-
-
Notifications
You must be signed in to change notification settings - Fork 423
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ADD] auth_password_pwned: check passwords against haveibeenpwned.com
- Loading branch information
Showing
12 changed files
with
736 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
==================== | ||
Password Pwned Check | ||
==================== | ||
|
||
.. | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! This file is generated by oca-gen-addon-readme !! | ||
!! changes will be overwritten. !! | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! source digest: sha256:8ef5c3ff5b64085cdfcd667aed1caed570703d9eb90128e264c47f6967a2de9d | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png | ||
:target: https://odoo-community.org/page/development-status | ||
:alt: Beta | ||
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png | ||
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html | ||
:alt: License: AGPL-3 | ||
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github | ||
:target: https://github.com/OCA/server-auth/tree/15.0/auth_password_pwned | ||
:alt: OCA/server-auth | ||
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png | ||
:target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_password_pwned | ||
:alt: Translate me on Weblate | ||
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png | ||
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=15.0 | ||
:alt: Try me on Runboat | ||
|
||
|badge1| |badge2| |badge3| |badge4| |badge5| | ||
|
||
This module enforces passwords to be changed once the have appeared in a data breach. | ||
|
||
It uses https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange to check if the password has appeared in any | ||
data breaches. A great resource provided by Troy Hunt https://haveibeenpwned.com/About . | ||
|
||
**Table of contents** | ||
|
||
.. contents:: | ||
:local: | ||
|
||
Configuration | ||
============= | ||
|
||
ir.config_parameter options | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
The following config parameters change the behaviour of this addon. | ||
|
||
``auth_password_pwned.range_url`` *string* (Default: https://api.pwnedpasswords.com/range/) | ||
|
||
Change the url the plugins checks hashes against. Needs to behave like described in | ||
https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange . This is intended to be used for a company mirror | ||
of the API. | ||
|
||
Usage | ||
===== | ||
|
||
Install the plugin to force the users to change their password once it is considered to be publicly known. | ||
|
||
Bug Tracker | ||
=========== | ||
|
||
Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_. | ||
In case of trouble, please check there if your issue has already been reported. | ||
If you spotted it first, help us to smash it by providing a detailed and welcomed | ||
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_password_pwned%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. | ||
|
||
Do not contact contributors directly about support or help with technical issues. | ||
|
||
Credits | ||
======= | ||
|
||
Authors | ||
~~~~~~~ | ||
|
||
* WT-IO-IT GmbH | ||
|
||
Contributors | ||
~~~~~~~~~~~~ | ||
|
||
|
||
* `WT-IO-IT GmbH <https://www.wt-io-it.at>`_: | ||
* Andreas Perhab <[email protected]> | ||
|
||
Maintainers | ||
~~~~~~~~~~~ | ||
|
||
This module is maintained by the OCA. | ||
|
||
.. image:: https://odoo-community.org/logo.png | ||
:alt: Odoo Community Association | ||
:target: https://odoo-community.org | ||
|
||
OCA, or the Odoo Community Association, is a nonprofit organization whose | ||
mission is to support the collaborative development of Odoo features and | ||
promote its widespread use. | ||
|
||
This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/auth_password_pwned>`_ project on GitHub. | ||
|
||
You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
from . import controllers | ||
from . import models |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). | ||
{ | ||
"name": "Password Pwned Check", | ||
"summary": "Prevent using pwned passwords.", | ||
"version": "15.0.1.0.0", | ||
"author": "WT-IO-IT GmbH, Odoo Community Association (OCA)", | ||
"category": "Base", | ||
"depends": [], | ||
"website": "https://github.com/OCA/server-auth", | ||
"external_dependencies": {}, | ||
"license": "AGPL-3", | ||
"data": [], | ||
"assets": {}, | ||
"demo": [], | ||
"installable": True, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from . import main |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). | ||
|
||
import logging | ||
|
||
from odoo import _, http | ||
from odoo.http import request | ||
|
||
from odoo.addons.web.controllers.main import Home | ||
|
||
_logger = logging.getLogger(__name__) | ||
|
||
|
||
class AuthPasswordPwnedHome(Home): | ||
def _auth_signup_is_installed(self): | ||
return bool( | ||
request.env["ir.module.module"] | ||
.sudo() | ||
.search( | ||
[("name", "=", "auth_signup"), ("state", "in", ["installed"])], limit=1 | ||
) | ||
) | ||
|
||
def _reset_password_enabled(self): | ||
return ( | ||
request.env["ir.config_parameter"] | ||
.sudo() | ||
.get_param("auth_signup.reset_password") | ||
== "True" | ||
) | ||
|
||
@http.route() | ||
def web_login(self, *args, **kw): | ||
pwned = False | ||
reset_pw_after_validation = False | ||
if "password" in kw and request.env.user._passwordhasbeenpwned(kw["password"]): | ||
if self._auth_signup_is_installed(): | ||
if self._reset_password_enabled(): | ||
# prevent login with a pwned password and force user to reset it | ||
kw["password"] = "" | ||
request.params["password"] = "" | ||
pwned = _( | ||
"This password is known by third parties please reset it and" | ||
" use a different password." | ||
) | ||
else: | ||
# prepare to hint the user to their email | ||
# reset the password after it has been validated | ||
reset_pw_after_validation = True | ||
pwned = _( | ||
"This password is known by third parties an email has been" | ||
" sent with instructions how to reset it." | ||
) | ||
|
||
else: | ||
# display a login message and tell the user they should contact the admin | ||
# to start a safe password change procedure | ||
kw["password"] = "" | ||
request.params["password"] = "" | ||
pwned = _( | ||
"This password is known by third parties please contact an" | ||
" administrator how to get a new one." | ||
) | ||
response = super().web_login(*args, **kw) | ||
if reset_pw_after_validation and request.params.get("login_success"): | ||
# do not allow user to continue and send them a reset password email | ||
request.params["login_success"] = False | ||
request.session.logout(keep_db=True) | ||
try: | ||
request.env["res.users"].sudo().reset_password(kw["login"]) | ||
except Exception as e: | ||
# Log the exception and continue to tell the "user" an email has been sent. | ||
# reset_password only throws an exception if the login is not correct | ||
# / not active so this is most likely someone guessing usernames. | ||
_logger.error( | ||
_("Could not reset password for {login}: {exception}").format( | ||
login=kw["login"], exception=e | ||
) | ||
) | ||
# make the response render the login with our error message | ||
kw["password"] = "" | ||
request.params["password"] = "" | ||
response = super().web_login(*args, **kw) | ||
if pwned: | ||
response.qcontext["error"] = pwned | ||
return response |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from . import res_users |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
import hashlib | ||
import logging | ||
|
||
import requests | ||
|
||
from odoo import _, models | ||
from odoo.exceptions import UserError | ||
|
||
_logger = logging.getLogger(__name__) | ||
|
||
|
||
class ResUsers(models.Model): | ||
_inherit = "res.users" | ||
|
||
def _set_password(self): | ||
self._passwordshavebeenpwned(self.mapped("password")) | ||
|
||
return super()._set_password() | ||
|
||
def _passwordshavebeenpwned(self, passwords): | ||
for password in passwords: | ||
if self._passwordhasbeenpwned(password): | ||
raise UserError( | ||
_("Password is already pwned and can no longer be used.") | ||
) | ||
|
||
def _passwordhasbeenpwned(self, password): | ||
params = self.env["ir.config_parameter"].sudo() | ||
api_url = params.get_param( | ||
"auth_password_pwned.range_url", | ||
default="https://api.pwnedpasswords.com/range/", | ||
) | ||
if api_url[-1] == "/": | ||
api_url = api_url[:-1] | ||
|
||
password_hash = hashlib.sha1(password.encode("utf-8")).hexdigest().upper() | ||
try: | ||
r = requests.get( | ||
"{api_url}/{hash}".format(api_url=api_url, hash=password_hash[:5]), | ||
headers={ | ||
"User-Agent": "Odoo OCA auth_password_pwned" | ||
" https://github.com/OCA/server-auth", | ||
}, | ||
) | ||
r.raise_for_status() | ||
response = r.text | ||
return password_hash[5:] in response | ||
except ( | ||
requests.exceptions.HTTPError, | ||
requests.exceptions.RequestException, | ||
) as error: | ||
if self.env.user.has_group("base.group_system"): | ||
# for admins display a message for them being able to fix the issue | ||
raise UserError( | ||
_(f"{api_url} cannot be reached: {error}").format(api_url, error) | ||
) from error | ||
else: | ||
# for other users log a warning | ||
_logger.warning( | ||
_(f"{api_url} cannot be reached: {error}").format(api_url, error) | ||
) | ||
# and let them log into the system (if they have the correct password) | ||
return False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
ir.config_parameter options | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
The following config parameters change the behaviour of this addon. | ||
|
||
``auth_password_pwned.range_url`` *string* (Default: https://api.pwnedpasswords.com/range/) | ||
|
||
Change the url the plugins checks hashes against. Needs to behave like described in | ||
https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange . This is intended to be used for a company mirror | ||
of the API. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
|
||
* `WT-IO-IT GmbH <https://www.wt-io-it.at>`_: | ||
* Andreas Perhab <[email protected]> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
This module enforces passwords to be changed once the have appeared in a data breach. | ||
|
||
It uses https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange to check if the password has appeared in any | ||
data breaches. A great resource provided by Troy Hunt https://haveibeenpwned.com/About . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Install the plugin to force the users to change their password once it is considered to be publicly known. |
Oops, something went wrong.