-
-
Notifications
You must be signed in to change notification settings - Fork 433
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
18 changed files
with
771 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,119 @@ | ||
=================== | ||
IP based MFA bypass | ||
=================== | ||
|
||
.. | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! This file is generated by oca-gen-addon-readme !! | ||
!! changes will be overwritten. !! | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
!! source digest: sha256:293829077d34925720abfd9ded62f8faa4f395c144d03ecd0e5c7d8091d5bf55 | ||
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | ||
.. |badge1| image:: https://img.shields.io/badge/maturity-Alpha-red.png | ||
:target: https://odoo-community.org/page/development-status | ||
:alt: Alpha | ||
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png | ||
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html | ||
:alt: License: AGPL-3 | ||
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github | ||
:target: https://github.com/OCA/server-auth/tree/16.0/auth_totp_bypass_ip_range | ||
:alt: OCA/server-auth | ||
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png | ||
:target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_totp_bypass_ip_range | ||
:alt: Translate me on Weblate | ||
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png | ||
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0 | ||
:alt: Try me on Runboat | ||
|
||
|badge1| |badge2| |badge3| |badge4| |badge5| | ||
|
||
This module allows to define some IP networks as not needing multi | ||
factor authentication. | ||
|
||
.. IMPORTANT:: | ||
This is an alpha version, the data model and design can change at any time without warning. | ||
Only for development or testing purpose, do not use in production. | ||
`More details on development status <https://odoo-community.org/page/development-status>`_ | ||
|
||
**Table of contents** | ||
|
||
.. contents:: | ||
:local: | ||
|
||
Configuration | ||
============= | ||
|
||
To configure this module, you need to: | ||
|
||
1. Enable debug mode | ||
2. Go to Settings / Technical / System parameters | ||
3. Create or edit parameter ``auth_totp_bypass_ip_range.networks`` | ||
|
||
The parameter can contain a whitespace separated list of networks in | ||
`CIDR | ||
notation <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation>`__. | ||
A specific IP address would be ie 42.42.42.42/32 | ||
|
||
Usage | ||
===== | ||
|
||
To use this module, you need to: | ||
|
||
1. Enable 2FA for some user | ||
2. Connect from an IP that was configured to bypass 2FA | ||
3. Observe that no 2FA challenge is raised | ||
|
||
Known issues / Roadmap | ||
====================== | ||
|
||
- support IPv6 | ||
|
||
Bug Tracker | ||
=========== | ||
|
||
Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_. | ||
In case of trouble, please check there if your issue has already been reported. | ||
If you spotted it first, help us to smash it by providing a detailed and welcomed | ||
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_totp_bypass_ip_range%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. | ||
|
||
Do not contact contributors directly about support or help with technical issues. | ||
|
||
Credits | ||
======= | ||
|
||
Authors | ||
------- | ||
|
||
* Hunki Enterprises BV | ||
|
||
Contributors | ||
------------ | ||
|
||
- Holger Brunn <[email protected]> | ||
(https://hunki-enterprises.com) | ||
|
||
Maintainers | ||
----------- | ||
|
||
This module is maintained by the OCA. | ||
|
||
.. image:: https://odoo-community.org/logo.png | ||
:alt: Odoo Community Association | ||
:target: https://odoo-community.org | ||
|
||
OCA, or the Odoo Community Association, is a nonprofit organization whose | ||
mission is to support the collaborative development of Odoo features and | ||
promote its widespread use. | ||
|
||
.. |maintainer-hbrunn| image:: https://github.com/hbrunn.png?size=40px | ||
:target: https://github.com/hbrunn | ||
:alt: hbrunn | ||
|
||
Current `maintainer <https://odoo-community.org/page/maintainer-role>`__: | ||
|
||
|maintainer-hbrunn| | ||
|
||
This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_totp_bypass_ip_range>`_ project on GitHub. | ||
|
||
You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from . import models |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Copyright 2025 Hunki Enterprises BV | ||
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl-3.0) | ||
|
||
{ | ||
"name": "IP based MFA bypass", | ||
"summary": "Define IP ranges consideres safe without MFA", | ||
"version": "16.0.1.0.0", | ||
"development_status": "Alpha", | ||
"category": "Extra Tools", | ||
"website": "https://github.com/OCA/server-auth", | ||
"author": "Hunki Enterprises BV, Odoo Community Association (OCA)", | ||
"maintainers": ["hbrunn"], | ||
"license": "AGPL-3", | ||
"depends": ["auth_totp"], | ||
"data": [], | ||
"demo": [], | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from . import res_users |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Copyright 2025 Hunki Enterprises BV | ||
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl-3.0) | ||
|
||
from ipaddress import IPv4Address, IPv4Network | ||
|
||
from odoo import models | ||
from odoo.http import request | ||
|
||
|
||
class ResUsers(models.Model): | ||
_inherit = "res.users" | ||
|
||
def _auth_totp_bypass_ip_range(self): | ||
""" | ||
Determine if the current request comes from an IP that bypasses MFA | ||
""" | ||
networks = ( | ||
self.env["ir.config_parameter"] | ||
.sudo() | ||
.get_param("auth_totp_bypass_ip_range.networks", "") | ||
.split() | ||
) | ||
ip = IPv4Address(request.httprequest.environ["REMOTE_ADDR"]) | ||
for network in networks: | ||
if ip in IPv4Network(network, strict=False): | ||
return True | ||
return False | ||
|
||
def _mfa_type(self): | ||
""" | ||
Don't do MFA if the request comes from an IP that is configures to bypass it | ||
""" | ||
if self._auth_totp_bypass_ip_range(): | ||
return None | ||
return super()._mfa_type() | ||
|
||
def _mfa_url(self): | ||
""" | ||
Don't do MFA if the request comes from an IP that is configures to bypass it | ||
""" | ||
if self._auth_totp_bypass_ip_range(): | ||
return None | ||
return super()._mfa_url() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
To configure this module, you need to: | ||
|
||
1. Enable debug mode | ||
2. Go to Settings / Technical / System parameters | ||
3. Create or edit parameter ``auth_totp_bypass_ip_range.networks`` | ||
|
||
The parameter can contain a whitespace separated list of networks in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). A specific IP address would be ie 42.42.42.42/32 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
- Holger Brunn \<[email protected]> (https://hunki-enterprises.com) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
This module allows to define some IP networks as not needing multi factor authentication. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
- support IPv6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
To use this module, you need to: | ||
|
||
1. Enable 2FA for some user | ||
2. Connect from an IP that was configured to bypass 2FA | ||
3. Observe that no 2FA challenge is raised |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.