diff --git a/auth_api_key/README.rst b/auth_api_key/README.rst new file mode 100644 index 0000000000..4984336c75 --- /dev/null +++ b/auth_api_key/README.rst @@ -0,0 +1,110 @@ +============ +Auth Api Key +============ + +.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png + :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html + :alt: License: LGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github + :target: https://github.com/OCA/server-auth/tree/14.0/auth_api_key + :alt: OCA/server-auth +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_api_key + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png + :target: https://runbot.odoo-community.org/runbot/251/14.0 + :alt: Try me on Runbot + +|badge1| |badge2| |badge3| |badge4| |badge5| + +Authenticate http requests from an API key. + +API keys are codes passed in (in the http header API-KEY) by programs calling an API in order to identify -in this case- the calling program's user. + +Take care while using this kind of mechanism since information into http headers are visible in clear. Thus, use it only to authenticate requests from known sources. For unknown sources, it is a good practice to filter out this header at proxy level. + +**Table of contents** + +.. contents:: + :local: + +Configuration +============= + +The api key menu is available into Settings > Technical in debug mode. +By default, when you create an API key, the key is saved into the database. +It is also possible to provide the value of this key via the configuration +file. This can be very useful to avoid mixing your keys between your various +environments when restoring databases. All you have to do is to add a new +section to your configuration file according to the following convention: + +.. code-block:: ini + + [api_key_] + key=my_api_key + +Usage +===== + +To apply this authentication system to your http request you must set 'api_key' +as value for the 'auth' parameter of your route definition into your controller. + +.. code-block:: python + + class MyController(Controller): + + @route('/my_service', auth='api_key', ...) + def my_service(self, *args, **kwargs): + pass + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +~~~~~~~ + +* ACSONE SA/NV + +Contributors +~~~~~~~~~~~~ + +* Denis Robinet +* Laurent Mignon +* Quentin Groulard +* Sébastien Beau +* Chafique Delli + +Maintainers +~~~~~~~~~~~ + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +This module is part of the `OCA/server-auth `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/auth_api_key/__init__.py b/auth_api_key/__init__.py new file mode 100644 index 0000000000..0650744f6b --- /dev/null +++ b/auth_api_key/__init__.py @@ -0,0 +1 @@ +from . import models diff --git a/auth_api_key/__manifest__.py b/auth_api_key/__manifest__.py new file mode 100644 index 0000000000..83f5a9ba29 --- /dev/null +++ b/auth_api_key/__manifest__.py @@ -0,0 +1,16 @@ +# Copyright 2018 ACSONE SA/NV +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl). + +{ + "name": "Auth Api Key", + "summary": """ + Authenticate http requests from an API key""", + "version": "14.0.1.0.0", + "license": "LGPL-3", + "author": "ACSONE SA/NV,Odoo Community Association (OCA)", + "website": "https://github.com/OCA/server-auth", + "development_status": "Beta", + "depends": ["server_environment"], + "data": ["security/ir.model.access.csv", "views/auth_api_key.xml"], + "demo": [], +} diff --git a/auth_api_key/i18n/auth_api_key.pot b/auth_api_key/i18n/auth_api_key.pot new file mode 100644 index 0000000000..6c571bb97e --- /dev/null +++ b/auth_api_key/i18n/auth_api_key.pot @@ -0,0 +1,126 @@ +# Translation of Odoo Server. +# This file contains the translation of the following modules: +# * auth_api_key +# +msgid "" +msgstr "" +"Project-Id-Version: Odoo Server 13.0\n" +"Report-Msgid-Bugs-To: \n" +"Last-Translator: \n" +"Language-Team: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: \n" +"Plural-Forms: \n" + +#. module: auth_api_key +#: model:ir.model,name:auth_api_key.model_auth_api_key +msgid "API Key" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.constraint,message:auth_api_key.constraint_auth_api_key_name_uniq +msgid "Api Key name must be unique." +msgstr "" + +#. module: auth_api_key +#: model:ir.actions.act_window,name:auth_api_key.auth_api_key_act_window +#: model:ir.ui.menu,name:auth_api_key.auth_api_key_menu +msgid "Auth Api Key" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_uid +msgid "Created by" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_date +msgid "Created on" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__display_name +msgid "Display Name" +msgstr "" + +#. module: auth_api_key +#: model:ir.model,name:auth_api_key.model_ir_http +msgid "HTTP Routing" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__id +msgid "ID" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__key +msgid "Key" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__key_env_default +msgid "Key Env Default" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__key_env_is_editable +msgid "Key Env Is Editable" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key____last_update +msgid "Last Modified on" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_uid +msgid "Last Updated by" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_date +msgid "Last Updated on" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__name +msgid "Name" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__server_env_defaults +msgid "Server Env Defaults" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__key +msgid "" +"The API key. Enter a dummy value in this field if it is\n" +" obtained from the server environment configuration." +msgstr "" + +#. module: auth_api_key +#: code:addons/auth_api_key/models/auth_api_key.py:0 +#, python-format +msgid "The key %s is not allowed" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__user_id +msgid "" +"The user used to process the requests authenticated by\n" +" the api key" +msgstr "" + +#. module: auth_api_key +#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__user_id +msgid "User" +msgstr "" + +#. module: auth_api_key +#: code:addons/auth_api_key/models/auth_api_key.py:0 +#, python-format +msgid "User is not allowed" +msgstr "" diff --git a/auth_api_key/migrations/12.0.2.0.0/post-migrate.py b/auth_api_key/migrations/12.0.2.0.0/post-migrate.py new file mode 100644 index 0000000000..06be6c96ae --- /dev/null +++ b/auth_api_key/migrations/12.0.2.0.0/post-migrate.py @@ -0,0 +1,28 @@ +# Copyright 2019 ACSONE SA/NV +# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). + +import logging + +import odoo + +from odoo.addons.server_environment import serv_config + +_logger = logging.Logger(__name__) + + +def migrate(cr, version): + _logger.info("Create auth_api.key records from odoo config") + with odoo.api.Environment.manage(): + env = odoo.api.Environment(cr, odoo.SUPERUSER_ID, {}) + for section in serv_config.sections(): + if section.startswith("api_key_") and serv_config.has_option( + section, "key" + ): + login_name = serv_config.get(section, "user") + name = section.replace("api_key_", "") + key = "" + user = env["res.users"].search([("login", "=", login_name)]) + env["auth.api.key"].create( + {"name": name, "key": key, "user_id": user.id} + ) + _logger.info("API Key record created for %s", section) diff --git a/auth_api_key/models/__init__.py b/auth_api_key/models/__init__.py new file mode 100644 index 0000000000..dee3379fea --- /dev/null +++ b/auth_api_key/models/__init__.py @@ -0,0 +1,2 @@ +from . import ir_http +from . import auth_api_key diff --git a/auth_api_key/models/auth_api_key.py b/auth_api_key/models/auth_api_key.py new file mode 100644 index 0000000000..6b24e9053c --- /dev/null +++ b/auth_api_key/models/auth_api_key.py @@ -0,0 +1,84 @@ +# Copyright 2018 ACSONE SA/NV +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl). + +from odoo import _, api, fields, models, tools +from odoo.exceptions import AccessError, ValidationError +from odoo.tools import consteq + + +class AuthApiKey(models.Model): + _name = "auth.api.key" + _inherit = "server.env.mixin" + _description = "API Key" + + name = fields.Char(required=True) + key = fields.Char( + required=True, + help="""The API key. Enter a dummy value in this field if it is + obtained from the server environment configuration.""", + ) + user_id = fields.Many2one( + comodel_name="res.users", + string="User", + required=True, + help="""The user used to process the requests authenticated by + the api key""", + ) + + _sql_constraints = [("name_uniq", "unique(name)", "Api Key name must be unique.")] + + def _server_env_section_name(self): + """Name of the section in the configuration files + + We override the default implementation to keep the compatibility + with the previous implementation of auth_api_key. The section name + into the configuration file must be formatted as + + 'api_key_{name}' + + """ + self.ensure_one() + return "api_key_{}".format(self.name) + + @property + def _server_env_fields(self): + base_fields = super()._server_env_fields + api_key_fields = {"key": {}} + api_key_fields.update(base_fields) + return api_key_fields + + @api.model + def _retrieve_api_key(self, key): + return self.browse(self._retrieve_api_key_id(key)) + + @api.model + @tools.ormcache("key") + def _retrieve_api_key_id(self, key): + if not self.env.user.has_group("base.group_system"): + raise AccessError(_("User is not allowed")) + for api_key in self.search([]): + if consteq(key, api_key.key): + return api_key.id + raise ValidationError(_("The key %s is not allowed") % key) + + @api.model + @tools.ormcache("key") + def _retrieve_uid_from_api_key(self, key): + return self._retrieve_api_key(key).user_id.id + + def _clear_key_cache(self): + self._retrieve_api_key_id.clear_cache(self.env[self._name]) + self._retrieve_uid_from_api_key.clear_cache(self.env[self._name]) + + @api.model + def create(self, vals): + record = super(AuthApiKey, self).create(vals) + if "key" in vals or "user_id" in vals: + self._clear_key_cache() + return record + + def write(self, vals): + super(AuthApiKey, self).write(vals) + if "key" in vals or "user_id" in vals: + self._clear_key_cache() + return True diff --git a/auth_api_key/models/ir_http.py b/auth_api_key/models/ir_http.py new file mode 100644 index 0000000000..13673663b2 --- /dev/null +++ b/auth_api_key/models/ir_http.py @@ -0,0 +1,36 @@ +# Copyright 2018 ACSONE SA/NV +# Copyright 2017 Akretion (http://www.akretion.com). +# @author Sébastien BEAU +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl). + +import logging + +from odoo import models +from odoo.exceptions import AccessDenied +from odoo.http import request + +_logger = logging.getLogger(__name__) + + +class IrHttp(models.AbstractModel): + _inherit = "ir.http" + + @classmethod + def _auth_method_api_key(cls): + headers = request.httprequest.environ + api_key = headers.get("HTTP_API_KEY") + if api_key: + request.uid = 1 + auth_api_key = request.env["auth.api.key"]._retrieve_api_key(api_key) + if auth_api_key: + # reset _env on the request since we change the uid... + # the next call to env will instantiate an new + # odoo.api.Environment with the user defined on the + # auth.api_key + request._env = None + request.uid = auth_api_key.user_id.id + request.auth_api_key = api_key + request.auth_api_key_id = auth_api_key.id + return True + _logger.error("Wrong HTTP_API_KEY, access denied") + raise AccessDenied() diff --git a/auth_api_key/readme/CONFIGURE.rst b/auth_api_key/readme/CONFIGURE.rst new file mode 100644 index 0000000000..c3c0612baf --- /dev/null +++ b/auth_api_key/readme/CONFIGURE.rst @@ -0,0 +1,11 @@ +The api key menu is available into Settings > Technical in debug mode. +By default, when you create an API key, the key is saved into the database. +It is also possible to provide the value of this key via the configuration +file. This can be very useful to avoid mixing your keys between your various +environments when restoring databases. All you have to do is to add a new +section to your configuration file according to the following convention: + +.. code-block:: ini + + [api_key_] + key=my_api_key diff --git a/auth_api_key/readme/CONTRIBUTORS.rst b/auth_api_key/readme/CONTRIBUTORS.rst new file mode 100644 index 0000000000..a0cd887895 --- /dev/null +++ b/auth_api_key/readme/CONTRIBUTORS.rst @@ -0,0 +1,5 @@ +* Denis Robinet +* Laurent Mignon +* Quentin Groulard +* Sébastien Beau +* Chafique Delli diff --git a/auth_api_key/readme/DESCRIPTION.rst b/auth_api_key/readme/DESCRIPTION.rst new file mode 100644 index 0000000000..32b1e9c324 --- /dev/null +++ b/auth_api_key/readme/DESCRIPTION.rst @@ -0,0 +1,5 @@ +Authenticate http requests from an API key. + +API keys are codes passed in (in the http header API-KEY) by programs calling an API in order to identify -in this case- the calling program's user. + +Take care while using this kind of mechanism since information into http headers are visible in clear. Thus, use it only to authenticate requests from known sources. For unknown sources, it is a good practice to filter out this header at proxy level. diff --git a/auth_api_key/readme/USAGE.rst b/auth_api_key/readme/USAGE.rst new file mode 100644 index 0000000000..d8ff4460eb --- /dev/null +++ b/auth_api_key/readme/USAGE.rst @@ -0,0 +1,10 @@ +To apply this authentication system to your http request you must set 'api_key' +as value for the 'auth' parameter of your route definition into your controller. + +.. code-block:: python + + class MyController(Controller): + + @route('/my_service', auth='api_key', ...) + def my_service(self, *args, **kwargs): + pass diff --git a/auth_api_key/security/ir.model.access.csv b/auth_api_key/security/ir.model.access.csv new file mode 100644 index 0000000000..b964d8c1de --- /dev/null +++ b/auth_api_key/security/ir.model.access.csv @@ -0,0 +1,2 @@ +id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink +access_auth_api_key,access_auth_api_key,model_auth_api_key,base.group_system,1,1,1,1 diff --git a/auth_api_key/static/description/icon.png b/auth_api_key/static/description/icon.png new file mode 100644 index 0000000000..3a0328b516 Binary files /dev/null and b/auth_api_key/static/description/icon.png differ diff --git a/auth_api_key/static/description/index.html b/auth_api_key/static/description/index.html new file mode 100644 index 0000000000..a0fbdbb940 --- /dev/null +++ b/auth_api_key/static/description/index.html @@ -0,0 +1,451 @@ + + + + + + +Auth Api Key + + + +
+

Auth Api Key

+ + +

Beta License: LGPL-3 OCA/server-auth Translate me on Weblate Try me on Runbot

+

Authenticate http requests from an API key.

+

API keys are codes passed in (in the http header API-KEY) by programs calling an API in order to identify -in this case- the calling program’s user.

+

Take care while using this kind of mechanism since information into http headers are visible in clear. Thus, use it only to authenticate requests from known sources. For unknown sources, it is a good practice to filter out this header at proxy level.

+

Table of contents

+ +
+

Configuration

+

The api key menu is available into Settings > Technical in debug mode. +By default, when you create an API key, the key is saved into the database. +It is also possible to provide the value of this key via the configuration +file. This can be very useful to avoid mixing your keys between your various +environments when restoring databases. All you have to do is to add a new +section to your configuration file according to the following convention:

+
+[api_key_<Record Name>]
+key=my_api_key
+
+
+
+

Usage

+

To apply this authentication system to your http request you must set ‘api_key’ +as value for the ‘auth’ parameter of your route definition into your controller.

+
+class MyController(Controller):
+
+    @route('/my_service', auth='api_key', ...)
+    def my_service(self, *args, **kwargs):
+        pass
+
+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed +feedback.

+

Do not contact contributors directly about support or help with technical issues.

+
+
+

Credits

+
+

Authors

+
    +
  • ACSONE SA/NV
  • +
+
+
+

Contributors

+ +
+
+

Maintainers

+

This module is maintained by the OCA.

+Odoo Community Association +

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

This module is part of the OCA/server-auth project on GitHub.

+

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

+
+
+
+ + diff --git a/auth_api_key/tests/__init__.py b/auth_api_key/tests/__init__.py new file mode 100644 index 0000000000..56e3e32a3a --- /dev/null +++ b/auth_api_key/tests/__init__.py @@ -0,0 +1 @@ +from . import test_auth_api_key diff --git a/auth_api_key/tests/test_auth_api_key.py b/auth_api_key/tests/test_auth_api_key.py new file mode 100644 index 0000000000..da5c524817 --- /dev/null +++ b/auth_api_key/tests/test_auth_api_key.py @@ -0,0 +1,63 @@ +# Copyright 2018 ACSONE SA/NV +# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl). +from odoo.exceptions import AccessError, ValidationError +from odoo.tests.common import SavepointCase + +from odoo.addons.server_environment import serv_config + + +class TestAuthApiKey(SavepointCase): + @classmethod + def setUpClass(cls, *args, **kwargs): + super().setUpClass(*args, **kwargs) + cls.AuthApiKey = cls.env["auth.api.key"] + cls.demo_user = cls.env.ref("base.user_demo") + cls.api_key_good = cls.AuthApiKey.create( + {"name": "good", "user_id": cls.demo_user.id, "key": "api_key"} + ) + cls.api_key_from_env = cls.AuthApiKey.create( + {"name": "from_env", "key": "dummy", "user_id": cls.demo_user.id} + ) + cls.api_key_from_env.refresh() + serv_config.add_section("api_key_from_env") + serv_config.set("api_key_from_env", "key", "api_key_from_env") + + def test_lookup_key_from_db(self): + demo_user = self.env.ref("base.user_demo") + self.assertEqual( + self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key"), demo_user.id + ) + + def test_lookup_key_from_env(self): + self.assertEqual( + self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key_from_env"), + self.demo_user.id, + ) + with self.assertRaises(ValidationError): + # dummy key must be replace with the one from env and + # therefore should be unusable + self.env["auth.api.key"]._retrieve_uid_from_api_key("dummy") + + def test_wrong_key(self): + with self.assertRaises(ValidationError), self.env.cr.savepoint(): + self.env["auth.api.key"]._retrieve_uid_from_api_key("api_wrong_key") + + def test_user_not_allowed(self): + # only system users can check for key + with self.assertRaises(AccessError), self.env.cr.savepoint(): + self.env["auth.api.key"].with_user( + user=self.demo_user + )._retrieve_uid_from_api_key("api_wrong_key") + + def test_cache_invalidation(self): + self.assertEqual( + self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key"), + self.demo_user.id, + ) + self.api_key_good.write({"key": "updated_key"}) + self.assertEqual( + self.env["auth.api.key"]._retrieve_uid_from_api_key("updated_key"), + self.demo_user.id, + ) + with self.assertRaises(ValidationError): + self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key") diff --git a/auth_api_key/views/auth_api_key.xml b/auth_api_key/views/auth_api_key.xml new file mode 100644 index 0000000000..c2305274ae --- /dev/null +++ b/auth_api_key/views/auth_api_key.xml @@ -0,0 +1,46 @@ + + + + + auth.api.key.form (in auth_api_key) + auth.api.key + +
+ + +
+
+
+ + auth.api.key.tree (in auth_api_key) + auth.api.key + + + + + + + + + Auth Api Key + auth.api.key + tree,form + [] + {} + + + Auth Api Key + + + + +
diff --git a/oca_dependencies.txt b/oca_dependencies.txt index ca3c726ba2..ae177d88c8 100644 --- a/oca_dependencies.txt +++ b/oca_dependencies.txt @@ -1 +1,2 @@ # See https://github.com/OCA/odoo-community.org/blob/master/website/Contribution/CONTRIBUTING.rst#oca_dependencies-txt +server-env diff --git a/setup/auth_api_key/odoo/addons/auth_api_key b/setup/auth_api_key/odoo/addons/auth_api_key new file mode 120000 index 0000000000..8cc2273270 --- /dev/null +++ b/setup/auth_api_key/odoo/addons/auth_api_key @@ -0,0 +1 @@ +../../../../auth_api_key \ No newline at end of file diff --git a/setup/auth_api_key/setup.py b/setup/auth_api_key/setup.py new file mode 100644 index 0000000000..28c57bb640 --- /dev/null +++ b/setup/auth_api_key/setup.py @@ -0,0 +1,6 @@ +import setuptools + +setuptools.setup( + setup_requires=['setuptools-odoo'], + odoo_addon=True, +)