo.addons.web.controllers import main
+
+from .. import utils
+
+_logger = logging.getLogger(__name__)
+
+
+class Home(main.Home):
+    _REMOTE_USER_ATTRIBUTE = 'HTTP_REMOTE_USER'
+
+    @http.route('/web', type='http', auth="none")
+    def web_client(self, s_action=None, **kw):
+        main.ensure_db()
+        try:
+            self._bind_http_remote_user(http.request.session.db)
+        except http.AuthenticationError:
+            return werkzeug.exceptions.Unauthorized().get_response()
+        return super().web_client(s_action, **kw)
+
+    def search_user(self, users, login):
+        """Search for an active user by login name"""
+        user = users.sudo().search([
+            ('login', '=', login),
+            ('active', '=', True)],
+            limit=1
+        )
+        if user:
+            return user[0]
+        return None
+
+    def login_http_remote_user(self, env, user):
+        """Specific login for HTTP user.
+
+        Generate a key for authentication and update the user
+        """
+        key = utils.randomString(utils.KEY_LENGTH, '0123456789abcdef')
+        user.with_env(env).sudo().write({'sso_key': key})
+        return key
+
+    def _bind_http_remote_user(self, db_name):
+        headers = http.request.httprequest.headers.environ
+        login = headers.get(self._REMOTE_USER_ATTRIBUTE, None)
+        if not login:
+            # No SSO user in header, continue usual behavior
+            return
+        request_login = request.session.login
+        if request_login:
+            if request_login == login:
+                # Already authenticated
+                return
+            else:
+                request.session.logout(keep_db=True)
+        try:
+            user = self.search_user(request.env['res.users'], login)
+            if not user:
+                # HTTP_REMOTE_USER login not found in database
+                request.session.logout(keep_db=True)
+                raise http.AuthenticationError()
+            # Login SSO user using separate environment as the authentication
+            # later on is done in a specific environment as well
+            with api.Environment.manage():
+                with request.env.registry.cursor() as cr:
+                    env = api.Environment(cr, SUPERUSER_ID, {})
+                    key = self.login_http_remote_user(env, user)
+            request.session.authenticate(db_name, login=login,
+                                         password=key, uid=user.id)
+        except http.AuthenticationError as e:
+            raise
+        except Exception as e:
+            _logger.error("Error binding HTTP remote user", exc_info=True)
+            raise

auth_from_http_remote_user/i18n/am.po

@@ -0,0 +1,32 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * auth_from_http_remote_user
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: server-tools (8.0)\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2016-09-16 09:29+0000\n"
+"PO-Revision-Date: 2015-09-18 13:54+0000\n"
+"Last-Translator: <>\n"
+"Language-Team: Amharic (http://www.transifex.com/oca/OCA-server-tools-8-0/"
+"language/am/)\n"
+"Language: am\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+#. module: auth_from_http_remote_user
+#: model:ir.model.fields,field_description:auth_from_http_remote_user.field_res_users_sso_key
+msgid "SSO Key"
+msgstr ""
+
+#. module: auth_from_http_remote_user
+#: model:ir.model,name:auth_from_http_remote_user.model_res_users
+msgid "Users"
+msgstr ""
+
+#~ msgid "ID"
+#~ msgstr "ID"

auth_from_http_remote_user/i18n/ar.po

@@ -0,0 +1,39 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * auth_from_http_remote_user
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: server-tools (8.0)\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-01-12 03:50+0000\n"
+"PO-Revision-Date: 2015-09-18 13:54+0000\n"
+"Last-Translator: <>\n"
+"Language-Team: Arabic (http://www.transifex.com/oca/OCA-server-tools-8-0/"
+"language/ar/)\n"
+"Language: ar\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=6; plural=n==0 ? 0 : n==1 ? 1 : n==2 ? 2 : n%100>=3 "
+"&& n%100<=10 ? 3 : n%100>=11 && n%100<=99 ? 4 : 5;\n"
+
+#. module: auth_from_http_remote_user
+#: model:ir.model.fields,field_description:auth_from_http_remote_user.field_res_users_sso_key
+msgid "SSO Key"
+msgstr ""
+
+#. module: auth_from_http_remote_user
+#: model:ir.model,name:auth_from_http_remote_user.model_res_users
+msgid "Users"
+msgstr "المستخدمون"
+
+#~ msgid "Display Name"
+#~ msgstr "اسم العرض"
+
+#~ msgid "ID"
+#~ msgstr "المعرف"
+
+#~ msgid "Last Modified on"
+#~ msgstr "آخر تعديل في"

auth_from_http_remote_user/i18n/auth_from_http_remote_user.pot

@@ -0,0 +1,25 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+#	* auth_from_http_remote_user
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 11.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: <>\n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_from_http_remote_user
+#: model:ir.model.fields,field_description:auth_from_http_remote_user.field_res_users_sso_key
+msgid "SSO Key"
+msgstr ""
+
+#. module: auth_from_http_remote_user
+#: model:ir.model,name:auth_from_http_remote_user.model_res_users
+msgid "Users"
+msgstr ""
+