[17.0][MIG] password_security + use ir.config_parameters#731
[17.0][MIG] password_security + use ir.config_parameters#731OCA-git-bot merged 75 commits intoOCA:17.0from
Conversation
* [ADD] res_users_password_security: New module * Create new module to lock down user passwords * [REF] res_users_password_security: PR Review fixes * Also add beta pass history rule * [ADD] res_users_password_security: Pass history and min time * Add pass history memory and threshold * Add minimum time for pass resets through web reset * Begin controller tests * Fix copyright, wrong year for new file * Add tests for password_security_home * Left to do web_auth_reset_password * Fix minimum reset threshold and finish tests * Bug fixes per review * [REF] password_security: PR review improvements * Change tech name to password_security * Use new except format * Limit 1 & new api * Cascade deletion for pass history * [REF] password_security: Fix travis + style * Fix travis errors * self to cls * Better variable names in tests * [FIX] password_security: Fix travis errors
* Bump versions * Installable to True * Add Usage section to ReadMe w/ Runbot link * `_crypt_context` now directly exposes the `CryptContext` * Change all instances of openerp to odoo
* Add current time as password_write_date for admin user in demo, disabling the reset prompt - fixes OCA#652
* Switch security to be on correct model to fix OCA#674
…ord invalid (OCA#859) * [FIX] password_security: Fix password stored * [REF] password_security: use a unified check_password private method to validate rules and history password
* Add logic to overloaded web_login action to log out users with expired passwords, preventing the password reset from being ignored * Add unit test for new logic
This translates to Spanish all missing translations, 31 in total.
Since some implementation details are changed, I had to change some tests that were actually testing the implementation instead of the desired result of the method.
In a normal Odoo deployment, somebody in group *Administration / Access Rights* should be able to create users; but if this addon is installed, it gets this error:
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Res Users Password History, Operation: create)
This is now tested and fixed.
[The `website` addon returns an aditional redirection][1] that makes these tests fail if ran after installing `website`. The tests were checking the returned value in a funky way anyways. Now, instead of checking the final returned value, we check directly the parameters sent to the redirection method. [1]: https://github.com/odoo/odoo/blob/3b85900fafc9469dca6e7c01fca6dac4f55d20f5/addons/website/controllers/main.py#L85-L89
Avoided requiring the module twice in JS.
Currently translated at 57.9% (22 of 38 strings) Translation: server-auth-12.0/server-auth-12.0-password_security Translate-URL: https://translation.odoo-community.org/projects/server-auth-12-0/server-auth-12-0-password_security/hr/
Currently translated at 100.0% (50 of 50 strings) Translation: server-auth-16.0/server-auth-16.0-password_security Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-password_security/es/
Currently translated at 100.0% (50 of 50 strings) Translation: server-auth-16.0/server-auth-16.0-password_security Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-password_security/it/
alexis-via
force-pushed
the
17.0-mig-password_security
branch
from
f9cf363 to
ea020fc
Compare
amh-mw
left a comment
amh-mw
left a comment
There was a problem hiding this comment.
Though I agree with the intent of the improvement, this is the second migration pull request in a row for password_security where improvements are being done in the migration pull request. I think it will be more coherent to migrate between versions as usual and then review the improvement in its own pull request.
|
The move to ir.config_parameter is in a separate commit. |
|
@amh-mw the usual flow in this kind of changes is as @alexis-via suggested (at least is what I found in a lot of cases in the OCA) |
|
Let's merge this. Then I'll help to backport it. |
| f"{openupgrade.get_legacy_name('password_upper')}, " | ||
| f"{openupgrade.get_legacy_name('password_numeric')}, " | ||
| f"{openupgrade.get_legacy_name('password_special')} " | ||
| "FROM res_company ORDER BY id LIMIT 1" |
There was a problem hiding this comment.
This could degrade security for installations with more than one company. Perhaps remove LIMIT 1 and use MAX(field) or MIN(field) as appropriate?
There was a problem hiding this comment.
The security problem is not really in this migration script but in the design of this module which had per-company settings and nobody dared to change this for years !!!
I was very surprised to be the first developer to criticize the design error and propose to fix it.
Anyway, admins will be to checks the new settings after update. I feel that mixing settings from different companies is kind of strange, so my idea was to simplify take the settings from the first company. I just updated to code to take the settings from the first active company.
|
|
||
| @openupgrade.migrate() | ||
| def migrate(env, version): | ||
| openupgrade.rename_fields( |
There was a problem hiding this comment.
Why are company fields being renamed if ir.config_parameter is replacing them? Shouldn't pre-migration copy the fields into ir.config_parameter, then post-migration drop the fields?
There was a problem hiding this comment.
This is done this way in order to avoid that odoo removes the fields.
| "upper": int(params.get_param("password_security.upper", default=1)), | ||
| "numeric": int(params.get_param("password_security.numeric", default=1)), | ||
| "special": int(params.get_param("password_security.special", default=1)), | ||
| } |
There was a problem hiding this comment.
These defaults don't match previous versions. Change all default back to zero and get rid of this method entirely?
There was a problem hiding this comment.
The only default which isn't matching with version 16.0 is minimum_hours. There is was 24 as default on the fields of res.company.
The defaults in the res.config.settings are different than the actual ones.
| # So the solution to avoid this problem and have a non-null default value: | ||
| # 1) define the ir.config_parameter fields on res.config.settings with default=0 | ||
| # 2) initialize the ir.config_parameter with a default value in the init script | ||
| # So the default value of the fields below are written in post_install.py |
There was a problem hiding this comment.
This explanation is unnecessary if all defaults are returned to zero.
There was a problem hiding this comment.
This is a very very important comment, because it explains a design decision which is not obvious at all. We should keep it.
|
@alexis-via Can you attend the comments please? |
|
LGTM Functional + code |
IsabelAForgeFlow
left a comment
IsabelAForgeFlow
left a comment
There was a problem hiding this comment.
Functional review
|
I was going to do a forward port of this fix: #713 But since the module has not been migrated yet it might be a good opportunity to include the commit in this PR from the get go. |
Replace fields on res.company by ir.config_parameter Remove dead test for v16 migration script
alexis-via
force-pushed
the
17.0-mig-password_security
branch
from
ea020fc to
3de6b17
Compare
|
/ocabot merge nobump |
|
Hey, thanks for contributing! Proceeding to merge this for you. |
|
Congratulations, your PR was merged at a9e5c35. Thanks a lot for contributing to OCA. ❤️ |
20 participants
Replaces migration PR #610
Migration to v17 + move config parameters from res.company to ir.config_parameter. That way, a user that has access to several companies cannot switch to the company with weakest password security params before changing its password, which was a kind of security hole.
By the way, the password security param of auth_password_policy was already stored in ir.config_parameter (cf https://github.com/odoo/odoo/blob/17.0/addons/auth_password_policy/models/res_config_settings.py#L8), so it's coherent to do the same here.