From aedb350d7f166350a5a86efef5abf6f410417bec Mon Sep 17 00:00:00 2001 
From: Maxime Chambreuil Date: Mon, 26 Mar 2018 14:17:22 -0600 Subject: [PATCH 01/60] [IMP] Move files in a subdirectory [IMP] Cleanup --- auth_saml/README.rst | 124 +++++++++ auth_saml/__init__.py | 4 + auth_saml/__openerp__.py | 53 ++++ auth_saml/controllers/__init__.py | 3 + auth_saml/controllers/main.py | 218 +++++++++++++++ auth_saml/data/auth_saml.xml | 86 ++++++ auth_saml/data/ir_config_parameter.xml | 13 + auth_saml/doc/Makefile | 238 +++++++++++++++++ auth_saml/doc/NEWS.rst | 1 + auth_saml/doc/TODO.rst | 7 + auth_saml/doc/autotodo | 69 +++++ auth_saml/doc/autotodo.py | 111 ++++++++ auth_saml/doc/conf.py | 335 ++++++++++++++++++++++++ auth_saml/doc/getting_started.rst | 88 +++++++ auth_saml/doc/index.rst | 21 ++ auth_saml/doc/models.gv | 7 + auth_saml/doc/models.rst | 7 + auth_saml/doc/requirements | 2 + auth_saml/doc/tests.rst | 10 + auth_saml/i18n/fr.po | 201 ++++++++++++++ auth_saml/models/__init__.py | 6 + auth_saml/models/auth_saml.py | 81 ++++++ auth_saml/models/base_settings.py | 86 ++++++ auth_saml/models/res_users.py | 285 ++++++++++++++++++++ auth_saml/models/saml_token.py | 28 ++ auth_saml/scripts/2.0-cleanup.sql | 2 + auth_saml/scripts/clear_passwords.sql | 5 + auth_saml/security/ir.model.access.csv | 4 + auth_saml/static/description/index.html | 82 ++++++ auth_saml/tests/__init__.py | 3 + auth_saml/tests/test_auth_saml.py | 20 ++ auth_saml/tests/util/__init__.py | 0 auth_saml/tests/util/odoo_tests.py | 47 ++++ auth_saml/tests/util/singleton.py | 30 +++ auth_saml/tests/util/uuidgen.py | 22 ++ auth_saml/views/auth_saml.xml | 71 +++++ auth_saml/views/base_settings.xml | 25 ++ auth_saml/views/res_users.xml | 26 ++ 38 files changed, 2421 insertions(+) create mode 100644 auth_saml/README.rst create mode 100644 auth_saml/__init__.py create mode 100644 auth_saml/__openerp__.py create mode 100644 auth_saml/controllers/__init__.py create mode 100644 auth_saml/controllers/main.py create mode 100644 auth_saml/data/auth_saml.xml create mode 100644 
auth_saml/data/ir_config_parameter.xml create mode 100644 auth_saml/doc/Makefile create mode 120000 auth_saml/doc/NEWS.rst create mode 100644 auth_saml/doc/TODO.rst create mode 100644 auth_saml/doc/autotodo create mode 100644 auth_saml/doc/autotodo.py create mode 100644 auth_saml/doc/conf.py create mode 100644 auth_saml/doc/getting_started.rst create mode 100644 auth_saml/doc/index.rst create mode 100644 auth_saml/doc/models.gv create mode 100644 auth_saml/doc/models.rst create mode 100644 auth_saml/doc/requirements create mode 100644 auth_saml/doc/tests.rst create mode 100644 auth_saml/i18n/fr.po create mode 100644 auth_saml/models/__init__.py create mode 100644 auth_saml/models/auth_saml.py create mode 100644 auth_saml/models/base_settings.py create mode 100644 auth_saml/models/res_users.py create mode 100644 auth_saml/models/saml_token.py create mode 100644 auth_saml/scripts/2.0-cleanup.sql create mode 100644 auth_saml/scripts/clear_passwords.sql create mode 100644 auth_saml/security/ir.model.access.csv create mode 100755 auth_saml/static/description/index.html create mode 100644 auth_saml/tests/__init__.py create mode 100644 auth_saml/tests/test_auth_saml.py create mode 100644 auth_saml/tests/util/__init__.py create mode 100644 auth_saml/tests/util/odoo_tests.py create mode 100644 auth_saml/tests/util/singleton.py create mode 100644 auth_saml/tests/util/uuidgen.py create mode 100644 auth_saml/views/auth_saml.xml create mode 100644 auth_saml/views/base_settings.xml create mode 100644 auth_saml/views/res_users.xml diff --git a/auth_saml/README.rst b/auth_saml/README.rst new file mode 100644 index 0000000000..9a4ca61274 --- /dev/null +++ b/auth_saml/README.rst 
@@ -0,0 +1,124 @@ +.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 + +==================== +SAML2 authentication +==================== + +Let users log into Odoo via an SAML2 provider. + +This module allows to deport the management of users and passwords in an +external authentication system to provide SSO functionality (Single Sign On) +between Odoo and other applications of your ecosystem. + +.. WARNING:: + This module requires auth_crypt. This is because you still have the + option if not recommended to allow users to have a password stored in odoo + at the same time as having a SALM provider and id. + + +Benefits +======== + +* Reducing the time spent typing different passwords for different accounts. + +* Reducing the time spent in IT support for password oversights. + +* Centralizing authentication systems. + +* Securing all input levels / exit / access to multiple systems without + prompting users. + +* The centralization of access control information for compliance testing to + different standards. + + +Installation +============ + +Install as you would install any Odoo addon. + +Dependencies +------------ + +This addon requires `lasso`_. + +.. _lasso: http://lasso.entrouvert.org + + +Configuration +============= + +There are SAML-related settings in Configuration > General settings. + + +Usage +===== + +To use this module, you need an IDP server, properly set up. Go through the +"Getting started" section for more information. + + +Demo +==== + +.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas + :alt: Try me on Runbot + :target: https://runbot.odoo-community.org/runbot/149/8.0 + + +Known issues / Roadmap +====================== + +* Checks to ensure no Odoo user with SAML also has an Odoo password. +* Setting to disable that rule. 
+ +2.0 +--- + +* SAML tokens are not stored in res_users anymore to avoid locks on that table. + + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed feedback `here `_. + + +Credits +======= + +Contributors +------------ + +In order of appearance: + +- Florent Aide +- Vincent Hatakeyama +- Alexandre Brun +- Jeremy Co Kim Len +- Houzéfa Abbasbhay +- Jeffery Chen Fan +- Bhavesh Odedra + + +Maintainer +---------- + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +This module is maintained by the OCA. + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +To contribute to this module, please visit http://odoo-community.org. diff --git a/auth_saml/__init__.py b/auth_saml/__init__.py new file mode 100644 index 0000000000..66ecd5d658 --- /dev/null +++ b/auth_saml/__init__.py @@ -0,0 +1,4 @@ +# flake8: noqa + +from . import controllers +from . import models diff --git a/auth_saml/__openerp__.py b/auth_saml/__openerp__.py new file mode 100644 index 0000000000..7300fee2d4 --- /dev/null +++ b/auth_saml/__openerp__.py 
@@ -0,0 +1,53 @@ +# -*- coding: utf-8 -*- +############################################################################## +# +# Saml2 Authentication for Odoo +# Copyright (C) 2010-2016 XCG Consulting +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . +# +############################################################################## + + +{ + 'name': 'Saml2 Authentication', + 'version': '3.0', + 'category': 'Tools', + 'author': 'XCG Consulting, Odoo Community Association (OCA)', + 'maintainer': 'XCG Consulting', + 'website': 'http://odoo.consulting', + 'license': 'AGPL-3', + 'depends': [ + 'base', + 'base_setup', + 'web', + 'auth_crypt', + ], + + 'data': [ + 'data/auth_saml.xml', + 'data/ir_config_parameter.xml', + + 'security/ir.model.access.csv', + + 'views/auth_saml.xml', + 'views/base_settings.xml', + 'views/res_users.xml', + ], + 'installable': True, + 'auto_install': False, + 'external_dependencies': { + 'python': ['lasso'], + }, +} diff --git a/auth_saml/controllers/__init__.py b/auth_saml/controllers/__init__.py new file mode 100644 index 0000000000..6663c573bf --- /dev/null +++ b/auth_saml/controllers/__init__.py @@ -0,0 +1,3 @@ +# flake8: noqa + +from . import main diff --git a/auth_saml/controllers/main.py b/auth_saml/controllers/main.py new file mode 100644 index 0000000000..37a82c90d6 --- /dev/null +++ b/auth_saml/controllers/main.py 
@@ -0,0 +1,218 @@ +# -*- coding: utf-8 -*- + +import functools +import logging + +import simplejson +import werkzeug.utils + +import openerp +from openerp import _ +from openerp import http +from openerp.http import request +from openerp import SUPERUSER_ID +# import openerp.addons.web.http as oeweb +from openerp.addons.web.controllers.main import set_cookie_and_redirect +from openerp.addons.web.controllers.main import ensure_db +from openerp.addons.web.controllers.main import login_and_redirect + +_logger = logging.getLogger(__name__) + + +# ---------------------------------------------------------- +# helpers +# ---------------------------------------------------------- + + +def fragment_to_query_string(func): + @functools.wraps(func) + def wrapper(self, req, **kw): + if not kw: + return """""" + return func(self, req, **kw) + return wrapper + + +# ---------------------------------------------------------- +# Controller +# ---------------------------------------------------------- + + +class SAMLLogin(openerp.addons.web.controllers.main.Home): + + def list_providers(self): + try: + provider_obj = request.registry.get('auth.saml.provider') + providers = provider_obj.search_read( + request.cr, SUPERUSER_ID, [('enabled', '=', True)] + ) + except Exception, e: + _logger.exception("SAML2: %s" % str(e)) + providers = [] + + return providers + + @http.route() + def web_login(self, *args, **kw): + ensure_db() + if ( + request.httprequest.method == 'GET' and + request.session.uid and + request.params.get('redirect') + ): + + # Redirect if already logged in and redirect param is present + return http.redirect_with_hash(request.params.get('redirect')) + + providers = self.list_providers() + + response = super(SAMLLogin, self).web_login(*args, **kw) + if response.is_qweb: + error = request.params.get('saml_error') + if error == '1': + error = _("Sign up is not allowed on this database.") + elif error == '2': + error = _("Access Denied") + elif error == '3': + error = _( + 
"You do not have access to this database or your " + "invitation has expired. Please ask for an invitation " + "and be sure to follow the link in your invitation email." + ) + else: + error = None + + response.qcontext['providers'] = providers + + if error: + response.qcontext['error'] = error + + return response + + +class AuthSAMLController(http.Controller): + + def get_state(self, provider_id): + """Compute a state to be sent to the IDP so it can forward it back to + us. + + :rtype: Dictionary. + """ + + redirect = request.params.get('redirect') or 'web' + if not redirect.startswith(('//', 'http://', 'https://')): + redirect = '%s%s' % ( + request.httprequest.url_root, + redirect[1:] if redirect[0] == '/' else redirect + ) + + state = { + "d": request.session.db, + "p": provider_id, + "r": werkzeug.url_quote_plus(redirect), + } + return state + + @http.route('/auth_saml/get_auth_request', type='http', auth='none') + def get_auth_request(self, pid): + """state is the JSONified state object and we need to pass + it inside our request as the RelayState argument + """ + + provider_id = int(pid) + provider_osv = request.registry.get('auth.saml.provider') + + auth_request = None + + # store a RelayState on the request to our IDP so that the IDP + # can send us back this info alongside the obtained token + state = self.get_state(provider_id) + + try: + auth_request = provider_osv._get_auth_request( + request.cr, SUPERUSER_ID, provider_id, state + ) + + except Exception, e: + _logger.exception("SAML2: %s" % str(e)) + + # TODO: handle case when auth_request comes back as None + + redirect = werkzeug.utils.redirect(auth_request, 303) + redirect.autocorrect_location_header = True + return redirect + + @http.route('/auth_saml/signin', type='http', auth='none', csrf=False) + @fragment_to_query_string + def signin(self, req, **kw): + """client obtained a saml token and passed it back + to us... 
we need to validate it + """ + saml_response = kw.get('SAMLResponse', None) + + if kw.get('RelayState', None) is None: + # here we are in front of a client that went through + # some routes that "lost" its relaystate... this can happen + # if the client visited his IDP and successfully logged in + # then the IDP gave him a portal with his available applications + # but the provided link does not include the necessary relaystate + url = "/?type=signup" + redirect = werkzeug.utils.redirect(url, 303) + redirect.autocorrect_location_header = True + return redirect + + state = simplejson.loads(kw['RelayState']) + provider = state['p'] + + with request.registry.cursor() as cr: + try: + u = request.registry.get('res.users') + credentials = u.auth_saml( + cr, SUPERUSER_ID, provider, saml_response + ) + cr.commit() + action = state.get('a') + menu = state.get('m') + url = '/' + if action: + url = '/#action=%s' % action + elif menu: + url = '/#menu_id=%s' % menu + + return login_and_redirect(*credentials, redirect_url=url) + + except AttributeError, e: + # auth_signup is not installed + _logger.error("auth_signup not installed on database " + "saml sign up cancelled.") + url = "/#action=login&saml_error=1" + + except openerp.exceptions.AccessDenied: + # saml credentials not valid, + # user could be on a temporary session + _logger.info('SAML2: access denied, redirect to main page ' + 'in case a valid session exists, ' + 'without setting cookies') + + url = "/#action=login&saml_error=3" + redirect = werkzeug.utils.redirect(url, 303) + redirect.autocorrect_location_header = False + return redirect + + except Exception, e: + # signup error + _logger.exception("SAML2: %s" % str(e)) + url = "/#action=login&saml_error=2" + + return set_cookie_and_redirect(url) + +# vim:expandtab:tabstop=4:softtabstop=4:shiftwidth=4: diff --git a/auth_saml/data/auth_saml.xml b/auth_saml/data/auth_saml.xml new file mode 100644 index 0000000000..a4af56921e --- /dev/null 
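Review bot: In `signin`, the provider id is taken straight from the client-supplied `RelayState` (`provider = state['p']`) and handed to `res.users.auth_saml` without checking that the provider is still enabled, while `list_providers` only offers `enabled` providers to the login page; unless `auth_saml` re-checks it (that model is outside this hunk), a disabled provider's id placed in `RelayState` still authenticates against that provider's configuration. I'd resolve the id inside the existing `try` so a failure goes through the `AccessDenied` branch: `provider_ids = request.registry.get('auth.saml.provider').search(cr, SUPERUSER_ID, [('id', '=', provider), ('enabled', '=', True)])` followed by `if not provider_ids: raise openerp.exceptions.AccessDenied()`. Separately, `get_state` stores the return target under key `"r"` (URL-quoted), but `signin` only reads `state.get('a')` and `state.get('m')`, which nothing in this file writes, so the `redirect` parameter computed in `get_state` is never honoured after sign-in. Also `simplejson.loads(kw['RelayState'])` and `state['p']` run before the `try`, so a malformed RelayState becomes an unhandled 500 instead of the `saml_error=2` redirect.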
+++ b/auth_saml/data/auth_saml.xml @@ -0,0 +1,86 @@ + + + + + Local Authentic server + + + + + + + MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV + BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV + MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp + 06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh + ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr + kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi + VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG + Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0 + fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh + GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD + AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE + IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo + fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp + lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT + JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j + o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy + + + + + + + + + + + + ]]> + + + + + 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 + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + Example SAML 2.0 metadatas + +]]> + + + + zocial saml + Log in with Authentic + + + + diff --git a/auth_saml/data/ir_config_parameter.xml b/auth_saml/data/ir_config_parameter.xml new file mode 100644 index 0000000000..ce3c1c16a7 --- /dev/null +++ b/auth_saml/data/ir_config_parameter.xml @@ -0,0 +1,13 @@ + + + + + + + + auth_saml.allow_saml.uid_and_internal_password + 0 + + + + diff --git a/auth_saml/doc/Makefile b/auth_saml/doc/Makefile new file mode 100644 index 0000000000..47e030066a --- /dev/null +++ b/auth_saml/doc/Makefile 
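Review bot: `data/auth_saml.xml` ships a concrete `auth.saml.provider` record ("Local Authentic server") with an embedded IdP certificate and metadata, and `__openerp__.py` lists it under `'data'`, so it is loaded into every database that installs the module, not only demo databases. Whether the record is created with `enabled` set cannot be read from the rendered hunk (the XML tags are stripped here), but if it is, production installs would accept assertions signed by a sample IdP key they do not control until an administrator notices the extra login button. I'd move the record to a `'demo'` entry in the manifest, or at minimum make sure it is created disabled, and add a comment at the top of the file: `<!-- Sample IdP configuration for local testing only; not intended for production databases -->`.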
@@ -0,0 +1,238 @@ +# Makefile for Sphinx documentation +# + +# You can set these variables from the command line. +SPHINXOPTS = +SPHINXBUILD = sphinx-build +PAPER = +BUILDDIR = _build + +# User-friendly check for sphinx-build +ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) +$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) +endif + +project:=$(shell basename $(shell readlink -f ..)) +branch:=$(shell hg branch) + +# Internal variables. +PAPEROPT_a4 = -D latex_paper_size=a4 +PAPEROPT_letter = -D latex_paper_size=letter +ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . +# the i18n builder cannot share the environment and doctrees with the others +I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . 
+ +.PHONY: help +help: + @echo "Please use \`make ' where is one of" + @echo " html to make standalone HTML files" + @echo " dirhtml to make HTML files named index.html in directories" + @echo " singlehtml to make a single large HTML file" + @echo " pickle to make pickle files" + @echo " json to make JSON files" + @echo " htmlhelp to make HTML files and a HTML help project" + @echo " qthelp to make HTML files and a qthelp project" + @echo " applehelp to make an Apple Help Book" + @echo " devhelp to make HTML files and a Devhelp project" + @echo " epub to make an epub" + @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" + @echo " latexpdf to make LaTeX files and run them through pdflatex" + @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" + @echo " text to make text files" + @echo " man to make manual pages" + @echo " texinfo to make Texinfo files" + @echo " info to make Texinfo files and run them through makeinfo" + @echo " gettext to make PO message catalogs" + @echo " changes to make an overview of all changed/added/deprecated items" + @echo " xml to make Docutils-native XML files" + @echo " pseudoxml to make pseudoxml-XML files for display purposes" + @echo " linkcheck to check all external links for integrity" + @echo " doctest to run all doctests embedded in the documentation (if enabled)" + @echo " coverage to run coverage check of the documentation (if enabled)" + @echo " publish to make html documentation and publish it on doc.xcg.global" + +.PHONY: clean +clean: + rm -rf $(BUILDDIR)/* + rm -f autotodo + +.PHONY: html +html: autotodo + $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + +.PHONY: dirhtml +dirhtml: + $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." 
+ +.PHONY: singlehtml +singlehtml: + $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml + @echo + @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." + +.PHONY: pickle +pickle: + $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle + @echo + @echo "Build finished; now you can process the pickle files." + +.PHONY: json +json: + $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json + @echo + @echo "Build finished; now you can process the JSON files." + +.PHONY: htmlhelp +htmlhelp: + $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp + @echo + @echo "Build finished; now you can run HTML Help Workshop with the" \ + ".hhp project file in $(BUILDDIR)/htmlhelp." + +.PHONY: qthelp +qthelp: + $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp + @echo + @echo "Build finished; now you can run "qcollectiongenerator" with the" \ + ".qhcp project file in $(BUILDDIR)/qthelp, like this:" + @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/EventGLEViva.qhcp" + @echo "To view the help file:" + @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/EventGLEViva.qhc" + +.PHONY: applehelp +applehelp: + $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp + @echo + @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." + @echo "N.B. You won't be able to view it unless you put it in" \ + "~/Library/Documentation/Help or install it in your application" \ + "bundle." + +.PHONY: devhelp +devhelp: + $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp + @echo + @echo "Build finished." + @echo "To view the help file:" + @echo "# mkdir -p $$HOME/.local/share/devhelp/EventGLEViva" + @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/EventGLEViva" + @echo "# devhelp" + +.PHONY: epub +epub: + $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub + @echo + @echo "Build finished. The epub file is in $(BUILDDIR)/epub." 
+ +.PHONY: latex +latex: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo + @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." + @echo "Run \`make' in that directory to run these through (pdf)latex" \ + "(use \`make latexpdf' here to do that automatically)." + +.PHONY: latexpdf +latexpdf: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through pdflatex..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +.PHONY: latexpdfja +latexpdfja: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through platex and dvipdfmx..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +.PHONY: text +text: + $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text + @echo + @echo "Build finished. The text files are in $(BUILDDIR)/text." + +.PHONY: man +man: + $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man + @echo + @echo "Build finished. The manual pages are in $(BUILDDIR)/man." + +.PHONY: texinfo +texinfo: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo + @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." + @echo "Run \`make' in that directory to run these through makeinfo" \ + "(use \`make info' here to do that automatically)." + +.PHONY: info +info: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo "Running Texinfo files through makeinfo..." + make -C $(BUILDDIR)/texinfo info + @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." + +.PHONY: gettext +gettext: + $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale + @echo + @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." 
+ +.PHONY: changes +changes: + $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes + @echo + @echo "The overview file is in $(BUILDDIR)/changes." + +.PHONY: linkcheck +linkcheck: + $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck + @echo + @echo "Link check complete; look for any errors in the above output " \ + "or in $(BUILDDIR)/linkcheck/output.txt." + +.PHONY: doctest +doctest: + $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest + @echo "Testing of doctests in the sources finished, look at the " \ + "results in $(BUILDDIR)/doctest/output.txt." + +.PHONY: coverage +coverage: + $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage + @echo "Testing of coverage in the sources finished, look at the " \ + "results in $(BUILDDIR)/coverage/python.txt." + +.PHONY: xml +xml: + $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml + @echo + @echo "Build finished. The XML files are in $(BUILDDIR)/xml." + +.PHONY: pseudoxml +pseudoxml: + $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml + @echo + @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." + +autotodo: + @python autotodo.py ../ .py TODO,FIXME,XXX + +LANGUAGES=en fr + +.PHONY: publish +publish: + @for LANGUAGE in $(LANGUAGES); do \ + make -e SPHINXOPTS=-Dlanguage=$${LANGUAGE} html; \ + ssh openerp-dev.xcg.global mkdir -p /var/www/doc/$(project)/$${LANGUAGE}/$(branch); \ + ssh openerp-dev.xcg.global chmod 775 /var/www/doc/$(project); \ + ssh openerp-dev.xcg.global chmod 775 /var/www/doc/$(project)/$${LANGUAGE}; \ + ssh openerp-dev.xcg.global chmod 775 /var/www/doc/$(project)/$${LANGUAGE}/$(branch); \ + rsync -r -a -v --chmod=ug=rwX --delete $(BUILDDIR)/html/ openerp-dev.xcg.global:/var/www/doc/$(project)/$${LANGUAGE}/$(branch); \ + done + diff --git a/auth_saml/doc/NEWS.rst b/auth_saml/doc/NEWS.rst new file mode 120000 index 0000000000..e0135754ab --- /dev/null +++ b/auth_saml/doc/NEWS.rst 
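Review bot: The `publish` target relies on `branch:=$(shell hg branch)`, but this module is tracked in a Git repository (this is a git patch), so `branch` expands to empty and the remote paths collapse to `/var/www/doc/$(project)/$${LANGUAGE}/`; `branch:=$(shell git rev-parse --abbrev-ref HEAD)` is the Git equivalent. The target also hard-codes the host `openerp-dev.xcg.global` and a `/var/www/doc` layout that have no meaning for an OCA-hosted module, so `make publish` will fail for any other contributor; it would be cleaner to drop the target or parameterise it with `PUBLISH_HOST ?=` and `PUBLISH_ROOT ?=` variables. The rest of the Makefile is the stock sphinx-quickstart output and needs no review.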
@@ -0,0 +1 @@ +../NEWS.rst \ No newline at end of file diff --git a/auth_saml/doc/TODO.rst b/auth_saml/doc/TODO.rst new file mode 100644 index 0000000000..f569d7f96c --- /dev/null +++ b/auth_saml/doc/TODO.rst @@ -0,0 +1,7 @@ +==== +TODO +==== + +.. todolist:: + +.. include:: autotodo diff --git a/auth_saml/doc/autotodo b/auth_saml/doc/autotodo new file mode 100644 index 0000000000..be51a92322 --- /dev/null +++ b/auth_saml/doc/autotodo @@ -0,0 +1,69 @@ +FIXME +===== + +XXX +=== + +TODO +==== + +:class:`main` +------------- + +Line 147 + .. literalinclude:: ../controllers/main.py + :language: python + :lines: 144-151 + :emphasize-lines: 147 + :lineno-start: 144 + +:class:`auth_saml` +------------------ + +Line 22 + .. literalinclude:: ../models/auth_saml.py + :language: python + :lines: 19-26 + :emphasize-lines: 22 + :lineno-start: 19 + +:class:`res_users` +------------------ + +Line 180 + .. literalinclude:: ../models/res_users.py + :language: python + :lines: 177-184 + :emphasize-lines: 180 + :lineno-start: 177 + +:class:`res_users` +------------------ + +Line 254 + .. literalinclude:: ../models/res_users.py + :language: python + :lines: 251-258 + :emphasize-lines: 254 + :lineno-start: 251 + +:class:`test_auth_saml` +----------------------- + +Line 20 + .. literalinclude:: ../tests/test_auth_saml.py + :language: python + :lines: 17-24 + :emphasize-lines: 20 + :lineno-start: 17 + +:class:`conf` +------------- + +Line 315 + .. literalinclude:: ../doc/conf.py + :language: python + :lines: 312-319 + :emphasize-lines: 315 + :lineno-start: 312 + diff --git a/auth_saml/doc/autotodo.py b/auth_saml/doc/autotodo.py new file mode 100644 index 0000000000..ca40437494 --- /dev/null +++ b/auth_saml/doc/autotodo.py 
@@ -0,0 +1,111 @@ +# -*- coding: utf-8 -*- +############################################################################## +# +# OpenERP, Open Source Management Solution +# Copyright (C) 2014 XCG Consulting +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . +# +############################################################################## + +import os +import os.path +import sys + + +def main(): + if len(sys.argv) != 4: + print("usage: autotodo.py ") + sys.exit(1) + + folder = sys.argv[1] + exts = sys.argv[2].split(',') + tags = sys.argv[3].split(',') + todolist = {tag: [] for tag in tags} + + os.path.walk(folder, scan_folder, (exts, tags, todolist)) + create_autotodo(folder, todolist) + + +def write_info(f, infos, folder): + # Check sphinx version for lineno-start support + + import sphinx + + if sphinx.version_info < (1, 3): + lineno_start = False + else: + lineno_start = True + + for i in infos: + path = i[0] + line = i[1] + lines = (line - 3, line + 4) + class_name = ( + ":class:`%s`" % + os.path.basename(os.path.splitext(path)[0]) + ) + f.write( + "%s\n" + "%s\n\n" + "Line %s\n" + "\t.. 
literalinclude:: %s\n" + "\t\t:language: python\n" + "\t\t:lines: %s-%s\n" + "\t\t:emphasize-lines: %s\n" + % + ( + class_name, + "-" * len(class_name), + line, + path, + lines[0], lines[1], + line, + ) + ) + if lineno_start: + f.write("\t\t:lineno-start: %s\n" % lines[0]) + f.write("\n") + + +def create_autotodo(folder, todolist): + with open('autotodo', 'w+') as f: + for tag, info in todolist.iteritems(): + f.write("%s\n%s\n\n" % (tag, '=' * len(tag))) + write_info(f, info, folder) + + +def scan_folder((exts, tags, res), dirname, names): + file_info = {} + for name in names: + (root, ext) = os.path.splitext(name) + if ext in exts: + file_info = scan_file(os.path.join(dirname, name), tags) + for tag, info in file_info.iteritems(): + if info: + res[tag].extend(info) + + +def scan_file(filename, tags): + res = {tag: [] for tag in tags} + with open(filename, 'r') as f: + for line_num, line in enumerate(f): + for tag in tags: + if tag in line: + res[tag].append((filename, line_num, line[:-1].strip())) + return res + + +if __name__ == "__main__": + main() diff --git a/auth_saml/doc/conf.py b/auth_saml/doc/conf.py new file mode 100644 index 0000000000..aacc89ed8a --- /dev/null +++ b/auth_saml/doc/conf.py 
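Review bot: `scan_file` records `line_num` from `enumerate(f)`, which counts from 0, so every "Line N" heading and `:emphasize-lines:` value emitted by `write_info` is one below the real line, and for a tag in the first three lines `lines[0]` becomes zero or negative, which Sphinx's `:lines:` option rejects. The fix is `for line_num, line in enumerate(f, 1):` in `scan_file` and `lines = (max(line - 3, 1), line + 4)` in `write_info`. Depending on the Sphinx version, `:emphasize-lines:` may be counted relative to the selected `:lines:` span rather than the file, in which case the value should be `line - lines[0] + 1`; worth confirming against the Sphinx in use. `write_info` also takes a `folder` argument it never reads, and `main` and both helpers are complete within the hunk.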
@@ -0,0 +1,335 @@ +# -*- coding: utf-8 -*- + +# flake8: noqa + +# +# SAML2 authentication build configuration file, created by +# sphinx-quickstart on Mon Jun 13 17:24:26 2016. +# +# This file is execfile()d with the current directory set to its +# containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import ast +import sys +import os + +import openerp + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ------------------------------------------------ + +# If your documentation needs a minimal Sphinx version, state it here. +# needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. +extensions = [ + 'sphinx.ext.autodoc', + 'sphinx.ext.doctest', + 'sphinx.ext.intersphinx', + 'sphinx.ext.todo', + 'sphinx.ext.coverage', + 'sphinxodoo.ext.autodoc', + 'sphinx.ext.graphviz', +] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix(es) of source filenames. +# You can specify multiple suffix as a list of string: +# source_suffix = ['.rst', '.md'] +source_suffix = '.rst' + +# The encoding of source files. +# source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. 
+project = u'SAML2 authentication' +copyright = u'2016, XCG Consulting' +author = u'XCG Consulting, Odoo Community Association (OCA)' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +with open(os.path.join('..', '__openerp__.py'), 'r') as f: + read_data = f.read() +d = ast.literal_eval(read_data) +# The full version, including alpha/beta/rc tags. +release = d['version'] +# The short X.Y version. +version = '.'.join(release.split('.')[:4]) + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# +# This is also used if you do content translation via gettext catalogs. +# Usually you set "language" from the command line for these cases. +language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +# today = '' +# Else, today_fmt is used as the format for a strftime call. +# today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = ['_build'] + +# The reST default role (used for this markup: `text`) to use for all +# documents. +# default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +# add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +# add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +# show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. 
+# modindex_common_prefix = [] + +# If true, keep warnings as "system message" paragraphs in the built documents. +# keep_warnings = False + +# If true, `todo` and `todoList` produce output, else they produce nothing. +todo_include_todos = True + + +# -- Options for HTML output ---------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'default' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +# html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +# html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +# html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +# html_logo = None + +# The name of an image file (relative to this directory) to use as a favicon of +# the docs. This file should be a Windows icon file (.ico) being 16x16 or +# 32x32 pixels large. +# html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = ['_static'] + +# Add any extra paths that contain custom files (such as robots.txt or +# .htaccess) here, relative to this directory. These files are copied +# directly to the root of the documentation. +# html_extra_path = [] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. 
+# html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +# html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +# html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +# html_additional_pages = {} + +# If false, no module index is generated. +# html_domain_indices = True + +# If false, no index is generated. +# html_use_index = True + +# If true, the index is split into individual pages for each letter. +# html_split_index = False + +# If true, links to the reST sources are added to the pages. +# html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +# html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +# html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +# html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +# html_file_suffix = None + +# Language to be used for generating the HTML full-text search index. +# Sphinx supports the following languages: +# 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja' +# 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr' +# html_search_language = 'en' + +# A dictionary with options for the search language support, empty by default. +# Now only 'ja' uses this config value +# html_search_options = {'type': 'default'} + +# The name of a javascript file (relative to the configuration directory) that +# implements a search results scorer. If empty, the default will be used. +# html_search_scorer = 'scorer.js' + +# Output file base name for HTML help builder. 
+htmlhelp_basename = 'SAML2AuthenticationDoc' + +# -- Options for LaTeX output --------------------------------------------- + +latex_elements = { + # The paper size ('letterpaper' or 'a4paper'). + # 'papersize': 'letterpaper', + + # The font size ('10pt', '11pt' or '12pt'). + # 'pointsize': '10pt', + + # Additional stuff for the LaTeX preamble. + # 'preamble': '', + + # Latex figure (float) alignment + # 'figure_align': 'htbp', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + (master_doc, 'SAML2Authentication.tex', + u'SAML2 authentication documentation', + u'XCG Consulting', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +# latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +# latex_use_parts = False + +# If true, show page references after internal links. +# latex_show_pagerefs = False + +# If true, show URL addresses after external links. +# latex_show_urls = False + +# Documents to append as an appendix to all manuals. +# latex_appendices = [] + +# If false, no module index is generated. +# latex_domain_indices = True + + +# -- Options for manual page output --------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + (master_doc, 'saml2authentication', u'SAML2 authentication documentation', + [author], 1) +] + +# If true, show URL addresses after external links. +# man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------- + +# Grouping the document tree into Texinfo files. 
List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + (master_doc, 'SAML2Authentication', u'SAML2 authentication documentation', + author, 'SAML2Authentication', + 'Let users log into Odoo via an SAML2 provider.', 'Miscellaneous'), +] + +# Documents to append as an appendix to all manuals. +# texinfo_appendices = [] + +# If false, no module index is generated. +# texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +# texinfo_show_urls = 'footnote' + +# If true, do not generate a @detailmenu in the "Top" node's menu. +# texinfo_no_detailmenu = False + +todo_include_todos = True + +# Example configuration for intersphinx: refer to the Python standard library. +intersphinx_mapping = {'https://docs.python.org/': None} + + +# +# odoo-sphinx-autodoc +# + +# sphinxodoo_addons : List of addons name to load (if empty, no addon will be loaded) +this_module = os.path.basename(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) + +sphinxodoo_addons = [this_module] +# sphinxodoo_root_path : Path of the Odoo root directory +# sphinxodoo_root_path = os.path.dirname(os.path.dirname(os.path.abspath(openerp.__file__))) +# TODO Fix this. 
+sphinxodoo_root_path = '/home/habba/Dev/OpenERP/sources/odoo8' + +# sphinxodoo_addons_path : List of paths were Odoo addons to load are located +superproject_path = os.path.dirname(os.path.dirname(os.path.dirname(os.getenv('PWD')))) +with open(os.path.join(superproject_path, 'odoo_type')) as f: + odoo_type = f.read() +sphinxodoo_addons_path = [] +if odoo_type.strip() == 'bzr': + sphinxodoo_addons_path.append(os.path.join(os.getenv('HOME'), 'src', 'openobject-addons')) + sphinxodoo_addons_path.append(os.path.join(os.getenv('HOME'), 'src', 'openerp-web', 'addons')) +else: + sphinxodoo_addons_path.append(os.path.join(sphinxodoo_root_path, 'addons')) + +with open(os.path.join(superproject_path, 'addon_dirs')) as f: + for line in f.read().splitlines(): + sphinxodoo_addons_path.append(os.path.join(superproject_path, line)) diff --git a/auth_saml/doc/getting_started.rst b/auth_saml/doc/getting_started.rst new file mode 100644 index 0000000000..f34b759ef8 --- /dev/null +++ b/auth_saml/doc/getting_started.rst 
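Review bot: `superproject_path` is derived from `os.getenv('PWD')` near the end of the hunk, and that variable is not set when Sphinx is started from a non-shell process (CI, an IDE, `subprocess` without a shell), in which case `os.path.dirname(None)` raises TypeError before the addons configuration is read; `this_module` a few lines above already anchors on `os.path.abspath(__file__)`, and the same anchor with one more `os.path.dirname` gives the superproject without depending on the invoking shell. The hardcoded `sphinxodoo_root_path = '/home/habba/Dev/OpenERP/sources/odoo8'` under the `TODO Fix this.` line is a developer-machine path; the commented line just above it, `os.path.dirname(os.path.dirname(os.path.abspath(openerp.__file__)))`, is the portable form and also gives the otherwise unused `import openerp` a purpose. Lines read from the `addon_dirs` file are joined verbatim, so a trailing space or an empty line becomes a bogus addons path; `line.strip()` and skipping blank lines would guard that.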
@@ -0,0 +1,88 @@ +Getting started with Authentic2 +=============================== + +This is quick howto to help setup a service provider that will be able +to use the IDP from Authentic2 + +We will mostly cover how to setup your rsa keys and certificates + + +Creating the certs +------------------ + +Use easy-rsa from the easy-rsa package (or from the openvpn project) + +Example script below with comment saying what you should do between each +command:: + + #clean your vars + + source ./vars + + ./build-dh + ./pkitool --initca + + #change your vars to math a new client cert + + source ./vars + + ./pkitool myclient + + +Congratulations, you now have a client certificate signed by a shiny new +CA under you own private control. + +Configuring authentic +--------------------- + +We will not describe how to compile requirements nor start an authentic server. + +Just log into your authentic admin panel:: + + https://myauthenticserver/admin + + +and create a new "liberty provider". + +You'll need to create a metadata xml file from a template (TODO) + +You'll need to make sure it is activated and that the default protocol rules +are applied (ie: the requests are signed and signatures are verified) + +Configuring OpenERP +------------------- + +After installing the auth_saml module you should have new configuration +options in the admin panel. + +You'll see a demonstration setup that points to a localhost:8000 +identity provider (IDP). + +DO NOT USE THIS PROVIDER!!! This is a demonstration only setup and contains +a private key that everyone can see in the source code of this module... + +Using a private key when it has been compromised (ie: shared with the world) +is a really bad idea for an authentication system. + +I'll say it again just to make sure you understand:: + + DO NOT USE THE DEMONSTRATION CONFIGURATION AND KEYS + IN ANY SERVER OTHER THAN A DEMO LOCALHOST MACHINE FOR + TESTING PURPOSES. 
+ + DOING SO WILL SURELY LEAD TO YOUR IDENTIY BEING STOLEN, YOUR SERVERS + BEING ROOTED AND MORE SERIOUSLY TO THE END OF THE WORLD AND OTHER + SUCH CALAMITIES YOU DON'T WANT TO EXPERIENCE TOO EARLY... + +Seriously I hope you got the message loud and clear... Don't do that. +Follow the creating certs guide just above. + +Copy the metadata from your identity provider:: + + wget https://myauthenticserver/idp/saml2/metadata + +and make sure the URLs point where they should. Edit the file if necessary. + +Then save its content into the corresponding box in the openerp SAML2 Provider form. + +There are additional SAML-related settings in Configuration > General settings. diff --git a/auth_saml/doc/index.rst b/auth_saml/doc/index.rst new file mode 100644 index 0000000000..018a7090eb --- /dev/null +++ b/auth_saml/doc/index.rst @@ -0,0 +1,21 @@ +.. include:: ../README.rst + +Contents: + +.. toctree:: + :maxdepth: 2 + + getting_started + NEWS + models + tests + TODO + + +Indices and tables +================== + +* :ref:`genindex` +* :ref:`modindex` +* :ref:`search` + diff --git a/auth_saml/doc/models.gv b/auth_saml/doc/models.gv new file mode 100644 index 0000000000..722fb78c9c --- /dev/null +++ b/auth_saml/doc/models.gv @@ -0,0 +1,7 @@ +digraph model { + + node [ + shape = "record" + ] + +} diff --git a/auth_saml/doc/models.rst b/auth_saml/doc/models.rst new file mode 100644 index 0000000000..5293250d1d --- /dev/null +++ b/auth_saml/doc/models.rst @@ -0,0 +1,7 @@ +Models +====== + +.. graphviz:: models.gv + +TODO + diff --git a/auth_saml/doc/requirements b/auth_saml/doc/requirements new file mode 100644 index 0000000000..3c20f90c2d --- /dev/null +++ b/auth_saml/doc/requirements @@ -0,0 +1,2 @@ +sphinx +git+https://github.com/OCA/odoo-sphinx-autodoc#egg=odoo-sphinx-autodoc diff --git a/auth_saml/doc/tests.rst b/auth_saml/doc/tests.rst new file mode 100644 index 0000000000..5159671d8b --- /dev/null +++ b/auth_saml/doc/tests.rst 
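Review bot: The `git+https://github.com/OCA/odoo-sphinx-autodoc#egg=odoo-sphinx-autodoc` line pins no commit, tag or branch, so every docs build installs whatever that repository's default branch holds at build time; the build is neither reproducible nor protected against an upstream change or a compromised upstream account. Pin it to a reviewed revision, `git+https://github.com/OCA/odoo-sphinx-autodoc@<commit-sha>#egg=odoo-sphinx-autodoc`, and bump it deliberately. `sphinx` is likewise unpinned although `autotodo.py` in this same commit branches on `sphinx.version_info < (1, 3)`, so a minimum such as `sphinx>=1.3` would document the version actually supported.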
@@ -0,0 +1,10 @@ +Tests +===== + +SAML2 authentication +-------------------- + +.. automodule:: openerp.addons.auth_saml.tests.test_auth_saml + :members: + :undoc-members: + diff --git a/auth_saml/i18n/fr.po b/auth_saml/i18n/fr.po new file mode 100644 index 0000000000..2942526a96 --- /dev/null +++ b/auth_saml/i18n/fr.po 
@@ -0,0 +1,201 @@ +# Translation of OpenERP Server. +# This file contains the translation of the following modules: +# * auth_saml +# Vincent Lhote-Hatakeyama , 2014. +msgid "" +msgstr "" +"Project-Id-Version: OpenERP Server 7.0\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2015-03-03 15:51+0000\n" +"PO-Revision-Date: 2015-03-03 16:56+0100\n" +"Last-Translator: Houzéfa Abbasbhay \n" +"Language-Team: XCG Consulting\n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Poedit 1.5.4\n" + +#. module: auth_saml +#: constraint:res.users:0 +msgid "" +"SAML2 authentication: An Odoo user cannot posess both an SAML user ID and an " +"Odoo password." +msgstr "" +"Authentification SAML2 : Un utilisateur Odoo ne peut pas posséder à la fois " +"un ID utilisateur SAML et un mot de passe Odoo." + +#. module: auth_saml +#: model:ir.model,name:auth_saml.model_base_config_settings +msgid "base.config.settings" +msgstr "base.config.settings" + +#. module: auth_saml +#: field:auth_saml.token,saml_access_token:0 +msgid "Current SAML token for this user" +msgstr "Jeton SAML courant de l’utilisateur" + +#. module: auth_saml +#. openerp-web +#: code:addons/auth_saml/static/src/js/auth_saml.js:14 +#, python-format +msgid "Sign up error" +msgstr "Erreur d’inscription" + +#. module: auth_saml +#: model:ir.model,name:auth_saml.model_auth_saml_token +msgid "auth_saml.token" +msgstr "auth_saml.token" + +#. module: auth_saml +#: field:auth_saml.token,saml_provider_id:0 +msgid "SAML Provider that issued the token" +msgstr "Fournisseur SAML qui a fourni le token" + +#. module: auth_saml +#: model:ir.ui.menu,name:auth_saml.menu_saml_providers +msgid "SAML Providers" +msgstr "Fournisseurs SAML" + +#. module: auth_saml +#: model:ir.model,name:auth_saml.model_res_users +msgid "Users" +msgstr "Utilisateurs" + +#. module: auth_saml +#. 
openerp-web +#: code:addons/auth_saml/static/src/js/auth_saml.js:16 +#: code:addons/auth_saml/static/src/js/auth_saml.js:18 +#, python-format +msgid "Authentication error" +msgstr "Erreur d’authentification" + +#. module: auth_saml +#: help:auth_saml.token,saml_access_token:0 +msgid "The current SAML token in use" +msgstr "Le jeton SAML courant en cours d’utilisation" + +#. module: auth_saml +#: field:auth_saml.token,user_id:0 +msgid "User" +msgstr "Utilisateur" + +#. module: auth_saml +#: model:ir.model,name:auth_saml.model_auth_saml_provider +msgid "SAML2 provider" +msgstr "Fournisseur SAML2" + +#. module: auth_saml +#. openerp-web +#: code:addons/auth_saml/static/src/js/auth_saml.js:16 +#, python-format +msgid "Access Denied" +msgstr "Accès refusé" + +#. module: auth_saml +#: model:ir.model,name:auth_saml.model_res_config +msgid "res.config" +msgstr "res.config" + +#. module: auth_saml +#: field:res.users,saml_provider_id:0 +msgid "SAML Provider" +msgstr "Fournisseur SAML" + +#. module: auth_saml +#: field:base.config.settings,allow_saml_uid_and_internal_password:0 +msgid "" +"Allow SAML users to posess an Odoo password (warning: decreases security)" +msgstr "" +"Autoriser les utilisateurs avec SAML à aussi avoir un mot de passe Odoo " +"(attention : abaisse la sécurité)" + +#. module: auth_saml +#: view:auth.saml.provider:0 +msgid "arch" +msgstr "arch" + +#. module: auth_saml +#: sql_constraint:res.users:0 +msgid "SAML UID must be unique per provider" +msgstr "L’identifiant SAML doit être unique par fournisseur" + +#. module: auth_saml +#: field:res.users,saml_uid:0 +msgid "SAML User ID" +msgstr "Identifiant utilisateur SAML" + +#. module: auth_saml +#: view:res.users:0 +msgid "SAML" +msgstr "SAML" + +#. module: auth_saml +#: help:res.users,saml_uid:0 +msgid "SAML Provider user_id" +msgstr "Fournisseur SAML user_id" + +#. module: auth_saml +#: model:ir.actions.act_window,name:auth_saml.action_saml_provider +msgid "Providers" +msgstr "Fournisseurs" + +#. 
module: auth_saml +#. openerp-web +#: code:addons/auth_saml/static/src/js/auth_saml.js:14 +#, python-format +msgid "Sign up is not allowed on this database." +msgstr "L’inscription n’est pas autorisée sur cette base de donnée." + +#. module: auth_saml +#. openerp-web +#: code:addons/auth_saml/static/src/js/auth_saml.js:18 +#, python-format +msgid "" +"You do not have access to this database or your invitation has expired. " +"Please ask for an invitation and be sure to follow the link in your " +"invitation email." +msgstr "" +"Vous n’avez pas accès à cette base de donnée ou votre invitation a expirée. " +"Demandez une invitation et assurez-vous de suivre le lien dans le courriel " +"d’invitation." + +#~ msgid "CSS class" +#~ msgstr "Classe CSS" + +#~ msgid "Body" +#~ msgstr "Corps" + +#~ msgid "unknown" +#~ msgstr "inconnu" + +#~ msgid "http://localhost:8000" +#~ msgstr "http://localhost :8000" + +#~ msgid "running on" +#~ msgstr "en fonctionnement sur" + +#~ msgid "You must have an" +#~ msgstr "Vous devez avoir un" + +#~ msgid "authentic2 server" +#~ msgstr "serveur authentic2" + +#~ msgid "Allow users to sign in with a Local Authentic" +#~ msgstr "Autoriser les utilisateurs à s’inscrire avec un Authentic local" + +#~ msgid "SP Configuration" +#~ msgstr "Configuration du FS" + +#~ msgid "Private key of our service provider (this openerpserver)" +#~ msgstr "Clef privée de notre fournisseur de service (ce serveur OpenERP)" + +#~ msgid "Provider name" +#~ msgstr "Nom du fournisseur" + +#~ msgid "IDP Configuration" +#~ msgstr "Configuration FI" + +#~ msgid "Allowed" +#~ msgstr "Autorisé" diff --git a/auth_saml/models/__init__.py b/auth_saml/models/__init__.py new file mode 100644 index 0000000000..8f75d153e3 --- /dev/null +++ b/auth_saml/models/__init__.py @@ -0,0 +1,6 @@ +# flake8: noqa + +from . import auth_saml +from . import base_settings +from . import res_users +from . import saml_token 
diff --git a/auth_saml/models/auth_saml.py b/auth_saml/models/auth_saml.py new file mode 100644 index 0000000000..071ce77fb5 --- /dev/null +++ b/auth_saml/models/auth_saml.py 
@@ -0,0 +1,81 @@
+# -*- coding: utf-8 -*-
+
+import lasso
+import simplejson
+
+from openerp import api
+from openerp import fields
+from openerp import models
+
+
+class AuthSamlProvider(models.Model):
+ """Class defining the configuration values of an Saml2 provider"""
+
+ _name = 'auth.saml.provider'
+ _description = 'SAML2 provider'
+ _order = 'name'
+
+ @api.multi
+ def _get_lasso_for_provider(self):
+ """internal helper to get a configured lasso.Login object for the
+ given provider id"""
+
+ # TODO: we should cache those results somewhere because it is
+ # really costly to always recreate a login variable from buffers
+ server = lasso.Server.newFromBuffers(
+ self.sp_metadata,
+ self.sp_pkey
+ )
+ server.addProviderFromBuffer(
+ lasso.PROVIDER_ROLE_IDP,
+ self.idp_metadata
+ )
+ return lasso.Login(server)
+
+ @api.multi
+ def _get_matching_attr_for_provider(self):
+ """internal helper to fetch the matching attribute for this SAML
+ provider. Returns a unicode object.
+ """
+
+ self.ensure_one()
+
+ return self.matching_attribute
+
+ @api.multi
+ def _get_auth_request(self, state):
+ """build an authentication request and give it back to our client
+ """
+
+ self.ensure_one()
+
+ login = self._get_lasso_for_provider()
+
+ # ! -- this is the part that MUST be performed on each call and
+ # cannot be cached
+ login.initAuthnRequest()
+ login.request.nameIdPolicy.format = None
+ login.request.nameIdPolicy.allowCreate = True
+ login.msgRelayState = simplejson.dumps(state)
+ login.buildAuthnRequestMsg()
+
+ # msgUrl is a fully encoded url ready for redirect use
+ # obtained after the buildAuthnRequestMsg() call
+ return login.msgUrl
+
+ # Name of the OAuth2 entity, authentic, xcg...
+ name = fields.Char('Provider name')
+ idp_metadata = fields.Text('IDP Configuration')
+ sp_metadata = fields.Text('SP Configuration')
+ sp_pkey = fields.Text(
+ 'Private key of our service provider (this openerpserver)'
+ )
+ matching_attribute = fields.Text(
+ string='Matching Attribute',
+ default='subject.nameId',
+ required=True,
+ )
+ enabled = fields.Boolean('Enabled', default=False)
+ sequence = fields.Integer('Sequence')
+ css_class = fields.Char('CSS Class')
+ body = fields.Char('Body')
diff --git a/auth_saml/models/base_settings.py b/auth_saml/models/base_settings.py
new file mode 100644
index 0000000000..392bedb5a8
--- /dev/null
+++ b/auth_saml/models/base_settings.py
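Review bot: `_get_lasso_for_provider` reads `self.sp_metadata`, `self.sp_pkey` and `self.idp_metadata` under `@api.multi` without the `self.ensure_one()` guard that both sibling methods use, so on a multi-record set it fails with the generic singleton error instead of a clear one; add `self.ensure_one()` as its first statement. `sp_pkey` stores the service provider's private key as a plain `fields.Text` column, and `security/ir.model.access.csv` in this same commit grants `base.group_erp_manager` read access on `auth.saml.provider`, which includes that column; restricting the field with `groups='base.group_system'` (or keeping the key outside the database, e.g. a file path read at load time) would limit it to administrators. The trailing comment `# Name of the OAuth2 entity, authentic, xcg...` should say SAML, since nothing in this model is OAuth2.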
@@ -0,0 +1,86 @@
+# -*- coding: utf-8 -*-
+
+from openerp import fields
+from openerp import models
+from openerp import api
+
+
+_SAML_UID_AND_PASS_SETTING = 'auth_saml.allow_saml.uid_and_internal_password'
+
+
+class BaseSettings(models.TransientModel):
+ """Inherit from base.config.settings to add a setting. This is only here
+ for easier access; the setting is not actually stored by this (transient)
+ collection. Instead, it is kept in sync with the
+ "auth_saml.allow_saml.uid_and_internal_password" global setting. See
+ comments in the definition of the "res.config.settings" collection for
+ details.
+ """
+
+ _inherit = 'base.config.settings'
+
+ allow_saml_uid_and_internal_password = fields.Boolean(
+ (
+ 'Allow SAML users to posess an Odoo password (warning: '
+ 'decreases security)'
+ ),
+ )
+
+ # take care to name the function with another name to not clash with column
+ @api.model
+ def allow_saml_and_password(self):
+ """Read the allow_saml_uid_and_internal_password setting.
+ Use the admin account to bypass security restrictions.
+ """
+
+ config_obj = self.env['ir.config_parameter']
+ config_objs = config_obj.sudo().search(
+ [('key', '=', _SAML_UID_AND_PASS_SETTING)],
+ limit=1,
+ )
+
+ # no configuration found reply with default value
+ if len(config_objs) == 0:
+ return False
+
+ return (True if config_objs.value == '1' else False)
+
+ @api.multi
+ def get_default_allow_saml_uid_and_internal_password(self, fields):
+ """Read the allow_saml_uid_and_internal_password setting. This function
+ is called when the form is shown.
+ """
+
+ ret = {}
+
+ if 'allow_saml_uid_and_internal_password' in fields:
+ ret['allow_saml_uid_and_internal_password'] = (
+ self.allow_saml_uid_and_internal_password()
+ )
+
+ return ret
+
+ @api.multi
+ def set_allow_saml_uid_and_internal_password(self):
+ """Update the allow_saml_uid_and_internal_password setting. This
+ function is called when saving the form.
+ """
+
+ setting_value = (
+ '1' if self.allow_saml_uid_and_internal_password else '0'
+ )
+
+ config_obj = self.env['ir.config_parameter']
+ config_ids = config_obj.search(
+ [('key', '=', _SAML_UID_AND_PASS_SETTING)],
+ limit=1,
+ )
+
+ if config_ids:
+ config_ids.write({'value': setting_value})
+
+ else:
+ # The setting doesn't exist; create it.
+ config_obj.create(
+ {'key': _SAML_UID_AND_PASS_SETTING, 'value': setting_value},
+ )
diff --git a/auth_saml/models/res_users.py b/auth_saml/models/res_users.py
new file mode 100644
index 0000000000..afbfc06114
--- /dev/null
+++ b/auth_saml/models/res_users.py
@@ -0,0 +1,285 @@ +# -*- coding: utf-8 -*- + +import logging +# this is our very own dependency +import lasso +# this is an odoo8 dep so it should be present 'by default' +import passlib + +import openerp +from openerp import _ +from openerp import api +from openerp import models +from openerp import fields +from openerp import SUPERUSER_ID +from openerp.exceptions import ValidationError + +_logger = logging.getLogger(__name__) + + +class ResUser(models.Model): + """Add SAML login capabilities to Odoo users. + """ + + _inherit = 'res.users' + + saml_provider_id = fields.Many2one( + 'auth.saml.provider', + string='SAML Provider', + ) + saml_uid = fields.Char( + 'SAML User ID', + help="SAML Provider user_id", + ) + + @api.one + @api.constrains('password_crypt', 'password', 'saml_uid') + def check_no_password_with_saml(self): + """Ensure no Odoo user posesses both an SAML user ID and an Odoo + password. Except admin which is not constrained by this rule. + """ + if self._allow_saml_and_password(): + pass + + else: + # Super admin is the only user we allow to have a local password + # in the database + if ( + self.password_crypt and + self.saml_uid and + self.id is not SUPERUSER_ID + ): + raise ValidationError( + _("This database disallows users to have both passwords " + "and SAML IDs. 
Errors for login %s" % (self.login) + ) + ) + + _sql_constraints = [ + ( + 'uniq_users_saml_provider_saml_uid', + 'unique(saml_provider_id, saml_uid)', + 'SAML UID must be unique per provider' + ), + ] + + @api.multi + def _auth_saml_validate(self, provider_id, token): + """ return the validation data corresponding to the access token """ + + pobj = self.env['auth.saml.provider'] + p = pobj.browse(provider_id) + + # we are not yet logged in, so the userid cannot have access to the + # fields we need yet + login = p.sudo()._get_lasso_for_provider() + matching_attribute = p._get_matching_attr_for_provider() + + try: + login.processAuthnResponseMsg(token) + except (lasso.DsError, lasso.ProfileCannotVerifySignatureError): + raise Exception('Lasso Profile cannot verify signature') + except lasso.ProfileStatusNotSuccessError: + raise Exception('Profile Status Not Success Error') + except lasso.Error as e: + raise Exception(repr(e)) + + try: + login.acceptSso() + except lasso.Error as error: + raise Exception( + 'Invalid assertion : %s' % lasso.strError(error[0]) + ) + + attrs = {} + + for att_statement in login.assertion.attributeStatement: + for attribute in att_statement.attribute: + name = None + lformat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC + nickname = None + try: + name = attribute.name.decode('ascii') + except Exception as e: + _logger.warning('sso_after_response: error decoding name of \ + attribute %s' % attribute.dump()) + else: + try: + if attribute.nameFormat: + lformat = attribute.nameFormat.decode('ascii') + if attribute.friendlyName: + nickname = attribute.friendlyName + except Exception as e: + message = 'sso_after_response: name or format of an \ + attribute failed to decode as ascii: %s due to %s' + _logger.warning(message % (attribute.dump(), str(e))) + try: + if name: + if lformat: + if nickname: + key = (name, lformat, nickname) + else: + key = (name, lformat) + else: + key = name + attrs[key] = list() + for value in attribute.attributeValue: + 
content = [a.exportToXml() for a in value.any] + content = ''.join(content) + attrs[key].append(content.decode('utf8')) + except Exception as e: + message = 'sso_after_response: value of an \ + attribute failed to decode as ascii: %s due to %s' + _logger.warning(message % (attribute.dump(), str(e))) + + matching_value = None + for k in attrs: + if isinstance(k, tuple) and k[0] == matching_attribute: + matching_value = attrs[k][0] + break + + if not matching_value and matching_attribute == "subject.nameId": + matching_value = login.assertion.subject.nameId.content + + elif not matching_value and matching_attribute != "subject.nameId": + raise Exception( + "Matching attribute %s not found in user attrs: %s" % ( + matching_attribute, + attrs, + ) + ) + + validation = {'user_id': matching_value} + return validation + + @api.multi + def _auth_saml_signin(self, provider, validation, saml_response): + """ retrieve and sign into openerp the user corresponding to provider + and validated access token + + :param provider: saml provider id (int) + :param validation: result of validation of access token (dict) + :param saml_response: saml parameters response from the IDP + :return: user login (str) + :raise: openerp.exceptions.AccessDenied if signin failed + + This method can be overridden to add alternative signin methods. + """ + token_osv = self.env['auth_saml.token'] + saml_uid = validation['user_id'] + + user_ids = self.search( + [ + ("saml_uid", "=", saml_uid), + ('saml_provider_id', '=', provider), + ] + ) + + if not user_ids: + raise openerp.exceptions.AccessDenied() + + # TODO replace assert by proper raise... asserts do not execute in + # production code... 
+ assert len(user_ids) == 1 + user = user_ids[0] + + # now find if a token for this user/provider already exists + token_ids = token_osv.search( + [ + ('saml_provider_id', '=', provider), + ('user_id', '=', user.id), + ] + ) + + if token_ids: + token_ids.write( + {'saml_access_token': saml_response}, + ) + else: + token_osv.create( + { + 'saml_access_token': saml_response, + 'saml_provider_id': provider, + 'user_id': user.id, + }, + ) + + return user.login + + @api.model + def auth_saml(self, provider, saml_response): + + validation = self._auth_saml_validate(provider, saml_response) + + # required check + if not validation.get('user_id'): + raise openerp.exceptions.AccessDenied() + + # retrieve and sign in user + login = self._auth_saml_signin(provider, validation, saml_response) + + if not login: + raise openerp.exceptions.AccessDenied() + + # return user credentials + return self.env.cr.dbname, login, saml_response + + @api.model + def check_credentials(self, token): + """Override to handle SAML auths. + + The token can be a password if the user has used the normal form... + but we are more interested in the case when they are tokens + and the interesting code is inside the "except" clause. + """ + + try: + # Attempt a regular login (via other auth addons) first. 
+ super(ResUser, self).check_credentials(token) + + except ( + openerp.exceptions.AccessDenied, + passlib.exc.PasswordSizeError, + ): + # since normal auth did not succeed we now try to find if the user + # has an active token attached to his uid + res = self.env['auth_saml.token'].sudo().search( + [ + ('user_id', '=', self.env.user.id), + ('saml_access_token', '=', token), + ], + ) + + # if the user is not found we re-raise the AccessDenied + if not res: + # TODO: maybe raise a defined exception instead of the last + # exception that occurred in our execution frame + raise + + @api.multi + def write(self, vals): + """Override to clear out the user's password when setting an SAML user + ID (as they can't cohabit). + """ + + # Clear out the pass when: + # - An SAML ID is being set. + # - The user is not the Odoo admin. + # - The "allow both" setting is disabled. + if ( + vals and vals.get('saml_uid') and + self.id is not SUPERUSER_ID and + not self._allow_saml_and_password() + ): + vals.update({ + 'password': False, + 'password_crypt': False, + }) + + return super(ResUser, self).write(vals) + + @api.model + def _allow_saml_and_password(self): + + settings_obj = self.env['base.config.settings'] + return settings_obj.allow_saml_and_password() diff --git a/auth_saml/models/saml_token.py b/auth_saml/models/saml_token.py new file mode 100644 index 0000000000..d6bde1b49d --- /dev/null +++ b/auth_saml/models/saml_token.py 
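Review bot: `check_credentials` accepts any value equal to the stored `auth_saml.token.saml_access_token` as the user's password, and nothing in this hunk or in `models/saml_token.py` bounds that value's lifetime: `_auth_saml_signin` stores the raw SAML response and only replaces it at the next SAML login, and `auth_saml` hands the same value back to the caller as the credential, so a stored response keeps working as a static password until the user logs in through SAML again. Recording a creation time on the token and rejecting it in the `except` branch once it is older than the session lifetime, or deleting it on logout, would limit that window. In `check_no_password_with_saml` the `%` interpolation happens inside `_()`, so the already-interpolated string is looked up for translation and never matches the catalog entry; use `_("This database disallows users to have both passwords and SAML IDs. Errors for login %s") % self.login`. `self.id is not SUPERUSER_ID`, here and in `write`, compares integers by identity and only works because of CPython's small-integer caching; it should be `self.id != SUPERUSER_ID`. The `except lasso.Error as error` branch in `_auth_saml_validate` indexes `error[0]`, which presumably relies on lasso raising tuple-like exceptions; falling back to `str(error)` would avoid a secondary TypeError masking the original failure.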
@@ -0,0 +1,28 @@ +# -*- coding: utf-8 -*- + +import logging +from openerp import fields +from openerp import models + +_logger = logging.getLogger(__name__) + + +class SamlToken(models.Model): + _name = "auth_saml.token" + _rec_name = "user_id" + + saml_provider_id = fields.Many2one( + 'auth.saml.provider', + string='SAML Provider that issued the token', + ) + user_id = fields.Many2one( + 'res.users', + string="User", + # we want the token to be destroyed if the corresponding res.users + # is deleted + ondelete="cascade" + ) + saml_access_token = fields.Char( + 'Current SAML token for this user', + help="The current SAML token in use", + ) diff --git a/auth_saml/scripts/2.0-cleanup.sql b/auth_saml/scripts/2.0-cleanup.sql new file mode 100644 index 0000000000..564c887e79 --- /dev/null +++ b/auth_saml/scripts/2.0-cleanup.sql @@ -0,0 +1,2 @@ +--remove the old column from res.users +ALTER TABLE res_users DROP COLUMN IF EXISTS saml_access_token; diff --git a/auth_saml/scripts/clear_passwords.sql b/auth_saml/scripts/clear_passwords.sql new file mode 100644 index 0000000000..ea2ec8021e --- /dev/null +++ b/auth_saml/scripts/clear_passwords.sql @@ -0,0 +1,5 @@ +-- When migrating to a version of "auth_saml" > 2.0, a constraint (optional) has been added to +-- ensure no Odoo user posesses both an SAML user ID and an Odoo password. +-- Run this script to clear passwords of Odoo users that already have an SAML user ID. + +UPDATE res_users SET password = NULL WHERE password IS NOT NULL AND saml_uid IS NOT NULL; diff --git a/auth_saml/security/ir.model.access.csv b/auth_saml/security/ir.model.access.csv new file mode 100644 index 0000000000..5d1be90239 --- /dev/null +++ b/auth_saml/security/ir.model.access.csv 
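Review bot: `auth_saml.token` has no uniqueness constraint on (`saml_provider_id`, `user_id`), yet the sign-in code in the preceding res_users.py hunk searches on exactly that pair and then writes the new token into whatever it finds, so duplicate rows can accumulate and all of them would be overwritten on each login; a constraint such as `_sql_constraints = [('provider_user_uniq', 'unique(saml_provider_id, user_id)', 'One SAML token per user and provider')]` would make the model enforce what the caller assumes. The stored `saml_access_token` is later compared verbatim in `check_credentials` (previous hunk), so it acts as a reusable credential with no expiry field; a creation timestamp on the model would at least let a later check bound its lifetime. `_logger` is defined but never used in this file.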
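Review bot: The migration script only nulls `password`, while the `write` override in res_users.py (previous hunk) clears both `password` and `password_crypt`, and the README states `auth_crypt` is required; on such installs users with a `saml_uid` would keep a usable hashed password in `password_crypt`, defeating the stated goal that a user not hold both. If `auth_crypt` is indeed present, the statement should be `UPDATE res_users SET password = NULL, password_crypt = NULL WHERE saml_uid IS NOT NULL AND (password IS NOT NULL OR password_crypt IS NOT NULL);`. The header comment also misspells "possesses" as "posesses".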
@@ -0,0 +1,4 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_auth_saml_provider,auth_saml_provider,model_auth_saml_provider,base.group_system,1,1,1,1 +access_auth_saml_token,access_auth_saml_token,model_auth_saml_token,,0,0,0,0 +auth_saml_provider_erp_manager_access,auth_saml_provider_erp_manager_access,model_auth_saml_provider,base.group_erp_manager,1,0,0,0 diff --git a/auth_saml/static/description/index.html b/auth_saml/static/description/index.html new file mode 100755 index 0000000000..5f38fe3628 --- /dev/null +++ b/auth_saml/static/description/index.html @@ -0,0 +1,82 @@ +License: AGPL-3 +
+

SAML2 authentication

+

Let users log into Odoo via an SAML2 provider.

+

This module allows to deport the management of users and passwords in an +external authentication system to provide SSO functionality (Single Sign On) +between Odoo and other applications of your ecosystem.

+
+
WARNING: this module requires auth_crypt. This is because you still have the
+
option if not recommended to allow users to have a password stored in odoo +at the same time as having a SALM provider and id.
+
+
+

Benefits

+
    +
  • Reducing the time spent typing different passwords for different accounts.
  • +
  • Reducing the time spent in IT support for password oversights.
  • +
  • Centralizing authentication systems.
  • +
  • Securing all input levels / exit / access to multiple systems without +prompting users.
  • +
  • The centralization of access control information for compliance testing to +different standards.
  • +
+
+
+

Installation

+

Install as you would install any Odoo addon.

+
+

Dependencies

+

This addon requires lasso.

+
+
+
+

Configuration

+

There are SAML-related settings in Configuration > General settings.

+
+
+

Usage

+

To use this module, you need an authentic2 server, properly set up. +Read the doc at documentation/index.rst for more information.

+
+
+

Demo

+Try me on Runbot +
+
+

Known issues / Roadmap

+

None for now.

+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed feedback here.

+
+
+

Credits

+
+

Contributors

+

In order of appearance:

+
+ +
+
+
+

Maintainer

+Odoo Community Association +

This module is maintained by the OCA.

+

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

To contribute to this module, please visit http://odoo-community.org.

+
+
+
+ diff --git a/auth_saml/tests/__init__.py b/auth_saml/tests/__init__.py new file mode 100644 index 0000000000..85305d3973 --- /dev/null +++ b/auth_saml/tests/__init__.py @@ -0,0 +1,3 @@ +# flake8: noqa + +from . import test_auth_saml diff --git a/auth_saml/tests/test_auth_saml.py b/auth_saml/tests/test_auth_saml.py new file mode 100644 index 0000000000..aff072ae5d --- /dev/null +++ b/auth_saml/tests/test_auth_saml.py @@ -0,0 +1,20 @@ +import openerp.tests + +from .util.odoo_tests import TestBase +from .util.singleton import Singleton + + +class TestMemory(object): + """Keep records in memory across tests.""" + __metaclass__ = Singleton + + +@openerp.tests.common.at_install(False) +@openerp.tests.common.post_install(True) +class Test(TestBase): + + def setUp(self): + super(Test, self).setUp() + self.memory = TestMemory() + + # TODO Tests. diff --git a/auth_saml/tests/util/__init__.py b/auth_saml/tests/util/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/auth_saml/tests/util/odoo_tests.py b/auth_saml/tests/util/odoo_tests.py new file mode 100644 index 0000000000..5bf665853c --- /dev/null +++ b/auth_saml/tests/util/odoo_tests.py 
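Review bot: `Test` defines `setUp` and the post-install decorators but no test method, so the class runs nothing and the `TestMemory` singleton is unused; the module's two authentication paths visible on this page (`check_credentials` falling back to a stored token, and `write` clearing the password when a `saml_uid` is set) therefore have no coverage. A first test could assert that `check_credentials` raises `AccessDenied` for a token that matches no `auth_saml.token` row, and that writing `saml_uid` on a non-admin user leaves `password` falsy when the "allow both" setting is off.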
@@ -0,0 +1,47 @@ +"""Utilities useful to Odoo tests. +""" + +import openerp.models +import openerp.tests + + +class TestBase(openerp.tests.SingleTransactionCase): + """Provide some test helpers. + """ + + def createAndTest(self, model, value_list): + """Create records of the specified Odoo model using the specified + values, and ensure afterwards that records have been succesfully + created and that their values are the same as expected. + + :return: The created records. + :rtype: List of openerp.models.BaseModel instances. + """ + + records = [] + + for values in value_list: + + # Maintain a local copy as Odoo calls might modify it... + local_values = values.copy() + + record = self.env[model].create(values) + records.append(record) + + self.assertIsInstance(record, openerp.models.BaseModel) + + for field, value in local_values.iteritems(): + + recorded_value = getattr(record, field) + + # Handle relational fields (Odoo record-sets). + if isinstance(recorded_value, openerp.models.BaseModel): + if isinstance(recorded_value, (tuple, list)): + self.assertEqual(recorded_value.ids, value) + else: + self.assertEqual(recorded_value.id, value) + + else: + self.assertEqual(recorded_value, value) + + return records diff --git a/auth_saml/tests/util/singleton.py b/auth_saml/tests/util/singleton.py new file mode 100644 index 0000000000..e7e1caaf4a --- /dev/null +++ b/auth_saml/tests/util/singleton.py 
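Review bot: In `createAndTest` the inner `isinstance(recorded_value, (tuple, list))` check is nested inside the `isinstance(recorded_value, openerp.models.BaseModel)` branch, so it can never be true (a recordset is not a tuple or list) and every relational field falls through to `recorded_value.id`, which presumably fails on a multi-record x2many value. Deciding on the expected value instead, `if isinstance(value, (tuple, list)):` followed by the existing `self.assertEqual(recorded_value.ids, value)`, reaches the `.ids` comparison the author intended. The docstring also misspells "successfully" as "succesfully".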
@@ -0,0 +1,30 @@ +class Singleton(type): + """ + This is a neat singleton pattern. This was found in a comment on this page: + http://www.garyrobinson.net/2004/03/python_singleto.html + + to use this, example : + >>> class C(object): + ... __metaclass__ = Singleton + ... def __init__(self, foo): + ... self.foo = foo + + >>> C('bar').foo + 'bar' + + >>> C().foo + 'bar' + + and your class C is now a singleton, and it is safe to use + the __init__ method as you usually do... + """ + + def __init__(cls, name, bases, dic): + super(Singleton, cls).__init__(name, bases, dic) + cls.instance = None + + def __call__(mcs, *args, **kw): + if mcs.instance is None: + mcs.instance = super(Singleton, mcs).__call__(*args, **kw) + + return mcs.instance diff --git a/auth_saml/tests/util/uuidgen.py b/auth_saml/tests/util/uuidgen.py new file mode 100644 index 0000000000..b9804899fb --- /dev/null +++ b/auth_saml/tests/util/uuidgen.py @@ -0,0 +1,22 @@ +"""Utilities to handle unique ID generation. +""" + +import uuid + + +def genUuid(max_chars=None): + """Generate a unique ID and return its hex string representation. + + :param max_chars: Maximum amount of characters to return (might not be a + true UUID then...). + :type max_chars: Integer. + + :rtype: String. + """ + + ret = uuid.uuid4().hex + + if max_chars is not None: + ret = ret[:max_chars] + + return ret diff --git a/auth_saml/views/auth_saml.xml b/auth_saml/views/auth_saml.xml new file mode 100644 index 0000000000..fa4cc46842 --- /dev/null +++ b/auth_saml/views/auth_saml.xml @@ -0,0 +1,71 @@ + + + + + + + + + + + + + auth.saml.provider.list + auth.saml.provider + + + + + + + + + + auth.saml.provider.form + auth.saml.provider + +
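Review bot: In `Singleton.__call__` the first parameter is named `mcs`, but it is bound to the class being instantiated (the same object `__init__` calls `cls`), not to the metaclass, so the name misleads readers and is inconsistent within the file. Renaming it to `cls`, as in `def __call__(cls, *args, **kw):` with `cls.instance` inside, matches `__init__` and the usual metaclass convention. The docstring example is a reasonable illustration but could state explicitly that the second call's arguments are ignored once an instance exists.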
+ + + + + + + + + + + + + +
+
+
+ + + + + Providers + auth.saml.provider + form + tree,form + + + +
+
diff --git a/auth_saml/views/base_settings.xml b/auth_saml/views/base_settings.xml new file mode 100644 index 0000000000..8bb25df4ed --- /dev/null +++ b/auth_saml/views/base_settings.xml @@ -0,0 +1,25 @@ + + + + + + + + auth_saml_base_settings_form + base.config.settings + + + + +
+ +
+
+ +
+
+ +
+
diff --git a/auth_saml/views/res_users.xml b/auth_saml/views/res_users.xml new file mode 100644 index 0000000000..1c677ff0a1 --- /dev/null +++ b/auth_saml/views/res_users.xml @@ -0,0 +1,26 @@ + + + + + + + + res.users.form + res.users + form + + + + + + + + + + + + + + + + From 092fea84f53a34ab1f7bdab4a033e8d41d2f1ca0 Mon Sep 17 00:00:00 2001 From: Maxime Chambreuil Date: Mon, 26 Mar 2018 14:21:11 -0600 Subject: [PATCH 02/60] [MIG] auth_saml: Migration to 11.0 --- auth_saml/LICENSE | 661 ++++++++++++++++++++++++ auth_saml/__init__.py | 2 +- auth_saml/__manifest__.py | 30 ++ auth_saml/__openerp__.py | 53 -- auth_saml/controllers/__init__.py | 2 +- auth_saml/controllers/main.py | 63 ++- auth_saml/data/auth_saml.xml | 130 +++-- auth_saml/data/ir_config_parameter.xml | 18 +- auth_saml/doc/autotodo.py | 26 +- auth_saml/doc/conf.py | 22 +- auth_saml/models/__init__.py | 2 +- auth_saml/models/auth_saml.py | 17 +- auth_saml/models/base_settings.py | 75 +-- auth_saml/models/res_users.py | 125 ++--- auth_saml/models/saml_token.py | 7 +- auth_saml/static/description/index.html | 7 +- auth_saml/tests/__init__.py | 2 +- auth_saml/tests/test_auth_saml.py | 11 +- auth_saml/tests/util/odoo_tests.py | 10 +- auth_saml/views/auth_saml.xml | 121 +++-- auth_saml/views/base_settings.xml | 41 +- auth_saml/views/res_users.xml | 43 +- 22 files changed, 1010 insertions(+), 458 deletions(-) create mode 100644 auth_saml/LICENSE create mode 100644 auth_saml/__manifest__.py delete mode 100644 auth_saml/__openerp__.py diff --git a/auth_saml/LICENSE b/auth_saml/LICENSE new file mode 100644 index 0000000000..dba13ed2dd --- /dev/null +++ b/auth_saml/LICENSE 
@@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. 
+The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. 
+ + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. 
+ + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. 
The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. 
+ + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. 
+ + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. 
For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. 
Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. 
+ + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. 
+ + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. 
Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. 
+ + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. 
+ + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. 
+ + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. 
+ + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. 
There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/auth_saml/__init__.py b/auth_saml/__init__.py index 66ecd5d658..c55325ead5 100644 --- a/auth_saml/__init__.py +++ b/auth_saml/__init__.py @@ -1,4 +1,4 @@ -# flake8: noqa +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). from . import controllers from . import models diff --git a/auth_saml/__manifest__.py b/auth_saml/__manifest__.py new file mode 100644 index 0000000000..06adb687bd --- /dev/null +++ b/auth_saml/__manifest__.py @@ -0,0 +1,30 @@ +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). + +{ + 'name': 'Saml2 Authentication', + 'version': '11.0.1.0.0', + 'category': 'Tools', + 'author': 'XCG Consulting, Odoo Community Association (OCA)', + 'maintainer': 'XCG Consulting', + 'website': 'http://odoo.consulting', + 'license': 'AGPL-3', + 'depends': [ + 'base_setup', + 'web', + 'auth_crypt', + ], + 'data': [ + 'data/auth_saml.xml', + 'data/ir_config_parameter.xml', + 'security/ir.model.access.csv', + 'views/auth_saml.xml', + 'views/base_settings.xml', + 'views/res_users.xml', + ], + 'installable': True, + 'auto_install': False, + 'external_dependencies': { + 'python': ['lasso'], + }, +} diff --git a/auth_saml/__openerp__.py b/auth_saml/__openerp__.py deleted file mode 100644 index 7300fee2d4..0000000000 --- a/auth_saml/__openerp__.py +++ /dev/null 
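Review bot: The new `__manifest__.py` keeps `'auth_crypt'` in `'depends'` while bumping `'version'` to `'11.0.1.0.0'`; if the target release no longer ships `auth_crypt` as a standalone addon (its password hashing was folded into `base`), installation fails on the unknown dependency before any of the migrated code runs. Worth checking against the target addons tree and, if so, dropping the entry, since the `password_crypt` checks in `res_users.py` only need `base`. A one-line comment on the `'external_dependencies'` entry saying what `lasso` is used for, e.g. `# SAML2 assertion parsing and signature validation`, would help deployers who have to provision it.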
@@ -1,53 +0,0 @@ -# -*- coding: utf-8 -*- -############################################################################## -# -# Saml2 Authentication for Odoo -# Copyright (C) 2010-2016 XCG Consulting -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## - - -{ - 'name': 'Saml2 Authentication', - 'version': '3.0', - 'category': 'Tools', - 'author': 'XCG Consulting, Odoo Community Association (OCA)', - 'maintainer': 'XCG Consulting', - 'website': 'http://odoo.consulting', - 'license': 'AGPL-3', - 'depends': [ - 'base', - 'base_setup', - 'web', - 'auth_crypt', - ], - - 'data': [ - 'data/auth_saml.xml', - 'data/ir_config_parameter.xml', - - 'security/ir.model.access.csv', - - 'views/auth_saml.xml', - 'views/base_settings.xml', - 'views/res_users.xml', - ], - 'installable': True, - 'auto_install': False, - 'external_dependencies': { - 'python': ['lasso'], - }, -} diff --git a/auth_saml/controllers/__init__.py b/auth_saml/controllers/__init__.py index 6663c573bf..2a3e5d5654 100644 --- a/auth_saml/controllers/__init__.py +++ b/auth_saml/controllers/__init__.py @@ -1,3 +1,3 @@ -# flake8: noqa +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). from . import main diff --git a/auth_saml/controllers/main.py b/auth_saml/controllers/main.py index 37a82c90d6..c2251ab444 100644 --- a/auth_saml/controllers/main.py 
+++ b/auth_saml/controllers/main.py @@ -1,20 +1,21 @@ -# -*- coding: utf-8 -*- +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). import functools import logging -import simplejson +import json as simplejson import werkzeug.utils -import openerp -from openerp import _ -from openerp import http -from openerp.http import request -from openerp import SUPERUSER_ID -# import openerp.addons.web.http as oeweb -from openerp.addons.web.controllers.main import set_cookie_and_redirect -from openerp.addons.web.controllers.main import ensure_db -from openerp.addons.web.controllers.main import login_and_redirect +import odoo +from odoo import api, _, http, SUPERUSER_ID +from odoo.http import request +from odoo import registry as registry_get +from odoo.addons.web.controllers.main import set_cookie_and_redirect +from odoo.addons.web.controllers.main import ensure_db +from odoo.addons.web.controllers.main import login_and_redirect +from odoo.addons.web.controllers.main import Home + _logger = logging.getLogger(__name__) @@ -47,15 +48,13 @@ def wrapper(self, req, **kw): # ---------------------------------------------------------- -class SAMLLogin(openerp.addons.web.controllers.main.Home): +class SAMLLogin(Home): def list_providers(self): try: - provider_obj = request.registry.get('auth.saml.provider') - providers = provider_obj.search_read( - request.cr, SUPERUSER_ID, [('enabled', '=', True)] - ) - except Exception, e: + providers = request.env['auth.saml.provider'].sudo().search_read( + [('enabled', '=', True)]) + except Exception as e: _logger.exception("SAML2: %s" % str(e)) providers = [] @@ -129,7 +128,6 @@ def get_auth_request(self, pid): """ provider_id = int(pid) - provider_osv = request.registry.get('auth.saml.provider') auth_request = None 
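Review bot: `request.env['auth.saml.provider'].sudo().search_read([('enabled', '=', True)])` in the `@@ -47` hunk selects every column of the provider model under superuser and hands the result to a handler that serves the anonymous login page; the old code did the same, but the rewrite is the moment to pass a `fields=[...]` list naming only what the login template renders, so metadata and any key material the model stores never reach this path. In the header hunk, `import json as simplejson` reads as if the third-party package were still in use; importing it as `json` and renaming the two call sites keeps the migration honest. `_logger.exception("SAML2: %s" % str(e))` could also use lazy arguments, `_logger.exception("SAML2: %s", e)`, matching the logging idiom used elsewhere in Odoo.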
@@ -138,11 +136,11 @@ def get_auth_request(self, pid): state = self.get_state(provider_id) try: - auth_request = provider_osv._get_auth_request( - request.cr, SUPERUSER_ID, provider_id, state - ) + auth_request = request.env[ + 'auth.saml.provider'].sudo()._get_auth_request(provider_id, + state) - except Exception, e: + except Exception as e: _logger.exception("SAML2: %s" % str(e)) # TODO: handle case when auth_request comes back as None @@ -172,12 +170,14 @@ def signin(self, req, **kw): state = simplejson.loads(kw['RelayState']) provider = state['p'] - - with request.registry.cursor() as cr: + dbname = state['d'] + context = state.get('c', {}) + registry = registry_get(dbname) + with registry.cursor() as cr: try: - u = request.registry.get('res.users') - credentials = u.auth_saml( - cr, SUPERUSER_ID, provider, saml_response + env = api.Environment(cr, SUPERUSER_ID, context) + credentials = env['res.users'].sudo().auth_saml( + provider, saml_response ) cr.commit() action = state.get('a') @@ -187,16 +187,15 @@ def signin(self, req, **kw): url = '/#action=%s' % action elif menu: url = '/#menu_id=%s' % menu - return login_and_redirect(*credentials, redirect_url=url) - except AttributeError, e: + except AttributeError as e: # auth_signup is not installed _logger.error("auth_signup not installed on database " "saml sign up cancelled.") url = "/#action=login&saml_error=1" - except openerp.exceptions.AccessDenied: + except odoo.exceptions.AccessDenied: # saml credentials not valid, # user could be on a temporary session _logger.info('SAML2: access denied, redirect to main page ' @@ -208,11 +207,9 @@ def signin(self, req, **kw): redirect.autocorrect_location_header = False return redirect - except Exception, e: + except Exception as e: # signup error _logger.exception("SAML2: %s" % str(e)) url = "/#action=login&saml_error=2" return set_cookie_and_redirect(url) - -# vim:expandtab:tabstop=4:softtabstop=4:shiftwidth=4: 
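Review bot: `dbname = state['d']` and `context = state.get('c', {})` in the `@@ -172` hunk come from `RelayState`, which is round-tripped through the browser and the IdP, so the caller controls both the database name handed to `registry_get(dbname)` and the context dict handed to `api.Environment(cr, SUPERUSER_ID, context)`; `ensure_db` does not cover this path because the database is taken from the parameter, not the session. Before opening the registry, check the name against the server's database filter, e.g. `if not http.db_filter([dbname]): return werkzeug.exceptions.BadRequest()` (`http` is already imported; `werkzeug.exceptions` would need importing), and pass only the context keys the login flow needs rather than the whole decoded object. `signin` begins outside these hunks.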
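Review bot: The `@@ -187` hunk removes `return login_and_redirect(*credentials, redirect_url=url)` without a replacement, so after a valid SAML response `credentials` is computed and `url` chosen but control falls through to the `return set_cookie_and_redirect(url)` shown as context in the `@@ -208` hunk; the browser is redirected without a session being opened, and `login_and_redirect`, still imported in the header hunk, is unused. If the old flow is intended, restore `return login_and_redirect(*credentials, redirect_url=url)` inside the `try` right after the `url` selection. The enclosing function `signin` starts outside these hunks.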
diff --git a/auth_saml/data/auth_saml.xml b/auth_saml/data/auth_saml.xml index a4af56921e..fb3756d416 100644 --- a/auth_saml/data/auth_saml.xml +++ b/auth_saml/data/auth_saml.xml 
@@ -1,65 +1,64 @@ - - - - Local Authentic server - - - - - - - MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV - BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV - MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB - CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp - 06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh - ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr - kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi - VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG - Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0 - fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh - GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD - AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE - IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo - fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp - lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT - JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j - o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy - - - - - - - - - - - - ]]> - - + + + Local Authentic server + + + + + + + MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV + BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV + MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp + 06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh + ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr + kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi + VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG + Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0 + fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh + GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD + 
AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE + IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo + fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp + lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT + JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j + o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy + + + + + + + + + + + + ]]> + + - - 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 + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + xmlns:ds="http://www.w3.org/2000/09/xmldsig#" + entityID="http://localhost:8069/metadata"> + + MIID7jCCA1egAwIBAgIBATANBgkqhkiG9w0BAQUFADCBkzELMAkGA1UEBhMCRlIxDDAKBgNVBAgTA0lERjEOMAwGA1UEBxMFUGFyaXMxDDAKBgNVBAoTA1hDRzEMMAoGA1UECxMDRFNJMQswCQYDVQQDEwJDQTEOMAwGA1UEKRMFWENHQ0ExLTArBgkqhkiG9w0BCQEWHmZsb3JlbnQuYWlkZUB4Y2ctY29uc3VsdGluZy5mcjAgFw0xMzEyMTcxMjExNTJaGA8yMjg3MTAwMTEyMTE1MlowgZUxCzAJBgNVBAYTAkZSMQwwCgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMQwwCgYDVQQKEwNYQ0cxDDAKBgNVBAsTA0RTSTEMMAoGA1UEAxMDc3AxMQ8wDQYDVQQpEwZYQ0dTUDExLTArBgkqhkiG9w0BCQEWHmZsb3JlbnQuYWlkZUB4Y2ctY29uc3VsdGluZy5mcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzmzLtPlT6yJOomYstLom6XstTD8E5FQKfPP7UxTcRMXuJynFBSSl6SRVPpUKZQ8maNxOygdeZ5J6vBk2mZEnvk25ZTsXjJDnNZffswi8g/Naxadvh+5kkEx5hjILPTA5jMf7sS/7Am3Kd46vlEIov3OTd2Wh8SII1WgbFLOpy/0CAwEAAaOCAUowggFGMAkGA1UdEwQCMAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPfwm8rjPco3WlV5ntveqm9+Z0iQwgcgGA1UdIwSBwDCBvYAUs++X2JBKjwPYDr7bTZL8ph6fIuShgZmkgZYwgZMxCzAJBgNVBAYTAkZSMQwwCgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMQwwCgYDVQQKEwNYQ0cxDDAKBgNVBAsTA0RTSTELMAkGA1UEAxMCQ0ExDjAMBgNVBCkTBVhDR0NBMS0wKwYJKoZIhvcNAQkBFh5mbG9yZW50LmFpZGVAeGNnLWNvbnN1bHRpbmcuZnKCCQCSGwHzqKuCBjATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQEFBQADgYEAU7Whu+ZAtIVEtTFCKl/EEWBg7I2m40UqYg/AnU6bPnLkBRXdWdBcP+jwPDh9xjAN07FehWBFGJdaa9p2GBfzkdLF0lJoNda98SYRQKaam53SZ7MIu1newG6joOPJqcliFTAsODGnRwD1dm+p2i6jUI2yiDbXi9ACkKdWfsa88Io= - - 
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - - - Example SAML 2.0 metadatas - + +urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + Example SAML 2.0 metadatas + ]]> - - + - - zocial saml - Log in with Authentic - - - - + ]]> + + zocial saml + Log in with Authentic + + + diff --git a/auth_saml/data/ir_config_parameter.xml b/auth_saml/data/ir_config_parameter.xml index ce3c1c16a7..ce2d358f2f 100644 --- a/auth_saml/data/ir_config_parameter.xml +++ b/auth_saml/data/ir_config_parameter.xml @@ -1,13 +1,11 @@ - - - + + - + - - auth_saml.allow_saml.uid_and_internal_password - 0 - + + auth_saml.allow_saml.uid_and_internal_password + 0 + - - + diff --git a/auth_saml/doc/autotodo.py b/auth_saml/doc/autotodo.py index ca40437494..6a8cc72db0 100644 --- a/auth_saml/doc/autotodo.py +++ b/auth_saml/doc/autotodo.py @@ -1,23 +1,5 @@ -# -*- coding: utf-8 -*- -############################################################################## -# -# OpenERP, Open Source Management Solution -# Copyright (C) 2014 XCG Consulting -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# -############################################################################## +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). import os import os.path 
@@ -34,7 +16,7 @@ def main(): tags = sys.argv[3].split(',') todolist = {tag: [] for tag in tags} - os.path.walk(folder, scan_folder, (exts, tags, todolist)) + os.path.walk(folder, scan_folder, exts, tags, todolist) create_autotodo(folder, todolist) @@ -86,7 +68,7 @@ def create_autotodo(folder, todolist): write_info(f, info, folder) -def scan_folder((exts, tags, res), dirname, names): +def scan_folder(exts, tags, res, dirname, names): file_info = {} for name in names: (root, ext) = os.path.splitext(name) diff --git a/auth_saml/doc/conf.py b/auth_saml/doc/conf.py index aacc89ed8a..b09f5992e8 100644 --- a/auth_saml/doc/conf.py +++ b/auth_saml/doc/conf.py @@ -1,6 +1,5 @@ -# -*- coding: utf-8 -*- - -# flake8: noqa +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). # # SAML2 authentication build configuration file, created by @@ -19,7 +18,6 @@ import sys import os -import openerp # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the 
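Review bot: `os.path.walk(folder, scan_folder, exts, tags, todolist)` in the `@@ -34` hunk cannot run on either interpreter: `os.path.walk` takes exactly `(path, visit, arg)` on Python 2 and no longer exists on Python 3, which the rest of this patch targets. With `scan_folder` now declared as `scan_folder(exts, tags, res, dirname, names)` in the second hunk, the equivalent is `for dirname, _dirs, names in os.walk(folder):` followed by `    scan_folder(exts, tags, todolist, dirname, names)`. Both `main` and `scan_folder` continue outside their hunks.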
@@ -310,23 +308,27 @@ # odoo-sphinx-autodoc # -# sphinxodoo_addons : List of addons name to load (if empty, no addon will be loaded) -this_module = os.path.basename(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) +# sphinxodoo_addons : List of addons name to load (if empty, no addon will be loaded) # noqa +this_module = os.path.basename( + os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) sphinxodoo_addons = [this_module] # sphinxodoo_root_path : Path of the Odoo root directory -# sphinxodoo_root_path = os.path.dirname(os.path.dirname(os.path.abspath(openerp.__file__))) +# sphinxodoo_root_path = os.path.dirname(os.path.dirname(os.path.abspath(openerp.__file__))) # noqa # TODO Fix this. sphinxodoo_root_path = '/home/habba/Dev/OpenERP/sources/odoo8' # sphinxodoo_addons_path : List of paths were Odoo addons to load are located -superproject_path = os.path.dirname(os.path.dirname(os.path.dirname(os.getenv('PWD')))) +superproject_path = os.path.dirname( + os.path.dirname(os.path.dirname(os.getenv('PWD')))) with open(os.path.join(superproject_path, 'odoo_type')) as f: odoo_type = f.read() sphinxodoo_addons_path = [] if odoo_type.strip() == 'bzr': - sphinxodoo_addons_path.append(os.path.join(os.getenv('HOME'), 'src', 'openobject-addons')) - sphinxodoo_addons_path.append(os.path.join(os.getenv('HOME'), 'src', 'openerp-web', 'addons')) + sphinxodoo_addons_path.append( + os.path.join(os.getenv('HOME'), 'src', 'openobject-addons')) + sphinxodoo_addons_path.append( + os.path.join(os.getenv('HOME'), 'src', 'openerp-web', 'addons')) else: sphinxodoo_addons_path.append(os.path.join(sphinxodoo_root_path, 'addons')) diff --git a/auth_saml/models/__init__.py b/auth_saml/models/__init__.py index 8f75d153e3..106f0db8c3 100644 --- a/auth_saml/models/__init__.py +++ b/auth_saml/models/__init__.py @@ -1,4 +1,4 @@ -# flake8: noqa +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). from . import auth_saml from . import base_settings 
diff --git a/auth_saml/models/auth_saml.py b/auth_saml/models/auth_saml.py index 071ce77fb5..6d93890309 100644 --- a/auth_saml/models/auth_saml.py +++ b/auth_saml/models/auth_saml.py @@ -1,11 +1,16 @@ -# -*- coding: utf-8 -*- +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -import lasso -import simplejson +import logging +import json as simplejson -from openerp import api -from openerp import fields -from openerp import models +from odoo import api, fields, models + +_logger = logging.getLogger(__name__) +try: + import lasso +except ImportError: + _logger.debug('Cannot `import lasso`.') class AuthSamlProvider(models.Model): diff --git a/auth_saml/models/base_settings.py b/auth_saml/models/base_settings.py index 392bedb5a8..d5cc802cc0 100644 --- a/auth_saml/models/base_settings.py +++ b/auth_saml/models/base_settings.py @@ -1,15 +1,14 @@ -# -*- coding: utf-8 -*- +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -from openerp import fields -from openerp import models -from openerp import api +from odoo import api, fields, models _SAML_UID_AND_PASS_SETTING = 'auth_saml.allow_saml.uid_and_internal_password' -class BaseSettings(models.TransientModel): - """Inherit from base.config.settings to add a setting. This is only here +class ResConfigSettings(models.TransientModel): + """Inherit from res.config.settings to add a setting. This is only here for easier access; the setting is not actually stored by this (transient) collection. Instead, it is kept in sync with the "auth_saml.allow_saml.uid_and_internal_password" global setting. See 
@@ -17,13 +16,11 @@ class BaseSettings(models.TransientModel): details. """ - _inherit = 'base.config.settings' + _inherit = 'res.config.settings' allow_saml_uid_and_internal_password = fields.Boolean( - ( - 'Allow SAML users to posess an Odoo password (warning: ' - 'decreases security)' - ), + string='Allow SAML users to posess an Odoo password ' + '(warning: decreases security)' ) # take care to name the function with another name to not clash with column @@ -35,9 +32,7 @@ def allow_saml_and_password(self): config_obj = self.env['ir.config_parameter'] config_objs = config_obj.sudo().search( - [('key', '=', _SAML_UID_AND_PASS_SETTING)], - limit=1, - ) + [('key', '=', _SAML_UID_AND_PASS_SETTING)], limit=1) # no configuration found reply with default value if len(config_objs) == 0: 
@@ -45,42 +40,20 @@ def allow_saml_and_password(self): return (True if config_objs.value == '1' else False) - @api.multi - def get_default_allow_saml_uid_and_internal_password(self, fields): - """Read the allow_saml_uid_and_internal_password setting. This function - is called when the form is shown. - """ - - ret = {} - - if 'allow_saml_uid_and_internal_password' in fields: - ret['allow_saml_uid_and_internal_password'] = ( - self.allow_saml_uid_and_internal_password() - ) - - return ret + @api.model + def get_values(self): + res = super(ResConfigSettings, self).get_values() + get_param = self.env['ir.config_parameter'].sudo().get_param + res.update(allow_saml_uid_and_internal_password=get_param( + 'auth_saml.allow_saml_uid_and_internal_password')) + return res @api.multi - def set_allow_saml_uid_and_internal_password(self): - """Update the allow_saml_uid_and_internal_password setting. This - function is called when saving the form. - """ - - setting_value = ( - '1' if self.allow_saml_uid_and_internal_password else '0' - ) - - config_obj = self.env['ir.config_parameter'] - config_ids = config_obj.search( - [('key', '=', _SAML_UID_AND_PASS_SETTING)], - limit=1, - ) - - if config_ids: - config_ids.write({'value': setting_value}) - - else: - # The setting doesn't exist; create it. - config_obj.create( - {'key': _SAML_UID_AND_PASS_SETTING, 'value': setting_value}, - ) + def set_values(self): + super(ResConfigSettings, self).set_values() + set_param = self.env['ir.config_parameter'].sudo().set_param + if self.allow_saml_uid_and_internal_password: + self.allow_saml_uid_and_internal_password = \ + self.allow_saml_and_password() + set_param('auth_saml.allow_saml_uid_and_internal_password', + repr(self.allow_saml_uid_and_internal_password)) diff --git a/auth_saml/models/res_users.py b/auth_saml/models/res_users.py index afbfc06114..d0b7e7fcdd 100644 --- a/auth_saml/models/res_users.py +++ b/auth_saml/models/res_users.py 
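Review bot: `get_values` and `set_values` in the `@@ -45` hunk use the literal key `'auth_saml.allow_saml_uid_and_internal_password'`, while `allow_saml_and_password()` (context above) and the record seeded by `data/ir_config_parameter.xml` use `_SAML_UID_AND_PASS_SETTING`, i.e. `'auth_saml.allow_saml.uid_and_internal_password'`, so the settings form reads and writes a parameter the enforcement never consults; this is the switch that decides whether SAML-mapped users may also keep a local password, and the admin's choice silently has no effect. `get_param` also returns a string (`'0'` is truthy when assigned to the Boolean field), and `set_values` replaces the submitted value with the stored one before saving, so the box can never be switched on. Using the module constant with an explicit `'1'`/`'0'` encoding, as below, keeps the three readers consistent.
```python
    @api.model
    def get_values(self):
        res = super(ResConfigSettings, self).get_values()
        get_param = self.env['ir.config_parameter'].sudo().get_param
        # Same key the data file seeds and allow_saml_and_password() reads.
        res.update(
            allow_saml_uid_and_internal_password=(
                get_param(_SAML_UID_AND_PASS_SETTING, default='0') == '1'))
        return res

    @api.multi
    def set_values(self):
        super(ResConfigSettings, self).set_values()
        set_param = self.env['ir.config_parameter'].sudo().set_param
        set_param(_SAML_UID_AND_PASS_SETTING,
                  '1' if self.allow_saml_uid_and_internal_password else '0')
```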
@@ -1,21 +1,19 @@ -# -*- coding: utf-8 -*- +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). import logging -# this is our very own dependency -import lasso -# this is an odoo8 dep so it should be present 'by default' import passlib -import openerp -from openerp import _ -from openerp import api -from openerp import models -from openerp import fields -from openerp import SUPERUSER_ID -from openerp.exceptions import ValidationError +from odoo import api, fields, models, _, SUPERUSER_ID +from odoo.exceptions import ValidationError, AccessDenied _logger = logging.getLogger(__name__) +try: + import lasso +except ImportError: + _logger.debug('Cannot `import lasso`.') + class ResUser(models.Model): """Add SAML login capabilities to Odoo users. @@ -32,7 +30,6 @@ class ResUser(models.Model): help="SAML Provider user_id", ) - @api.one @api.constrains('password_crypt', 'password', 'saml_uid') def check_no_password_with_saml(self): """Ensure no Odoo user posesses both an SAML user ID and an Odoo 
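Review bot: The new `try: import lasso / except ImportError` branch leaves no `lasso` name bound when the library is absent, so the later `lasso.Error` and other `lasso.*` references in `_auth_saml_validate` surface as a `NameError` in the middle of a login instead of a clear configuration error, and the only trace is a debug-level message. Consider binding `lasso = None` in the except branch and checking it at the top of `_auth_saml_validate`, raising an explicit error when the dependency is missing. In the second hunk, dropping `@api.one` from `check_no_password_with_saml` means the method now receives the whole recordset; its body in the next hunk still reads `self.password_crypt`, `self.saml_uid` and `self.id` directly and therefore needs a `for user in self:` loop around the check.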
@@ -44,31 +41,21 @@ def check_no_password_with_saml(self): else: # Super admin is the only user we allow to have a local password # in the database - if ( - self.password_crypt and - self.saml_uid and - self.id is not SUPERUSER_ID - ): - raise ValidationError( - _("This database disallows users to have both passwords " - "and SAML IDs. Errors for login %s" % (self.login) - ) - ) - - _sql_constraints = [ - ( - 'uniq_users_saml_provider_saml_uid', - 'unique(saml_provider_id, saml_uid)', - 'SAML UID must be unique per provider' - ), - ] + if (self.password_crypt and self.saml_uid and + self.id is not SUPERUSER_ID): + raise ValidationError(_("This database disallows users to " + "have both passwords and SAML IDs. " + "Errors for login %s" % (self.login))) + + _sql_constraints = [('uniq_users_saml_provider_saml_uid', + 'unique(saml_provider_id, saml_uid)', + 'SAML UID must be unique per provider')] @api.multi def _auth_saml_validate(self, provider_id, token): """ return the validation data corresponding to the access token """ - pobj = self.env['auth.saml.provider'] - p = pobj.browse(provider_id) + p = self.env['auth.saml.provider'].browse(provider_id) # we are not yet logged in, so the userid cannot have access to the # fields we need yet @@ -88,8 +75,7 @@ def _auth_saml_validate(self, provider_id, token): login.acceptSso() except lasso.Error as error: raise Exception( - 'Invalid assertion : %s' % lasso.strError(error[0]) - ) + 'Invalid assertion : %s' % lasso.strError(error[0])) attrs = {} @@ -101,8 +87,8 @@ def _auth_saml_validate(self, provider_id, token): try: name = attribute.name.decode('ascii') except Exception as e: - _logger.warning('sso_after_response: error decoding name of \ - attribute %s' % attribute.dump()) + _logger.warning('sso_after_response: error decoding name \ + of attribute %s' % attribute.dump()) else: try: if attribute.nameFormat: 
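Review bot: `self.id is not SUPERUSER_ID` compares integers by identity, which only works because CPython caches small ints; the same pattern recurs in the `write` hunk later in this file, and both should read `self.id != SUPERUSER_ID`. The reformatted raise also formats before translating, `_("... Errors for login %s" % (self.login))`, so the catalog lookup is done on the substituted string and never matches; move the interpolation outside: `_("This database disallows users to have both passwords and SAML IDs. Errors for login %s") % self.login`. The `raise Exception('Invalid assertion : %s' % lasso.strError(error[0]))` in the second hunk reports a failed assertion validation as a generic exception rather than an authentication failure; `AccessDenied` with the detail logged would be more consistent with the rest of this commit.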
@@ -144,10 +130,7 @@ def _auth_saml_validate(self, provider_id, token): elif not matching_value and matching_attribute != "subject.nameId": raise Exception( "Matching attribute %s not found in user attrs: %s" % ( - matching_attribute, - attrs, - ) - ) + matching_attribute, attrs)) validation = {'user_id': matching_value} return validation @@ -169,14 +152,10 @@ def _auth_saml_signin(self, provider, validation, saml_response): saml_uid = validation['user_id'] user_ids = self.search( - [ - ("saml_uid", "=", saml_uid), - ('saml_provider_id', '=', provider), - ] - ) + [('saml_uid', '=', saml_uid), ('saml_provider_id', '=', provider)]) if not user_ids: - raise openerp.exceptions.AccessDenied() + raise AccessDenied() # TODO replace assert by proper raise... asserts do not execute in # production code... @@ -185,24 +164,14 @@ def _auth_saml_signin(self, provider, validation, saml_response): # now find if a token for this user/provider already exists token_ids = token_osv.search( - [ - ('saml_provider_id', '=', provider), - ('user_id', '=', user.id), - ] - ) + [('saml_provider_id', '=', provider), ('user_id', '=', user.id)]) if token_ids: - token_ids.write( - {'saml_access_token': saml_response}, - ) + token_ids.write({'saml_access_token': saml_response}) else: - token_osv.create( - { - 'saml_access_token': saml_response, - 'saml_provider_id': provider, - 'user_id': user.id, - }, - ) + token_osv.create({'saml_access_token': saml_response, + 'saml_provider_id': provider, + 'user_id': user.id}) return user.login @@ -213,13 +182,13 @@ def auth_saml(self, provider, saml_response): # required check if not validation.get('user_id'): - raise openerp.exceptions.AccessDenied() + raise AccessDenied() # retrieve and sign in user login = self._auth_saml_signin(provider, validation, saml_response) if not login: - raise openerp.exceptions.AccessDenied() + raise AccessDenied() # return user credentials return self.env.cr.dbname, login, saml_response 
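Review bot: The `raise Exception("Matching attribute %s not found in user attrs: %s" % (matching_attribute, attrs))` embeds the full set of attributes released by the identity provider into an exception message that leaves the model layer and, depending on how the controller treats generic exceptions, may end up in logs or in the response to the browser. I would log the attribute names at debug level and raise a plain `AccessDenied()`, which also matches the `raise AccessDenied()` this commit introduces in `_auth_saml_signin` and `auth_saml` further down. The body of `_auth_saml_validate` starts outside this hunk.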
@@ -237,18 +206,12 @@ def check_credentials(self, token): # Attempt a regular login (via other auth addons) first. super(ResUser, self).check_credentials(token) - except ( - openerp.exceptions.AccessDenied, - passlib.exc.PasswordSizeError, - ): + except (AccessDenied, passlib.exc.PasswordSizeError): # since normal auth did not succeed we now try to find if the user # has an active token attached to his uid res = self.env['auth_saml.token'].sudo().search( - [ - ('user_id', '=', self.env.user.id), - ('saml_access_token', '=', token), - ], - ) + [('user_id', '=', self.env.user.id), + ('saml_access_token', '=', token)]) # if the user is not found we re-raise the AccessDenied if not res: @@ -266,20 +229,16 @@ def write(self, vals): # - An SAML ID is being set. # - The user is not the Odoo admin. # - The "allow both" setting is disabled. - if ( - vals and vals.get('saml_uid') and - self.id is not SUPERUSER_ID and - not self._allow_saml_and_password() - ): - vals.update({ - 'password': False, - 'password_crypt': False, - }) + if (vals and vals.get('saml_uid') and self.id is not SUPERUSER_ID and + not self._allow_saml_and_password()): + vals.update({ + 'password': False, + 'password_crypt': False, + }) return super(ResUser, self).write(vals) @api.model def _allow_saml_and_password(self): - settings_obj = self.env['base.config.settings'] - return settings_obj.allow_saml_and_password() + return self.env['res.config.settings'].allow_saml_and_password() diff --git a/auth_saml/models/saml_token.py b/auth_saml/models/saml_token.py index d6bde1b49d..bed2d8c8c2 100644 --- a/auth_saml/models/saml_token.py +++ b/auth_saml/models/saml_token.py @@ -1,8 +1,9 @@ -# -*- coding: utf-8 -*- +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). import logging -from openerp import fields -from openerp import models + +from odoo import fields, models _logger = logging.getLogger(__name__) 
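Review bot: In the `write` hunk, `write` is a multi-record method and the reformatted guard still reads `self.id` directly, which in Odoo raises a singleton error as soon as several users are written at once with a `saml_uid` in `vals`; the enclosing `write` begins outside the hunk. Splitting the recordset into the admin and everyone else keeps the intended behaviour (only the admin may keep a local password) while supporting batches, as sketched below. In the `check_credentials` hunk above, a one-line comment such as `# `token` is the raw SAML response stored by _auth_saml_signin; it must match exactly` would make the fallback lookup easier to follow.
```python
    @api.multi
    def write(self, vals):
        # … unchanged: docstring and explanatory comment …
        if (vals and vals.get('saml_uid') and
                not self._allow_saml_and_password()):
            admin = self.filtered(lambda user: user.id == SUPERUSER_ID)
            others = self - admin
            stripped = dict(vals, password=False, password_crypt=False)
            return (super(ResUser, others).write(stripped) and
                    super(ResUser, admin).write(vals))
        return super(ResUser, self).write(vals)
```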
diff --git a/auth_saml/static/description/index.html b/auth_saml/static/description/index.html index 5f38fe3628..577103d86d 100755 --- a/auth_saml/static/description/index.html +++ b/auth_saml/static/description/index.html @@ -41,7 +41,7 @@

Usage

Demo

-Try me on Runbot +Try me on Runbot

Known issues / Roadmap

@@ -49,9 +49,9 @@

Known issues / Roadmap

Bug Tracker

-

Bugs are tracked on GitHub Issues. +

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. -If you spotted it first, help us smashing it by providing a detailed and welcomed feedback here.

+If you spotted it first, help us smashing it by providing a detailed and welcomed feedback here.

Credits

@@ -65,6 +65,7 @@

Contributors

  • Alexandre Brun, <alexandre.brun@xcg-consulting.fr>
  • Jeremy Co Kim Len, <jeremy.cokimlen@vinci-concessions.com>
  • Houzéfa Abbasbhay <houzefa.abba@xcg-consulting.fr>
  • +
  • Bhavesh Odedra <bodedra@opensourceintegrators.com>
  • diff --git a/auth_saml/tests/__init__.py b/auth_saml/tests/__init__.py index 85305d3973..8b5bd5cc55 100644 --- a/auth_saml/tests/__init__.py +++ b/auth_saml/tests/__init__.py @@ -1,3 +1,3 @@ -# flake8: noqa +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). from . import test_auth_saml diff --git a/auth_saml/tests/test_auth_saml.py b/auth_saml/tests/test_auth_saml.py index aff072ae5d..9502bd374e 100644 --- a/auth_saml/tests/test_auth_saml.py +++ b/auth_saml/tests/test_auth_saml.py @@ -1,7 +1,10 @@ -import openerp.tests +# Copyright (C) 2010-2016 XCG Consulting +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -from .util.odoo_tests import TestBase from .util.singleton import Singleton +from .util.odoo_tests import TestBase + +from odoo.tests import common class TestMemory(object): @@ -9,8 +12,8 @@ class TestMemory(object): __metaclass__ = Singleton -@openerp.tests.common.at_install(False) -@openerp.tests.common.post_install(True) +@common.at_install(False) +@common.post_install(True) class Test(TestBase): def setUp(self): diff --git a/auth_saml/tests/util/odoo_tests.py b/auth_saml/tests/util/odoo_tests.py index 5bf665853c..795ea45ab3 100644 --- a/auth_saml/tests/util/odoo_tests.py +++ b/auth_saml/tests/util/odoo_tests.py @@ -1,11 +1,11 @@ """Utilities useful to Odoo tests. """ -import openerp.models -import openerp.tests +from odoo import models +from odoo.tests import common -class TestBase(openerp.tests.SingleTransactionCase): +class TestBase(common.SingleTransactionCase): """Provide some test helpers. """ 
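Review bot: In `tests/test_auth_saml.py` the new import order places the framework import `from odoo.tests import common` after the package-relative imports; the usual grouping (standard library, framework/third-party, then local imports, separated by blank lines) would put it first. The `__metaclass__ = Singleton` line visible in the context of the second hunk is Python 2-only syntax; if the target Odoo release runs on Python 3 it is silently ignored and `TestMemory` stops being a singleton, which is worth confirming for this port.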
@@ -28,14 +28,14 @@ def createAndTest(self, model, value_list): record = self.env[model].create(values) records.append(record) - self.assertIsInstance(record, openerp.models.BaseModel) + self.assertIsInstance(record, models.BaseModel) for field, value in local_values.iteritems(): recorded_value = getattr(record, field) # Handle relational fields (Odoo record-sets). - if isinstance(recorded_value, openerp.models.BaseModel): + if isinstance(recorded_value, models.BaseModel): if isinstance(recorded_value, (tuple, list)): self.assertEqual(recorded_value.ids, value) else: diff --git a/auth_saml/views/auth_saml.xml b/auth_saml/views/auth_saml.xml index fa4cc46842..fee2612b70 100644 --- a/auth_saml/views/auth_saml.xml +++ b/auth_saml/views/auth_saml.xml @@ -1,71 +1,70 @@ - - + - - - + - + + auth.saml.provider.list + auth.saml.provider + + + + + + + - - auth.saml.provider.list - auth.saml.provider - - - - - - - + + auth.saml.provider.form + auth.saml.provider + +
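Review bot: Inside `if isinstance(recorded_value, models.BaseModel):` the nested `isinstance(recorded_value, (tuple, list))` can never be true, because a recordset is neither a tuple nor a list, so the `.ids` comparison branch is dead; it reads as if the expected `value` was meant, i.e. `if isinstance(value, (tuple, list)):`. The `local_values.iteritems()` call on the context line is Python 2-only; `.items()` behaves the same on both if a Python 3 Odoo release is the target of this port. `createAndTest` starts and ends outside this hunk.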
    + + + + + + + + + + + + + +
    +
    +
    - - auth.saml.provider.form - auth.saml.provider - -
    - - - - - - - - - - - - - -
    -
    -
    + - + + Providers + auth.saml.provider + form + tree,form + - - Providers - auth.saml.provider - form - tree,form - - + -
    -
    + diff --git a/auth_saml/views/base_settings.xml b/auth_saml/views/base_settings.xml index 8bb25df4ed..a413cf8ba4 100644 --- a/auth_saml/views/base_settings.xml +++ b/auth_saml/views/base_settings.xml @@ -1,25 +1,24 @@ - - - + + - + - - auth_saml_base_settings_form - base.config.settings - - - - -
    - -