NextERP/Odoo18-Base
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
0ecbc0b7f0
Odoo18-Base/addons/auth_totp/tests/test_totp.py
KaySar12 11c1383ec6 init
2025-03-10 11:12:23 +07:00

127 lines
4.6 KiB
Python
Raw Blame History

import logging
import json
import time
from xmlrpc.client import Fault
from passlib.totp import TOTP
from odoo import http
from odoo.addons.base.tests.common import HttpCaseWithUserDemo
from odoo.tests import tagged, get_db_name
from odoo.tools import mute_logger
from ..controllers.home import Home
_logger = logging.getLogger(__name__)
class TestTOTPCommon:
def setUp(self):
super().setUp()
totp = None
# might be possible to do client-side using `crypto.subtle` instead of
# this horror show, but requires working on 64b integers, & BigInt is
# significantly less well supported than crypto
def totp_hook(self, secret=None):
nonlocal totp
if totp is None:
totp = TOTP(secret)
if secret:
return totp.generate().token
else:
# on check, take advantage of window because previous token has been
# "burned" so we can't generate the same, but tour is so fast
# we're pretty certainly within the same 30s
return totp.generate(time.time() + 30).token
# because not preprocessed by ControllerType metaclass
totp_hook.routing_type = 'json'
self.env['ir.http']._clear_routing_map()
# patch Home to add test endpoint
Home.totp_hook = http.route('/totphook', type='json', auth='none')(totp_hook)
# remove endpoint and destroy routing map
@self.addCleanup
def _cleanup():
del Home.totp_hook
self.env['ir.http']._clear_routing_map()
@tagged('post_install', '-at_install')
class TestTOTP(TestTOTPCommon, HttpCaseWithUserDemo):
def test_totp(self):
# 1. Enable 2FA
self.start_tour('/web', 'totp_tour_setup', login='demo')
# 2. Verify that RPC is blocked because 2FA is on.
self.assertFalse(
self.xmlrpc_common.authenticate(get_db_name(), 'demo', 'demo', {}),
"Should not have returned a uid"
)
self.assertFalse(
self.xmlrpc_common.authenticate(get_db_name(), 'demo', 'demo', {'interactive': True}),
'Trying to fake the auth type should not work'
)
uid = self.user_demo.id
with self.assertRaisesRegex(Fault, r'Access Denied'), mute_logger('odoo.http'):
self.xmlrpc_object.execute_kw(
get_db_name(), uid, 'demo',
'res.users', 'read', [uid, ['login']]
)
# 3. Check 2FA is required
self.start_tour('/', 'totp_login_enabled', login=None)
# 4. Check 2FA is not requested on saved device and disable it
self.start_tour('/', 'totp_login_device', login=None)
# 5. Finally, check that 2FA is in fact disabled
self.start_tour('/', 'totp_login_disabled', login=None)
# 6. Check that rpc is now re-allowed
uid = self.xmlrpc_common.authenticate(get_db_name(), 'demo', 'demo', {})
self.assertEqual(uid, self.user_demo.id)
[r] = self.xmlrpc_object.execute_kw(
get_db_name(), uid, 'demo',
'res.users', 'read', [uid, ['login']]
)
self.assertEqual(r['login'], 'demo')
def test_totp_administration(self):
self.start_tour('/web', 'totp_tour_setup', login='demo')
# If not enabled (like in demo data), landing on res.config will try
# to disable module_sale_quotation_builder and raise an issue
group_order_template = self.env.ref('sale_management.group_sale_order_template', raise_if_not_found=False)
if group_order_template:
self.env.ref('base.group_user').write({"implied_ids": [(4, group_order_template.id)]})
self.start_tour('/web', 'totp_admin_disables', login='admin')
self.start_tour('/', 'totp_login_disabled', login=None)
@mute_logger('odoo.http')
def test_totp_authenticate(self):
"""
Ensure we don't leak the session info from an half-logged-in
user.
"""
self.start_tour('/web', 'totp_tour_setup', login='demo')
self.url_open('/web/session/logout')
headers = {
"Content-Type": "application/json",
}
payload = {
"jsonrpc": "2.0",
"method": "call",
"id": 0,
"params": {
"db": get_db_name(),
"login": "demo",
"password": "demo",
"context": {},
},
}
response = self.url_open("/web/session/authenticate", data=json.dumps(payload), headers=headers)
data = response.json()
self.assertEqual(data['result']['uid'], None)
Reference in New Issue View Git Blame Copy Permalink