[FIX] password_security: password expiration 2FA

Author: BT-cjimeno

password_security/README.rst

@@ -33,12 +33,12 @@ requirements and enforces them on the user.
 
 It contains features such as
 
-- Password expiration days
-- Password length requirement
-- Password minimum number of lowercase letters
-- Password minimum number of uppercase letters
-- Password minimum number of numbers
-- Password minimum number of special characters
+-  Password expiration days
+-  Password length requirement
+-  Password minimum number of lowercase letters
+-  Password minimum number of uppercase letters
+-  Password minimum number of numbers
+-  Password minimum number of special characters
 
 **Table of contents**
 
@@ -92,28 +92,30 @@ Authors
 Contributors
 ------------
 
-- James Foster <jfoster@laslabs.com>
+-  James Foster <jfoster@laslabs.com>
 
-- Dave Lasley <dave@laslabs.com>
+-  Dave Lasley <dave@laslabs.com>
 
-- Kaushal Prajapati <kbprajapati@live.com>
+-  Kaushal Prajapati <kbprajapati@live.com>
 
-- Petar Najman <petar.najman@modoolar.com>
+-  Petar Najman <petar.najman@modoolar.com>
 
-- Shepilov Vladislav <shepilov.v@protonmail.com>
+-  Shepilov Vladislav <shepilov.v@protonmail.com>
 
-- Florian Kantelberg <florian.kantelberg@initos.com>
+-  Florian Kantelberg <florian.kantelberg@initos.com>
 
-- Dhara Solanki <dhara.solanki@initos.com>
+-  Carlos Jimeno <carlos.jimeno@bt-group.com>
 
-- `Open Source Integrators <https://opensourceintegrators.com>`__
+-  Dhara Solanki <dhara.solanki@initos.com>
 
-     - Chandresh Thakkar <cthakkar@opensourceintegrators.com>
-     - Daniel Reis <dreis@opensourceintegrators.com>
+-  `Open Source Integrators <https://opensourceintegrators.com>`__
 
-- `Onestein <https://www.onestein.nl>`__:
+      -  Chandresh Thakkar <cthakkar@opensourceintegrators.com>
+      -  Daniel Reis <dreis@opensourceintegrators.com>
 
-  - Andrea Stirpe <a.stirpe@onestein.nl>
+-  `Onestein <https://www.onestein.nl>`__:
+
+   -  Andrea Stirpe <a.stirpe@onestein.nl>
 
 Maintainers
 -----------

password_security/__manifest__.py

@@ -17,6 +17,7 @@
     "depends": [
         "auth_signup",
         "auth_password_policy_signup",
+        "auth_totp",
     ],
     "website": "https://github.com/OCA/server-auth",
     "license": "LGPL-3",

password_security/controllers/__init__.py

@@ -2,3 +2,4 @@
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
 from . import main
+from . import home

password_security/controllers/home.py

@@ -0,0 +1,23 @@
+# Copyright 2022 brain-tec AG (https://bt-group.com)
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl.html).
+
+from odoo import http
+from odoo.http import request
+
+from odoo.addons.auth_totp.controllers.home import Home
+
+
+class PasswordSecurity2FAHome(Home):
+    @http.route()
+    def web_totp(self, redirect=None, **kwargs):
+        already_logged_in = request.session.uid
+        result = super().web_totp(redirect, **kwargs)
+        if already_logged_in or not (
+            request.session.uid and request.env.user._password_has_expired()
+        ):
+            return result
+        # My password is expired, kick me out
+        request.env.user.action_expire_password()
+        request.session.logout(keep_db=True)
+        redirect = request.env.user.partner_id._get_signup_url()
+        return request.redirect(redirect)

password_security/controllers/main.py

@@ -30,7 +30,8 @@ def web_login(self, *args, **kw):
         if not request.env.user:
             return response
         # Now, I'm an authenticated user
-        if not request.env.user._password_has_expired():
+        # With 2FA there is a second step, and we would not be completely logged in
+        if not (request.session.uid and request.env.user._password_has_expired()):
             return response
         # My password is expired, kick me out
         request.env.user.action_expire_password()

password_security/readme/CONTRIBUTORS.md

@@ -10,12 +10,14 @@
 
 - Florian Kantelberg \<<florian.kantelberg@initos.com>\>
 
+- Carlos Jimeno \<<carlos.jimeno@bt-group.com>\>
+
 - Dhara Solanki \<<dhara.solanki@initos.com>\>
 
 - [Open Source Integrators](https://opensourceintegrators.com)
 
   > - Chandresh Thakkar \<<cthakkar@opensourceintegrators.com>\>
   > - Daniel Reis \<<dreis@opensourceintegrators.com>\>
 
-- [Onestein](https://www.onestein.nl):  
+- [Onestein](https://www.onestein.nl):
   - Andrea Stirpe \<<a.stirpe@onestein.nl>\>

password_security/static/description/index.html

@@ -8,10 +8,11 @@
 
 /*
 :Author: David Goodger (goodger@python.org)
-:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
 
 See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
@@ -274,7 +275,7 @@
   margin-left: 2em ;
   margin-right: 2em }
 
-pre.code .ln { color: grey; } /* line numbers */
+pre.code .ln { color: gray; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
@@ -300,7 +301,7 @@
 span.pre {
   white-space: pre }
 
-span.problematic {
+span.problematic, pre.problematic {
   color: red }
 
 span.section-subtitle {
@@ -445,6 +446,8 @@ <h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 </li>
 <li><p class="first">Florian Kantelberg &lt;<a class="reference external" href="mailto:florian.kantelberg&#64;initos.com">florian.kantelberg&#64;initos.com</a>&gt;</p>
 </li>
+<li><p class="first">Carlos Jimeno &lt;<a class="reference external" href="mailto:carlos.jimeno&#64;bt-group.com">carlos.jimeno&#64;bt-group.com</a>&gt;</p>
+</li>
 <li><p class="first">Dhara Solanki &lt;<a class="reference external" href="mailto:dhara.solanki&#64;initos.com">dhara.solanki&#64;initos.com</a>&gt;</p>
 </li>
 <li><p class="first"><a class="reference external" href="https://opensourceintegrators.com">Open Source Integrators</a></p>
@@ -465,7 +468,9 @@ <h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
-<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>

password_security/tests/__init__.py

@@ -4,3 +4,4 @@
 from . import test_password_history
 from . import test_reset_password
 from . import test_signup
+from . import test_totp

password_security/tests/test_login.py

@@ -4,8 +4,9 @@
 from datetime import datetime, timedelta
 from unittest import mock
 
-from odoo import http, registry
+from odoo import http
 from odoo.exceptions import UserError, ValidationError
+from odoo.modules.registry import Registry
 from odoo.tests.common import HOST, HttpCase, Opener, get_db_name, new_test_user, tagged
 
 
@@ -81,7 +82,7 @@ def test_05_web_login_expire_pass(self):
         # Make password expired
         three_days_ago = datetime.now() - timedelta(days=3)
 
-        with registry(get_db_name()).cursor() as cr:
+        with Registry(get_db_name()).cursor() as cr:
             env = self.env(cr)
             user = env["res.users"].search([("login", "=", self.username)])
             user.password_write_date = three_days_ago
@@ -108,7 +109,7 @@ def test_06_web_login_log_out_if_expired(self):
         # Make password expired while still logged in
         three_days_ago = datetime.now() - timedelta(days=3)
 
-        with registry(get_db_name()).cursor() as cr:
+        with Registry(get_db_name()).cursor() as cr:
             env = self.env(cr)
             user = env["res.users"].search([("login", "=", self.username)])
             user.password_write_date = three_days_ago

password_security/tests/test_totp.py

@@ -0,0 +1,28 @@
+# Copyright 2022 Braintec AG
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
+
+from datetime import datetime, timedelta
+
+from odoo.tests import HttpCase, tagged
+
+
+@tagged("post_install", "-at_install")
+class TestTOTP(HttpCase):
+    def test_totp(self):
+        # 1. Login with demo user
+        uid = self.env.ref("base.user_demo").id
+        self.assertEqual(uid, self.env.ref("base.user_demo").id)
+
+        # 2. Check that we are logged in
+        self.authenticate(user="demo", password="demo")
+        self.assertEqual(self.session.uid, uid)
+
+        # 3. Check expired password
+        # signup_type has been set to "reset"
+        self.assertEqual(self.env.user._password_has_expired(), False)
+        self.assertEqual(self.env.user.partner_id.signup_type, False)
+        self.env.user.action_expire_password()
+        self.assertEqual(self.env.user.partner_id.signup_type, "reset")
+
+        self.logout()
+        self.assertNotEqual(self.session.uid, uid)