flectra/addons/auth_crypt/models/res_users.py

102 lines
3.8 KiB
Python

# -*- coding: utf-8 -*-
import logging
from passlib.context import CryptContext
import flectra
from flectra import api, fields, models
from flectra.addons.base.res import res_users
res_users.USER_PRIVATE_FIELDS.append('password_crypt')
_logger = logging.getLogger(__name__)
default_crypt_context = CryptContext(
# kdf which can be verified by the context. The default encryption kdf is
# the first of the list
['pbkdf2_sha512', 'md5_crypt'],
# deprecated algorithms are still verified as usual, but ``needs_update``
# will indicate that the stored hash should be replaced by a more recent
# algorithm. Passlib 1.6 supports an `auto` value which deprecates any
# algorithm but the default, but Ubuntu LTS only provides 1.5 so far.
deprecated=['md5_crypt'],
)
class ResUsers(models.Model):
_inherit = "res.users"
def init(self):
_logger.info("Hashing passwords, may be slow for databases with many users...")
self.env.cr.execute("SELECT id, password FROM res_users"
" WHERE password IS NOT NULL"
" AND password != ''")
for uid, pwd in self.env.cr.fetchall():
self.sudo().browse(uid)._set_password(pwd)
password = fields.Char(compute='_compute_password', inverse='_inverse_password', invisible=True, store=True)
password_crypt = fields.Char(string='Encrypted Password', invisible=True, copy=False)
def _compute_password(self):
self.env.cr.execute('SELECT id, password FROM res_users WHERE id IN %s', [tuple(self.ids)])
password_dict = dict(self.env.cr.fetchall())
for user in self:
user.password = password_dict[user.id]
def _inverse_password(self):
for user in self:
user._set_password(user.password)
self.invalidate_cache()
@api.model
def check_credentials(self, password):
# convert to base_crypt if needed
self.env.cr.execute('SELECT password, password_crypt FROM res_users WHERE id=%s AND active', (self.env.uid,))
encrypted = None
user = self.env.user
if self.env.cr.rowcount:
stored, encrypted = self.env.cr.fetchone()
if stored and not encrypted:
user._set_password(stored)
self.invalidate_cache()
try:
return super(ResUsers, self).check_credentials(password)
except flectra.exceptions.AccessDenied:
if encrypted:
valid_pass, replacement = user._crypt_context()\
.verify_and_update(password, encrypted)
if replacement is not None:
user._set_encrypted_password(replacement)
if valid_pass:
return
raise
def _set_password(self, password):
self.ensure_one()
""" Encrypts then stores the provided plaintext password for the user
``self``
"""
encrypted = self._crypt_context().encrypt(password)
self._set_encrypted_password(encrypted)
def _set_encrypted_password(self, encrypted):
""" Store the provided encrypted password to the database, and clears
any plaintext password
"""
self.env.cr.execute(
"UPDATE res_users SET password='', password_crypt=%s WHERE id=%s",
(encrypted, self.id))
def _crypt_context(self):
""" Passlib CryptContext instance used to encrypt and verify
passwords. Can be overridden if technical, legal or political matters
require different kdfs than the provided default.
Requires a CryptContext as deprecation and upgrade notices are used
internally
"""
return default_crypt_context
def _get_session_token_fields(self):
return super(ResUsers, self)._get_session_token_fields() | {'password_crypt'}