Merge pull request OCA#298 from OCA/15.0

Syncing from upstream OCA/server-auth (15.0)

README.md

@@ -25,11 +25,13 @@ addon | version | maintainers | summary
 [auth_api_key_group](auth_api_key_group/) | 15.0.1.0.0 | [![simahawk](https://github.com/simahawk.png?size=30px)](https://github.com/simahawk) | Allow grouping API keys together. Grouping per se does nothing. This feature is supposed to be used by other modules to limit access to services or records based on groups of keys.
 [auth_api_key_server_env](auth_api_key_server_env/) | 15.0.1.0.0 |  | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
 [auth_ldaps](auth_ldaps/) | 15.0.1.0.0 |  | Allows to use LDAP over SSL authentication
+[auth_oauth_multi_token](auth_oauth_multi_token/) | 15.0.1.0.0 |  | Allow multiple connection with the same OAuth account
 [auth_oidc](auth_oidc/) | 15.0.1.0.0 | [![sbidoul](https://github.com/sbidoul.png?size=30px)](https://github.com/sbidoul) | Allow users to login through OpenID Connect Provider
 [auth_saml](auth_saml/) | 15.0.1.1.1 |  | SAML2 Authentication
 [auth_session_timeout](auth_session_timeout/) | 15.0.1.0.0 |  | This module disable all inactive sessions since a given delay
 [auth_signup_verify_email](auth_signup_verify_email/) | 15.0.1.0.0 |  | Force uninvited users to use a good email for signup
 [auth_user_case_insensitive](auth_user_case_insensitive/) | 15.0.1.0.0 |  | Makes the user login field case insensitive
+[password_security](password_security/) | 15.0.1.0.0 |  | Allow admin to set password security requirements.
 [users_ldap_groups](users_ldap_groups/) | 15.0.1.0.0 |  | Adds user accounts to groups based on rules defined by the administrator.
 
 

auth_oauth_multi_token/README.rst

@@ -0,0 +1,90 @@
+=================
+OAuth Multi Token
+=================
+
+.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/15.0/auth_oauth_multi_token
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_oauth_multi_token
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
+    :target: https://runbot.odoo-community.org/runbot/251/15.0
+    :alt: Try me on Runbot
+
+|badge1| |badge2| |badge3| |badge4| |badge5| 
+
+This module adds the possibility to connect with the same account
+on more than one device at the same time.
+
+All providers are supported (Google, Facebook, Odoo, etc).
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Usage
+=====
+
+Nothing changes on login action: just select your provider and try to log in.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oauth_multi_token%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* Florent de Labarre
+* Camptocamp
+
+Contributors
+~~~~~~~~~~~~
+
+* Florent de Labarre <florent.mirieu@gmail.com>
+* Simone Orsi <simone.orsi@camptocamp.com>
+* `Tecnativa <https://www.tecnativa.com/>`__:
+
+  * Jairo Llopis
+  * Sergio Teruel
+
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
+* Dan Tillinghast
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/auth_oauth_multi_token>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_oauth_multi_token/__init__.py

@@ -0,0 +1 @@
+from . import models

auth_oauth_multi_token/__manifest__.py

@@ -0,0 +1,20 @@
+# Copyright 2016 Florent de Labarre
+# Copyright 2017 Camptocamp
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    "name": "OAuth Multi Token",
+    "version": "15.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "Florent de Labarre, Camptocamp, Odoo Community Association (OCA)",
+    "summary": """Allow multiple connection with the same OAuth account""",
+    "category": "Tool",
+    "website": "https://github.com/OCA/server-auth",
+    "depends": ["auth_oauth"],
+    "data": [
+        "security/ir.model.access.csv",
+        "views/auth_oauth_multi_token.xml",
+        "views/res_users.xml",
+    ],
+    "installable": True,
+}

auth_oauth_multi_token/i18n/auth_oauth_multi_token.pot

@@ -0,0 +1,94 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oauth_multi_token
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 15.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_oauth_multi_token
+#: model_terms:ir.ui.view,arch_db:auth_oauth_multi_token.view_users_form
+msgid "Clear Tokens"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__id
+msgid "ID"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token____last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model_terms:ir.ui.view,arch_db:auth_oauth_multi_token.view_users_form
+msgid "Latest tokens"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_res_users__oauth_master_uuid
+msgid "Master UUID"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_res_users__oauth_access_max_token
+msgid "Max number of simultaneous connections"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__oauth_access_token
+msgid "OAuth Access Token"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_res_users__oauth_access_token_ids
+msgid "OAuth tokens"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model,name:auth_oauth_multi_token.model_auth_oauth_multi_token
+msgid "OAuth2 token"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model.fields,field_description:auth_oauth_multi_token.field_auth_oauth_multi_token__user_id
+msgid "User"
+msgstr ""
+
+#. module: auth_oauth_multi_token
+#: model:ir.model,name:auth_oauth_multi_token.model_res_users
+msgid "Users"
+msgstr ""

auth_oauth_multi_token/models/__init__.py

@@ -0,0 +1,2 @@
+from . import auth_oauth_multi_token
+from . import res_users

auth_oauth_multi_token/models/auth_oauth_multi_token.py

@@ -0,0 +1,53 @@
+# Copyright 2016 Florent de Labarre
+# Copyright 2017 Camptocamp
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from odoo import api, fields, models
+
+
+class AuthOauthMultiToken(models.Model):
+    """Define a set of tokens."""
+
+    _name = "auth.oauth.multi.token"
+    _description = "OAuth2 token"
+    _order = "id desc"
+
+    oauth_access_token = fields.Char(
+        string="OAuth Access Token", readonly=True, copy=False
+    )
+    user_id = fields.Many2one(
+        comodel_name="res.users",
+        string="User",
+        required=True,
+        readonly=True,
+        index=True,
+        ondelete="cascade",
+    )
+
+    @api.model
+    def create(self, vals):
+        """Override to validate tokens."""
+        token = super().create(vals)
+        token._oauth_validate_multi_token()
+        return token
+
+    @api.model
+    def _oauth_user_tokens(self, user_id):
+        """Retrieve tokens for given user.
+
+        :param user_id: Odoo ID of the user
+        """
+        return self.search([("user_id", "=", user_id)])
+
+    def _oauth_validate_multi_token(self):
+        """Check current user's token and clear them if max number reached."""
+        user_tokens = self._oauth_user_tokens(self.user_id.id)
+        max_token = self.user_id.oauth_access_max_token
+        if user_tokens and len(user_tokens) > max_token:
+            # clear last token
+            user_tokens[max_token - 1]._oauth_clear_token()
+
+    def _oauth_clear_token(self):
+        """Disable current token records."""
+        self.unlink()

auth_oauth_multi_token/models/res_users.py

@@ -0,0 +1,83 @@
+# Copyright 2016 Florent de Labarre
+# Copyright 2017 Camptocamp
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+import uuid
+
+from odoo import api, exceptions, fields, models
+
+from odoo.addons import base
+
+base.models.res_users.USER_PRIVATE_FIELDS.append("oauth_master_uuid")
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _generate_oauth_master_uuid(self):
+        return uuid.uuid4().hex
+
+    oauth_access_token_ids = fields.One2many(
+        comodel_name="auth.oauth.multi.token",
+        inverse_name="user_id",
+        string="OAuth tokens",
+        copy=False,
+        readonly=True,
+        groups="base.group_system",
+    )
+    oauth_access_max_token = fields.Integer(
+        string="Max number of simultaneous connections", default=10, required=True
+    )
+    oauth_master_uuid = fields.Char(
+        string="Master UUID",
+        copy=False,
+        readonly=True,
+        required=True,
+        default=lambda self: self._generate_oauth_master_uuid(),
+    )
+
+    @property
+    def multi_token_model(self):
+        return self.env["auth.oauth.multi.token"]
+
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        """Override to handle sign-in with multi token."""
+        res = super()._auth_oauth_signin(provider, validation, params)
+
+        oauth_uid = validation["user_id"]
+        # Lookup for user by oauth uid and provider
+        user = self.search(
+            [("oauth_uid", "=", oauth_uid), ("oauth_provider_id", "=", provider)]
+        )
+        if not user:
+            raise exceptions.AccessDenied()
+        user.ensure_one()
+        # user found and unique: create a token
+        self.multi_token_model.create(
+            {"user_id": user.id, "oauth_access_token": params["access_token"]}
+        )
+        return res
+
+    def action_oauth_clear_token(self):
+        """Inactivate current user tokens."""
+        self.mapped("oauth_access_token_ids")._oauth_clear_token()
+        for res in self:
+            res.oauth_access_token = False
+            res.oauth_master_uuid = self._generate_oauth_master_uuid()
+
+    @api.model
+    def _check_credentials(self, password, env):
+        """Override to check credentials against multi tokens."""
+        try:
+            return super()._check_credentials(password, env)
+        except exceptions.AccessDenied:
+            res = self.multi_token_model.sudo().search(
+                [("user_id", "=", self.env.uid), ("oauth_access_token", "=", password)]
+            )
+            if not res:
+                raise
+
+    def _get_session_token_fields(self):
+        res = super()._get_session_token_fields()
+        res.remove("oauth_access_token")
+        return res | {"oauth_master_uuid"}

auth_oauth_multi_token/readme/CONFIGURATION.rst

@@ -0,0 +1,5 @@
+On users' form you can set the number of maximum simultaneous connections.
+
+By default 10 connections are allowed.
+
+From there you can also clear / inactivate existing tokens.

auth_oauth_multi_token/readme/CONTRIBUTORS.rst

@@ -0,0 +1,9 @@
+* Florent de Labarre <florent.mirieu@gmail.com>
+* Simone Orsi <simone.orsi@camptocamp.com>
+* `Tecnativa <https://www.tecnativa.com/>`__:
+
+  * Jairo Llopis
+  * Sergio Teruel
+
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
+* Dan Tillinghast

auth_oauth_multi_token/readme/DESCRIPTION.rst

@@ -0,0 +1,4 @@
+This module adds the possibility to connect with the same account
+on more than one device at the same time.
+
+All providers are supported (Google, Facebook, Odoo, etc).

auth_oauth_multi_token/readme/USAGE.rst

@@ -0,0 +1 @@
+Nothing changes on login action: just select your provider and try to log in.

auth_oauth_multi_token/security/ir.model.access.csv

@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_auth_oauth_multi_token_admin,auth_oauth_multi_token admin,model_auth_oauth_multi_token,base.group_system,1,1,1,1