[18.0][MIG] auth_brute_force: Migration to 18.0

auth_brute_force/README.rst

@@ -0,0 +1,154 @@
+===================================
+Authentication - Brute-Force Filter
+===================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:619f103b2ff519e702a28bfa3155d8e8984eb1bff7007dd2a9aa3d7ae1566a32
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/18.0/auth_brute_force
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_brute_force
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module registers each request done by users trying to authenticate
+into Odoo. If the authentication fails, a counter is increased for the
+given remote IP. After a defined number of attempts, Odoo will ban the
+remote IP and ignore new requests.
+
+This module applies security through obscurity
+(https://en.wikipedia.org/wiki/Security_through_obscurity). When a user
+is banned, the request is now considered as an attack. So, the UI will
+**not** indicate to the user that his IP is banned and the regular
+message 'Wrong login/password' is displayed.
+
+This module realizes a call to a web API (http://ip-api.com) to try to
+have extra information about remote IP.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+You can use these configuration parameters (menu
+``Settings / Technical / Parameters / System Parameters``) that control
+this addon behavior:
+
+- ``auth_brute_force.whitelist_remotes`` is a comma-separated list of
+  whitelisted IPs. Failures from these remotes are ignored.
+
+- ``auth_brute_force.max_by_ip`` defaults to 50, and indicates the
+  maximum successive failures allowed for an IP. After hitting the
+  limit, the IP gets banned.
+
+- ``auth_brute_force.max_by_ip_user`` defaults to 10, and indicates the
+  maximum successive failures allowed for any IP and user combination.
+  After hitting the limit, that user and IP combination is banned.
+
+- ``auth_brute_force.check_remote`` defaults to True, and indicates if
+  it it will check the information on http://ip-api.com
+
+Usage
+=====
+
+Admin user have the possibility to unblock a banned IP.
+
+Logging
+-------
+
+This module generates some WARNING logs, in the following cases:
+
+- When the IP limit is reached: *Authentication failed from remote
+  'x.x.x.x'. The remote has been banned. Login tried: xxxx.*
+
+- When the IP+user combination limit is reached: *Authentication failed
+  from remote 'x.x.x.x'. The remote and login combination has been
+  banned. Login tried: xxxx.*
+
+Screenshot
+----------
+
+**List of Attempts**
+
+https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/.https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/.https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/ https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/ihttps://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/mhttps://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/ahttps://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/ghttps://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/ehttps://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/:https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/:https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force/
+https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_brute_force//auth_brute_force/static/description/screenshot_attempts_list.png
+
+Known issues / Roadmap
+======================
+
+- Depending of server and / or user network configuration, the
+  idenfication of the user can be wrong, and mainly in the following
+  cases:
+
+  - If the Odoo server is behind an Apache / NGinx proxy and it is not
+    properly configured, all requests will use the same IP address.
+    Blocking such IP could render Odoo unusable for all users! **Make
+    sure your logs output the correct IP for werkzeug traffic before
+    installing this addon.**
+
+- The IP metadata retrieval should use a better system.
+  ``See details here <https://github.com/OCA/server-tools/pull/1219/files#r187014504>``\ \_.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_brute_force%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Nitrokey GmbH
+* GRAP
+* Tecnativa
+
+Contributors
+------------
+
+- Sylvain LE GAL (https://x.com/legalsylvain)
+- David Vidal david.vidal@tecnativa.com
+- Jairo Llopis jairo.llopis@tecnativa.com
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_brute_force>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_brute_force/__init__.py

@@ -0,0 +1 @@
+from . import models

auth_brute_force/__manifest__.py

@@ -0,0 +1,16 @@
+{
+    "name": "Authentication - Brute-Force Filter",
+    "version": "18.0.1.0.0",
+    "category": "Tools",
+    "summary": "Track Authentication Attempts and Prevent Brute-force Attacks",
+    "author": "Nitrokey GmbH, GRAP, Tecnativa, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "license": "AGPL-3",
+    "depends": ["base"],
+    "data": [
+        "security/ir.model.access.csv",
+        "data/system_parameters.xml",
+        "views/res_authentication_attempt_views.xml",
+    ],
+    "installable": True,
+}

auth_brute_force/data/system_parameters.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo>
+    <!-- Ensure parameter exists with correct value -->
+    <function
+        model="ir.config_parameter"
+        name="set_param"
+        eval="('base.login_cooldown_duration', 0)"
+    />
+</odoo>

auth_brute_force/i18n/am.po

@@ -0,0 +1,144 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * auth_brute_force
+#
+# Translators:
+# OCA Transbot <transbot@odoo-community.org>, 2017
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 10.0\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2017-08-01 02:43+0000\n"
+"PO-Revision-Date: 2017-08-01 02:43+0000\n"
+"Last-Translator: OCA Transbot <transbot@odoo-community.org>, 2017\n"
+"Language-Team: Amharic (https://www.transifex.com/oca/teams/23907/am/)\n"
+"Language: am\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_form
+msgid "Add remote to whitelist"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.actions.act_window,name:auth_brute_force.action_res_authentication_attempt
+#: model:ir.ui.menu,name:auth_brute_force.menu_res_authentication_attempt
+msgid "Authentication Attempts"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_result
+msgid "Authentication Result"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_search
+#: selection:res.authentication.attempt,result:0
+msgid "Banned"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_create_uid
+msgid "Created by"
+msgstr "Creado por"
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_create_date
+msgid "Created on"
+msgstr "Creado en"
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_search
+#: selection:res.authentication.attempt,result:0
+msgid "Failed"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_id
+msgid "ID"
+msgstr "ID"
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt___last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_write_uid
+msgid "Last Updated by"
+msgstr "Última actualización por"
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_write_date
+msgid "Last Updated on"
+msgstr "Última actualización en"
+
+#. module: auth_brute_force
+#: model:ir.model.fields,help:auth_brute_force.field_res_authentication_attempt_remote_metadata
+msgid "Metadata publicly available for remote IP"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_remote
+msgid "Remote IP"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_remote_metadata
+msgid "Remote IP metadata"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_form
+msgid "Remove remote from whitelist"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_form
+msgid "Set to unbanned"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_search
+#: selection:res.authentication.attempt,result:0
+msgid "Successful"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_login
+msgid "Tried Login"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_search
+#: selection:res.authentication.attempt,result:0
+msgid "Unbanned"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model,name:auth_brute_force.model_res_users
+msgid "Users"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model.fields,field_description:auth_brute_force.field_res_authentication_attempt_whitelisted
+msgid "Whitelisted"
+msgstr ""
+
+#. module: auth_brute_force
+#: model_terms:ir.ui.view,arch_db:auth_brute_force.view_res_authentication_attempt_search
+msgid "Without Success"
+msgstr ""
+
+#. module: auth_brute_force
+#: model:ir.model,name:auth_brute_force.model_res_authentication_attempt
+msgid "res.authentication.attempt"
+msgstr ""