Merge pull request #525 from OCA/17.0

Syncing from upstream OCA/server-auth (17.0)

README.md

@@ -26,6 +26,7 @@ addon | version | maintainers | summary
 [auth_api_key](auth_api_key/) | 17.0.1.1.1 |  | Authenticate http requests from an API key
 [auth_api_key_group](auth_api_key_group/) | 17.0.1.0.1 | [![simahawk](https://github.com/simahawk.png?size=30px)](https://github.com/simahawk) | Allow grouping API keys together. Grouping per se does nothing. This feature is supposed to be used by other modules to limit access to services or records based on groups of keys.
 [auth_api_key_server_env](auth_api_key_server_env/) | 17.0.1.0.0 |  | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
+[auth_ldaps](auth_ldaps/) | 17.0.1.0.0 |  | Allows to use LDAP over SSL authentication
 [auth_oidc](auth_oidc/) | 17.0.1.1.0 | [![sbidoul](https://github.com/sbidoul.png?size=30px)](https://github.com/sbidoul) | Allow users to login through OpenID Connect Provider
 [auth_saml](auth_saml/) | 17.0.1.0.0 | [![vincent-hatakeyama](https://github.com/vincent-hatakeyama.png?size=30px)](https://github.com/vincent-hatakeyama) | SAML2 Authentication
 [auth_session_timeout](auth_session_timeout/) | 17.0.1.0.0 |  | This module disable all inactive sessions since a given delay

auth_ldaps/README.rst

@@ -0,0 +1,116 @@
+====================
+LDAPS authentication
+====================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:7a3f2458afff7e8410aea21382679c63425026d5034e5ff2b34815040f2374ba
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_ldaps
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_ldaps
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module allows to authenticate using a LDAP over SSL system.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+To verify LDAPS server certificate, you need to:
+
+1. Add the CA certificate of the LDAPS on your server as a trusted
+   certificate
+2. Check the ``Verify certificate`` flag in configuration
+
+Configuration
+=============
+
+To configure this module, you need to:
+
+1. Access Settings / General Settings / LDAP Authentication / LDAP
+   Server
+2. Check the ``Use LDAPS`` flag
+
+Usage
+=====
+
+
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_ldaps%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* CorporateHub
+* Creu Blanca
+
+Contributors
+------------
+
+- Enric Tobella <[email protected]>
+
+- `CorporateHub <https://corporatehub.eu/>`__
+
+  - Alexey Pelykh <[email protected]>
+
+- Bhavesh Odedra <[email protected]>
+
+- `Trobz <https://trobz.com>`__:
+
+     - Hoang Diep <[email protected]>
+
+Other credits
+-------------
+
+The migration of this module from 15.0 to 16.0 was financially supported
+by Camptocamp
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_ldaps>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_ldaps/__init__.py

@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from . import models

auth_ldaps/__manifest__.py

@@ -0,0 +1,19 @@
+# Copyright (C) 2017 Creu Blanca
+# Copyright (C) 2018 Brainbean Apps
+# Copyright 2020 CorporateHub (https://corporatehub.eu)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+{
+    "name": "LDAPS authentication",
+    "version": "17.0.1.0.0",
+    "category": "Tools",
+    "website": "https://github.com/OCA/server-auth",
+    "author": "CorporateHub, " "Creu Blanca, " "Odoo Community Association (OCA)",
+    "license": "AGPL-3",
+    "installable": True,
+    "application": False,
+    "summary": "Allows to use LDAP over SSL authentication",
+    "depends": ["auth_ldap"],
+    "data": ["views/res_company_ldap_views.xml"],
+    "external_dependencies": {"python": ["python-ldap"]},
+}

auth_ldaps/i18n/auth_ldaps.pot

@@ -0,0 +1,29 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_ldaps
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_ldaps
+#: model:ir.model,name:auth_ldaps.model_res_company_ldap
+msgid "Company LDAP configuration"
+msgstr ""
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__skip_cert_validation
+msgid "Skip certificate validation"
+msgstr ""
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__is_ssl
+msgid "Use LDAPS"
+msgstr ""

auth_ldaps/i18n/it.po

@@ -0,0 +1,41 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_ldaps
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 14.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2021-03-02 19:45+0000\n"
+"Last-Translator: Sergio Zanchetta <[email protected]>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.3.2\n"
+
+#. module: auth_ldaps
+#: model:ir.model,name:auth_ldaps.model_res_company_ldap
+msgid "Company LDAP configuration"
+msgstr "Configurazione LDAP azienda"
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__skip_cert_validation
+msgid "Skip certificate validation"
+msgstr "Saltare verifica del certificato"
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__is_ssl
+msgid "Use LDAPS"
+msgstr "Utilizzare LDAPS"
+
+#~ msgid "Display Name"
+#~ msgstr "Nome visualizzato"
+
+#~ msgid "ID"
+#~ msgstr "ID"
+
+#~ msgid "Last Modified on"
+#~ msgstr "Ultima modifica il"

auth_ldaps/models/__init__.py

@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from . import res_company_ldap

auth_ldaps/models/res_company_ldap.py

@@ -0,0 +1,57 @@
+# Copyright (C) Creu Blanca
+# Copyright (C) 2018 Brainbean Apps
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+
+import logging
+
+import ldap
+
+from odoo import fields, models
+from odoo.tools.misc import str2bool
+
+_logger = logging.getLogger(__name__)
+
+
+class CompanyLDAP(models.Model):
+    _inherit = "res.company.ldap"
+
+    is_ssl = fields.Boolean(string="Use LDAPS", default=False)
+    skip_cert_validation = fields.Boolean(
+        string="Skip certificate validation", default=False
+    )
+
+    def _get_ldap_dicts(self):
+        res = super()._get_ldap_dicts()
+        for rec in res:
+            ldap = self.sudo().browse(rec["id"])
+            rec["is_ssl"] = ldap.is_ssl or False
+            rec["skip_cert_validation"] = ldap.skip_cert_validation or False
+        return res
+
+    def _connect(self, conf):
+        if conf["is_ssl"]:
+            uri = "ldaps://%s:%d" % (conf["ldap_server"], conf["ldap_server_port"])
+            connection = ldap.initialize(uri)
+            ldap_chase_ref_disabled = (
+                self.env["ir.config_parameter"]
+                .sudo()
+                .get_param("auth_ldap.disable_chase_ref")
+            )
+            if str2bool(ldap_chase_ref_disabled):
+                connection.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+            if conf["skip_cert_validation"]:
+                connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+                # this creates a new tls context, which is required to apply
+                # the options, but it also clears the default options defined
+                # in the openldap's configuration file, such as the TLS_CACERT
+                # option, which specifies the file containing the trusted
+                # certificates. this causes certificate verification to fail,
+                # even if it would succeed with the default options. this is
+                # why this is only called if we want to skip certificate
+                # verification.
+                connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+            if conf["ldap_tls"]:
+                connection.start_tls_s()
+            return connection
+        return super()._connect(conf)

auth_ldaps/pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"

auth_ldaps/readme/CONFIGURE.md

@@ -0,0 +1,5 @@
+To configure this module, you need to:
+
+1.  Access Settings / General Settings / LDAP Authentication / LDAP
+    Server
+2.  Check the `Use LDAPS` flag

auth_ldaps/readme/CONTRIBUTORS.md

@@ -0,0 +1,11 @@
+- Enric Tobella \<<[email protected]>\>
+
+- [CorporateHub](https://corporatehub.eu/)
+
+  - Alexey Pelykh \<<[email protected]>\>
+
+- Bhavesh Odedra \<<[email protected]>\>
+
+- [Trobz](https://trobz.com):
+
+  > - Hoang Diep \<<[email protected]>\>

auth_ldaps/readme/CREDITS.md

@@ -0,0 +1,2 @@
+The migration of this module from 15.0 to 16.0 was financially supported
+by Camptocamp

auth_ldaps/readme/DESCRIPTION.md

@@ -0,0 +1 @@
+This module allows to authenticate using a LDAP over SSL system.

auth_ldaps/readme/INSTALL.md

@@ -0,0 +1,5 @@
+To verify LDAPS server certificate, you need to:
+
+1.  Add the CA certificate of the LDAPS on your server as a trusted
+    certificate
+2.  Check the `Verify certificate` flag in configuration

auth_ldaps/readme/USAGE.md

@@ -0,0 +1 @@
+