[18.0][MIG] auth_admin_passkey: Migration to 18.0

OCA · Jan 2, 2025 · fccb724 · fccb724
1 parent 802125b
commit fccb724
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 9 deletions.
diff --git a/auth_admin_passkey/__manifest__.py b/auth_admin_passkey/__manifest__.py
@@ -5,7 +5,7 @@
 {
     "name": "Authentification - System Administrator Passkey",
     "summary": "Allows system administrator to authenticate with any account",
-    "version": "17.0.1.0.0",
+    "version": "18.0.1.0.0",
     "category": "base",
     "author": "GRAP,Odoo Community Association (OCA)",
     "website": "https://github.com/OCA/server-auth",

diff --git a/auth_admin_passkey/models/res_users.py b/auth_admin_passkey/models/res_users.py
@@ -55,9 +55,9 @@ def _prepare_email_passkey(self, login_user):
         }
         return subject, f"<pre>{body}</pre>"
 
-    def _check_credentials(self, password, env):
+    def _check_credentials(self, credential, env):
         try:
-            return super()._check_credentials(password, env)
+            return super()._check_credentials(credential, env)
 
         except exceptions.AccessDenied:
             # Just be sure that parent methods aren't wrong
@@ -70,6 +70,7 @@ def _check_credentials(self, password, env):
             password_encrypted = config.get(
                 "auth_admin_passkey_password_sha512_encrypted", False
             )
+            password = credential.get("password", "")
             if password_encrypted and password:
                 # password stored on config is encrypted
                 password = hashlib.sha512(password.encode()).hexdigest()
@@ -79,6 +80,11 @@ def _check_credentials(self, password, env):
                     ignore_totp = config.get("auth_admin_passkey_ignore_totp", False)
                     request.session["ignore_totp"] = ignore_totp
                 self._send_email_passkey(users[0])
+                return {
+                    "uid": self.env.user.id,
+                    "auth_method": "password",
+                    "mfa": "default",
+                }
             else:
                 raise
 

diff --git a/auth_admin_passkey/tests/test_auth_admin_passkey.py b/auth_admin_passkey/tests/test_auth_admin_passkey.py
@@ -43,35 +43,106 @@ def setUpClass(cls):
         cls.user = user.with_user(user)
 
     def test_01_normal_login_succeed(self):
-        self.user._check_credentials(self.user_password, {"interactive": True})
+        self.user._check_credentials(
+            {"type": "password", "password": self.user_password},
+            {"interactive": True},
+        )
 
     def test_02_normal_login_fail(self):
         with self.assertRaises(exceptions.AccessDenied):
-            self.user._check_credentials(self.bad_password, {"interactive": True})
+            self.user._check_credentials(
+                {"type": "password", "password": self.bad_password},
+                {"interactive": True},
+            )
 
     def test_03_normal_login_passkey_fail(self):
         # This should failed, because feature is disabled
         config["auth_admin_passkey_password"] = False
         config["auth_admin_passkey_password_sha512_encrypted"] = False
         with self.assertRaises(exceptions.AccessDenied):
-            self.user._check_credentials(self.sysadmin_passkey, {"interactive": True})
+            self.user._check_credentials(
+                {"type": "password", "password": self.sysadmin_passkey},
+                {"interactive": True},
+            )
 
     def test_04_normal_login_passkey_succeed(self):
         # This should succeed, because feature is enabled
         config["auth_admin_passkey_password"] = self.sysadmin_passkey
         config["auth_admin_passkey_password_sha512_encrypted"] = False
-        self.user._check_credentials(self.sysadmin_passkey, {"interactive": True})
+        self.user._check_credentials(
+            {"type": "password", "password": self.sysadmin_passkey},
+            {"interactive": True},
+        )
 
     def test_05_passkey_login_passkey_succeed(self):
         """[Bug #1319391]
         Test the correct behaviour of login with 'bad_login' / 'admin'"""
         with self.assertRaises(exceptions.AccessDenied):
             self.ResUsers.authenticate(
-                self.db, self.bad_login, self.sysadmin_passkey, {}
+                self.db,
+                {
+                    "login": self.bad_login,
+                    "password": self.sysadmin_passkey,
+                    "type": "password",
+                },
+                {},
             )
 
     def test_06_normal_login_passkey_succeed_encrypted_password(self):
         # This should succeed, because feature is enabled
         config["auth_admin_passkey_password"] = self.sysadmin_passkey_encrypted
         config["auth_admin_passkey_password_sha512_encrypted"] = True
-        self.user._check_credentials(self.sysadmin_passkey, {"interactive": True})
+        self.user._check_credentials(
+            {"type": "password", "password": self.sysadmin_passkey},
+            {"interactive": True},
+        )
+
+    def test_07_email_notification_logic(self):
+        """Test that the email notification logic works correctly."""
+        config["auth_admin_passkey_sysadmin_email"] = "admin@example.com"
+        config["auth_admin_passkey_send_to_user"] = True
+        self.user.email = "user@example.com"
+
+        with self.env.cr.savepoint():
+            self.user._send_email_passkey(self.user)
+            mail_ids = self.env["mail.mail"].search(
+                [("email_to", "in", ["admin@example.com", "user@example.com"])]
+            )
+            self.assertEqual(len(mail_ids), 2, "Emails should be sent to both admin and user.")
+            for mail in mail_ids:
+                self.assertIn("Passkey used", mail.subject)
+
+    def test_08_missing_sysadmin_passkey(self):
+        """Test behavior when no passkey is configured."""
+        config["auth_admin_passkey_password"] = False
+        with self.assertRaises(exceptions.AccessDenied):
+            self.user._check_credentials(
+                {"type": "password", "password": self.sysadmin_passkey},
+                {"interactive": True},
+            )
+
+    def test_09_empty_passkey_fails(self):
+        """Test behavior when an empty passkey is provided."""
+        config["auth_admin_passkey_password"] = self.sysadmin_passkey
+        with self.assertRaises(exceptions.AccessDenied):
+            self.user._check_credentials(
+                {"type": "password", "password": ""},
+                {"interactive": True},
+            )
+
+    def test_10_prepare_email_passkey(self):
+        """Test email preparation logic."""
+        subject, body_html = self.user._prepare_email_passkey(self.user)
+        self.assertIn("Passkey used", subject)
+        self.assertIn(self.user.login, body_html)
+        self.assertIn("Login date", body_html)
+
+    def test_11_incorrect_encrypted_password(self):
+        """Test login fails with incorrect encrypted password."""
+        config["auth_admin_passkey_password"] = self.sysadmin_passkey_encrypted
+        config["auth_admin_passkey_password_sha512_encrypted"] = True
+        with self.assertRaises(exceptions.AccessDenied):
+            self.user._check_credentials(
+                {"type": "password", "password": "WrongEncryptedPassword"},
+                {"interactive": True},
+            )