Merge pull request OCA#239 from OCA/15.0

Syncing from upstream OCA/server-auth (15.0)

.copier-answers.yml

@@ -1,14 +1,17 @@
 # Do NOT update manually; changes here will be overwritten by Copier
-_commit: v1.3.6
+_commit: v1.5.2
 _src_path: gh:oca/oca-addons-repo-template
 ci: GitHub
 dependency_installation_mode: PIP
 generate_requirements_txt: true
 include_wkhtmltopdf: false
 odoo_version: 15.0
+org_name: Odoo Community Association (OCA)
+org_slug: OCA
 rebel_module_groups: []
-repo_description: 'TODO: add repo description.'
-repo_name: server-auth
+repo_description: Modules for handling various authentication schemes
+repo_name: Server Authentication
 repo_slug: server-auth
+repo_website: https://github.com/OCA/server-auth
 travis_apt_packages: []
 travis_apt_sources: []

.eslintrc.yml

@@ -4,7 +4,7 @@ env:
 
 # See https://github.com/OCA/odoo-community.org/issues/37#issuecomment-470686449
 parserOptions:
-  ecmaVersion: 2017
+  ecmaVersion: 2019
 
 overrides:
   - files:

.github/workflows/pre-commit.yml

@@ -2,19 +2,34 @@ name: pre-commit
 
 on:
   pull_request:
+    branches:
+      - "15.0*"
   push:
+    branches:
+      - "15.0"
+      - "15.0-ocabot-*"
 
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
+      - name: Get python version
+        run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+      - uses: actions/cache@v1
         with:
-          # The pylint-odoo version we use here does not support python 3.10
-          # https://github.com/OCA/oca-addons-repo-template/issues/80
-          # We also need to pin to an older version of python for older odoo versions
-          # where we are not using black > 21. Older black versions won't work with
-          # Python 3.9.8+, and we can't bump black without reformatting.
-          python-version: "3.10"
-      - uses: pre-commit/action@v2.0.0
+          path: ~/.cache/pre-commit
+          key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
+      - name: Install pre-commit
+        run: pip install pre-commit
+      - name: Run pre-commit
+        run: pre-commit run --all-files --show-diff-on-failure --color=always
+      - name: Check that all files generated by pre-commit are in git
+        run: |
+          newfiles="$(git ls-files --others --exclude-from=.gitignore)"
+          if [ "$newfiles" != "" ] ; then
+              echo "Please check-in the following files:"
+              echo "$newfiles"
+              exit 1
+          fi

.github/workflows/test.yml

@@ -1,24 +1,45 @@
-name: test Odoo addons
+name: tests
 
 on:
   pull_request:
     branches:
       - "15.0*"
   push:
     branches:
-      - "15.0*"
+      - "15.0"
+      - "15.0-ocabot-*"
 
 jobs:
+  unreleased-deps:
+    runs-on: ubuntu-latest
+    name: Detect unreleased dependencies
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          for reqfile in requirements.txt test-requirements.txt ; do
+              if [ -f ${reqfile} ] ; then
+                  result=0
+                  # reject non-comment lines that contain a / (i.e. URLs, relative paths)
+                  grep "^[^#].*/" ${reqfile} || result=$?
+                  if [ $result -eq 0 ] ; then
+                      echo "Unreleased dependencies found in ${reqfile}."
+                      exit 1
+                  fi
+              fi
+          done
   test:
     runs-on: ubuntu-latest
     container: ${{ matrix.container }}
+    name: ${{ matrix.name }}
     strategy:
       fail-fast: false
       matrix:
         include:
           - container: ghcr.io/oca/oca-ci/py3.8-odoo15.0:latest
             makepot: "true"
+            name: test with Odoo
           - container: ghcr.io/oca/oca-ci/py3.8-ocb15.0:latest
+            name: test with OCB
     services:
       postgres:
         image: postgres:9.6

.pre-commit-config.yaml

@@ -48,7 +48,7 @@ repos:
           - --remove-duplicate-keys
           - --remove-unused-variables
   - repo: https://github.com/psf/black
-    rev: 21.9b0
+    rev: 22.3.0
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/mirrors-prettier
@@ -131,7 +131,7 @@ repos:
           - --exit-zero
         verbose: true
         additional_dependencies: &pylint_deps
-          - pylint-odoo==5.0.4
+          - pylint-odoo==5.0.5
       - id: pylint
         name: pylint with mandatory checks
         args:

README.md

@@ -1,13 +1,15 @@
-[![Runbot Status](https://runbot.odoo-community.org/runbot/badge/flat/251/15.0.svg)](https://runbot.odoo-community.org/runbot/repo/github-com-oca-server-auth-251)
-[![Build Status](https://travis-ci.com/OCA/server-auth.svg?branch=15.0)](https://travis-ci.com/OCA/server-auth)
+
+[![Runboat](https://img.shields.io/badge/runboat-Try%20me-875A7B.png)](https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=15.0)
+[![Pre-commit Status](https://github.com/OCA/server-auth/actions/workflows/pre-commit.yml/badge.svg?branch=15.0)](https://github.com/OCA/server-auth/actions/workflows/pre-commit.yml?query=branch%3A15.0)
+[![Build Status](https://github.com/OCA/server-auth/actions/workflows/test.yml/badge.svg?branch=15.0)](https://github.com/OCA/server-auth/actions/workflows/test.yml?query=branch%3A15.0)
 [![codecov](https://codecov.io/gh/OCA/server-auth/branch/15.0/graph/badge.svg)](https://codecov.io/gh/OCA/server-auth)
 [![Translation Status](https://translation.odoo-community.org/widgets/server-auth-15-0/-/svg-badge.svg)](https://translation.odoo-community.org/engage/server-auth-15-0/?utm_source=widget)
 
 <!-- /!\ do not modify above this line -->
 
-# server-auth
+# Server Authentication
 
-TODO: add repo description.
+Modules for handling various authentication schemes
 
 <!-- /!\ do not modify below this line -->
 
@@ -22,7 +24,7 @@ addon | version | maintainers | summary
 [auth_api_key](auth_api_key/) | 15.0.1.0.0 |  | Authenticate http requests from an API key
 [auth_api_key_group](auth_api_key_group/) | 15.0.1.0.0 | [![simahawk](https://github.com/simahawk.png?size=30px)](https://github.com/simahawk) | Allow grouping API keys together. Grouping per se does nothing. This feature is supposed to be used by other modules to limit access to services or records based on groups of keys.
 [auth_api_key_server_env](auth_api_key_server_env/) | 15.0.1.0.0 |  | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
-[auth_saml](auth_saml/) | 15.0.1.0.0 |  | Saml2 Authentication
+[auth_saml](auth_saml/) | 15.0.1.1.0 |  | SAML2 Authentication
 [auth_session_timeout](auth_session_timeout/) | 15.0.1.0.0 |  | This module disable all inactive sessions since a given delay
 
 
@@ -41,12 +43,11 @@ addon | version | maintainers | summary
 
 This repository is licensed under [AGPL-3.0](LICENSE).
 
-However, each module can have a totally different license, as long as they adhere to OCA
+However, each module can have a totally different license, as long as they adhere to Odoo Community Association (OCA)
 policy. Consult each module's `__manifest__.py` file, which contains a `license` key
 that explains its license.
 
 ----
-
 OCA, or the [Odoo Community Association](http://odoo-community.org/), is a nonprofit
 organization whose mission is to support the collaborative development of Odoo features
 and promote its widespread use.

auth_saml/README.rst

@@ -1,5 +1,5 @@
 ====================
-Saml2 Authentication
+SAML2 Authentication
 ====================
 
 .. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@@ -14,18 +14,18 @@ Saml2 Authentication
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/12.0/auth_saml
+    :target: https://github.com/OCA/server-auth/tree/15.0/auth_saml
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-12-0/server-auth-12-0-auth_saml
+    :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_saml
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/12.0
+    :target: https://runbot.odoo-community.org/runbot/251/15.0
     :alt: Try me on Runbot
 
-|badge1| |badge2| |badge3| |badge4| |badge5|
+|badge1| |badge2| |badge3| |badge4| |badge5| 
 
-Let users log into Odoo via an SAML2 provider.
+Let users log into Odoo via an SAML2 identity provider.
 
 This module allows to deport the management of users and passwords in an
 external authentication system to provide SSO functionality (Single Sign On)
@@ -53,42 +53,81 @@ between Odoo and other applications of your ecosystem.
 Installation
 ============
 
-This addon requires `pysaml2`.
+This addon requires the python module ``pysaml2``.
 
-Usage
-=====
+``pysaml2`` requires the binary ``xmlsec1`` (on Debian or Ubuntu you can install it with ``apt-get install xmlsec1``)
+
+Configuration
+=============
 
-#. Configure it according to your IDP's instructions
+To use this module, you need an IDP server, properly set up.
+
+#. Configure the module according to your IdP’s instructions
    (Settings > Users & Companies > SAML Providers).
 #. Pre-create your users and set the SAML information against the user.
-#. Just login with your SAML-provided password.
+
+By default, the module let users have both a password and SAML ids.
+To increase security, disable passwords by using the option in Settings.
+Note that the admin account can still have a password, even if the option is activated.
+Setting the option immediately remove all password from users with a configured SAML ids.
+
+If all the users have a SAML id in a single provider, you can set automatic redirection
+in the provider settings. The autoredirection will only be done on the active provider
+with the highest priority. It is still possible to access the login without redirection
+by using the query parameter ``disable_autoredirect``, as in
+``https://example.com/web/login?disable_autoredirect=`` The login is also displayed if
+there is an error with SAML login, in order to display any error message.
+
+Usage
+=====
+
+Users can login with the configured SAML IdP with buttons added in the login screen.
 
 Known issues / Roadmap
 ======================
 
-* Checks to ensure no Odoo user with SAML also has an Odoo password.
-* Setting to disable that rule.
+* clean up ``auth_saml.request``
 
 Changelog
 =========
 
-3.0
-~~~
+15.0.1.1.0
+~~~~~~~~~~
+
+Fix the module by adding a transaction to commit the token.
 
-* Migrate from lasso to pysaml2
+Fix the disallow password for users with SAML ids.
+Added tests to ensure the feature works correctly.
+Admin user is also an exception from not having a password. In Odoo 15.0, this is the standard user to connect for administrative task, not the super user.
 
-2.0
-~~~
+Improve provider form and list views.
 
-* SAML tokens are not stored in res_users anymore to avoid locks on that table
+Add auto redirect on providers. Use disable_autoredirect as a parameter query to disable automatic redirection (for example ``https://example.com/web/login?disable_autoredirect=``)
+
+Add certificate file name fields to improve the UI.
+
+Add required on several fields of the SAML provider; without them the server will crash and there is not enough information to make SAML work.
+
+Split signing to have finer control and be compatible with more IDP.
+
+Integrate token into res.users.saml, removing auth_saml.token. No need for a separate table, and no more need to create lines in the table.
+
+Avoid server errors when user try metadata page without necessary parameters.
+
+Replace method call from ``odoo.http.redirect_with_hash`` to ``request.redirect`` as the former does not exists in Odoo 15.0 anymore.
+
+Improved the module documentation.
+
+15.0.1.0.0
+~~~~~~~~~~
 
 Bug Tracker
 ===========
 
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_saml%0Aversion:%2012.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_saml%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -111,9 +150,14 @@ Contributors
 * Jeffery Chen Fan <jeffery9@gmail.com>
 * Bhavesh Odedra <bodedra@opensourceintegrators.com>
 * `Tecnativa <https://www.tecnativa.com/>`__:
+
   * Jairo Llopis
 * `GlodoUK <https://www.glodo.uk/>`__:
+
   * Karl Southern
+* `TAKOBI <https://takobi.online/>`__:
+
+  * Lorenzo Battistini
 
 Maintainers
 ~~~~~~~~~~~
@@ -128,6 +172,6 @@ OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/12.0/auth_saml>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/auth_saml>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_saml/__init__.py

@@ -1,2 +1 @@
-from . import controllers
-from . import models
+from . import controllers, models