[16.0][ADD] auth_totp_bypass_ip_range

auth_totp_bypass_ip_range/README.rst

@@ -0,0 +1,119 @@
+===================
+IP based MFA bypass
+===================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:293829077d34925720abfd9ded62f8faa4f395c144d03ecd0e5c7d8091d5bf55
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Alpha-red.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Alpha
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_totp_bypass_ip_range
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_totp_bypass_ip_range
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module allows to define some IP networks as not needing multi
+factor authentication.
+
+.. IMPORTANT::
+   This is an alpha version, the data model and design can change at any time without warning.
+   Only for development or testing purpose, do not use in production.
+   `More details on development status <https://odoo-community.org/page/development-status>`_
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+To configure this module, you need to:
+
+1. Enable debug mode
+2. Go to Settings / Technical / System parameters
+3. Create or edit parameter ``auth_totp_bypass_ip_range.networks``
+
+The parameter can contain a whitespace separated list of networks in
+`CIDR
+notation <https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation>`__.
+A specific IP address would be ie 42.42.42.42/32
+
+Usage
+=====
+
+To use this module, you need to:
+
+1. Enable 2FA for some user
+2. Connect from an IP that was configured to bypass 2FA
+3. Observe that no 2FA challenge is raised
+
+Known issues / Roadmap
+======================
+
+-  support IPv6
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_totp_bypass_ip_range%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Hunki Enterprises BV
+
+Contributors
+------------
+
+-  Holger Brunn <[email protected]>
+   (https://hunki-enterprises.com)
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-hbrunn| image:: https://github.com/hbrunn.png?size=40px
+    :target: https://github.com/hbrunn
+    :alt: hbrunn
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-hbrunn| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_totp_bypass_ip_range>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_totp_bypass_ip_range/__init__.py

@@ -0,0 +1 @@
+from . import models

auth_totp_bypass_ip_range/__manifest__.py

@@ -0,0 +1,17 @@
+# Copyright 2025 Hunki Enterprises BV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl-3.0)
+
+{
+    "name": "IP based MFA bypass",
+    "summary": "Define IP ranges consideres safe without MFA",
+    "version": "16.0.1.0.0",
+    "development_status": "Alpha",
+    "category": "Extra Tools",
+    "website": "https://github.com/OCA/server-auth",
+    "author": "Hunki Enterprises BV, Odoo Community Association (OCA)",
+    "maintainers": ["hbrunn"],
+    "license": "AGPL-3",
+    "depends": ["auth_totp"],
+    "data": [],
+    "demo": [],
+}

auth_totp_bypass_ip_range/models/__init__.py

@@ -0,0 +1 @@
+from . import res_users

auth_totp_bypass_ip_range/models/res_users.py

@@ -0,0 +1,51 @@
+# Copyright 2025 Hunki Enterprises BV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl-3.0)
+
+import logging
+from ipaddress import AddressValueError, IPv4Address, IPv4Network
+
+from odoo import models
+from odoo.http import request
+
+_logger = logging.getLogger("auth_totp_bypass_ip_range")
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _auth_totp_bypass_ip_range(self):
+        """
+        Determine if the current request comes from an IP that bypasses MFA
+        """
+        networks = (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param("auth_totp_bypass_ip_range.networks", "")
+            .split()
+        )
+        ip = IPv4Address(request.httprequest.environ["REMOTE_ADDR"])
+        for network in networks:
+            try:
+                parsed_network = IPv4Network(network, strict=False)
+            except AddressValueError:
+                _logger.error("%s is not a valid network", network)
+                continue
+            if ip in parsed_network:
+                return True
+        return False
+
+    def _mfa_type(self):
+        """
+        Don't do MFA if the request comes from an IP that is configured to bypass it
+        """
+        if self._auth_totp_bypass_ip_range():
+            return None
+        return super()._mfa_type()
+
+    def _mfa_url(self):
+        """
+        Don't do MFA if the request comes from an IP that is configured to bypass it
+        """
+        if self._auth_totp_bypass_ip_range():
+            return None
+        return super()._mfa_url()

auth_totp_bypass_ip_range/readme/CONFIGURE.md

@@ -0,0 +1,7 @@
+To configure this module, you need to:
+
+1. Enable debug mode
+2. Go to Settings / Technical / System parameters
+3. Create or edit parameter ``auth_totp_bypass_ip_range.networks``
+
+The parameter can contain a whitespace separated list of networks in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). A specific IP address would be ie 42.42.42.42/32

auth_totp_bypass_ip_range/readme/CONTRIBUTORS.md

@@ -0,0 +1 @@
+- Holger Brunn \<[email protected]> (https://hunki-enterprises.com)

auth_totp_bypass_ip_range/readme/DESCRIPTION.md

@@ -0,0 +1 @@
+This module allows to define some IP networks as not needing multi factor authentication.

auth_totp_bypass_ip_range/readme/ROADMAP.md

@@ -0,0 +1 @@
+- support IPv6

auth_totp_bypass_ip_range/readme/USAGE.md

@@ -0,0 +1,5 @@
+To use this module, you need to:
+
+1. Enable 2FA for some user
+2. Connect from an IP that was configured to bypass 2FA
+3. Observe that no 2FA challenge is raised