[IMP] base: add expiration date on API keys

From a security point of view, API keys must have an expiration date
(only administrators can create persistent keys).

The expiration date of an API key is determined when it is created
and cannot be changed afterwards.

The maximum duration (a number of days) of an API key depends
on the privileges of the user creating the key.
This duration is determined according to the the groups
to which the user belongs.
Each group contains a maximum duration for api keys
(administrator can change this).

An API key whose expiration date has passed will be unusable
and will be deleted during the next garbage collector.

task-4143574

closes odoo#178558

Signed-off-by: Denis Ledoux (dle) <[email protected]>

Author: thle-odoo

addons/auth_totp/controllers/home.py

@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
 import re
 
+from datetime import datetime, timedelta
+
 from odoo import http, _
 from odoo.exceptions import AccessDenied
 from odoo.http import request
@@ -58,7 +60,11 @@ def web_totp(self, redirect=None, **kwargs):
                     if request.geoip.city.name:
                         name += f" ({request.geoip.city.name}, {request.geoip.country_name})"
 
-                    key = request.env['auth_totp.device']._generate("browser", name)
+                    key = request.env['auth_totp.device'].sudo()._generate(
+                        "browser",
+                        name,
+                        datetime.now() + timedelta(seconds=TRUSTED_DEVICE_AGE)
+                    )
                     response.set_cookie(
                         key=TRUSTED_DEVICE_COOKIE,
                         value=key,

addons/auth_totp/models/auth_totp.py

@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
-from odoo import api, models
-from odoo.addons.auth_totp.controllers.home import TRUSTED_DEVICE_AGE
+from odoo import models
 
 import logging
 _logger = logging.getLogger(__name__)
@@ -21,11 +20,3 @@ def _check_credentials_for_uid(self, *, scope, key, uid):
         """Return True if device key matches given `scope` for user ID `uid`"""
         assert uid, "uid is required"
         return self._check_credentials(scope=scope, key=key) == uid
-
-    @api.autovacuum
-    def _gc_device(self):
-        self._cr.execute("""
-            DELETE FROM auth_totp_device
-            WHERE create_date < (NOW() AT TIME ZONE 'UTC' - INTERVAL '%s SECONDS')
-        """, [TRUSTED_DEVICE_AGE])
-        _logger.info("GC'd %d totp devices entries", self._cr.rowcount)

addons/auth_totp_mail/models/auth_totp_device.py

@@ -22,12 +22,12 @@ def unlink(self):
 
         return super().unlink()
 
-    def _generate(self, scope, name):
+    def _generate(self, scope, name, expiration_date):
         """ Notify users when trusted devices are added onto their account.
         We override this method instead of 'create' as those records are inserted directly into the
         database using raw SQL. """
 
-        res = super()._generate(scope, name)
+        res = super()._generate(scope, name, expiration_date)
 
         self.env.user._notify_security_setting_update(
             _("Security Update: Device Added"),

addons/auth_totp_mail/tests/test_notify_security_update_totp.py

@@ -1,6 +1,9 @@
 # -*- coding: utf-8 -*-
 # Part of Odoo. See LICENSE file for full copyright and licensing details.
 
+from datetime import datetime, timedelta
+
+from odoo.addons.auth_totp.controllers.home import TRUSTED_DEVICE_AGE
 from odoo.addons.mail.tests.test_res_users import TestNotifySecurityUpdate
 from odoo.tests import users
 
@@ -28,15 +31,23 @@ def test_security_update_trusted_device_added_removed(self):
         """ Make sure we notify the user when TOTP trusted devices are added/removed on his account. """
         recipients = [self.env.user.email_formatted]
         with self.mock_mail_gateway():
-            self.env['auth_totp.device']._generate('trusted_device_chrome', 'Chrome on Windows')
+            self.env['auth_totp.device'].sudo()._generate(
+                'trusted_device_chrome',
+                'Chrome on Windows',
+                datetime.now() + timedelta(seconds=TRUSTED_DEVICE_AGE)
+            )
 
         self.assertMailMailWEmails(recipients, 'outgoing', fields_values={
             'subject': 'Security Update: Device Added',
         })
 
         # generating a key outside of the 'auth_totp.device' model should however not notify
         with self.mock_mail_gateway():
-            self.env['res.users.apikeys']._generate('new_api_key', 'New Key')
+            self.env['res.users.apikeys']._generate(
+                'new_api_key',
+                'New Key',
+                datetime.now() + timedelta(days=1)
+            )
         self.assertNotSentEmail(recipients)
 
         # now remove the key using the user's relationship

addons/mail_plugin/controllers/authenticate.py

@@ -73,7 +73,11 @@ def auth_access_token(self, auth_code='', **kw):
             return {"error": "Invalid code"}
         request.update_env(user=auth_message['uid'])
         scope = 'odoo.plugin.' + auth_message.get('scope', '')
-        api_key = request.env['res.users.apikeys']._generate(scope, auth_message['name'])
+        api_key = request.env['res.users.apikeys']._generate(
+            scope,
+            auth_message['name'],
+            datetime.datetime.now() + datetime.timedelta(days=1)
+        )
         return {'access_token': api_key}
 
     def _get_auth_code_data(self, auth_code):

addons/portal/tests/test_portal.py

@@ -1,3 +1,5 @@
+from datetime import datetime, timedelta
+
 from odoo import Command
 from odoo.http import Request
 from odoo.tests.common import HttpCase, tagged
@@ -15,7 +17,11 @@ def test_deactivate_portal_user(self):
             'password': login,
             'groups_id': [Command.set([self.env.ref('base.group_portal').id])],
         })
-        self.env['res.users.apikeys'].with_user(portal_user)._generate(None, 'Portal API Key')
+        self.env['res.users.apikeys'].with_user(portal_user)._generate(
+            None,
+            'Portal API Key',
+            datetime.now() + timedelta(days=1)
+        )
         self.assertTrue(portal_user.api_key_ids)
 
         # Request the deactivation of the portal account as portal through the route meant for this purpose

odoo/addons/base/models/res_users.py

@@ -191,9 +191,12 @@ class Groups(models.Model):
     color = fields.Integer(string='Color Index')
     full_name = fields.Char(compute='_compute_full_name', string='Group Name', search='_search_full_name')
     share = fields.Boolean(string='Share Group', help="Group created to set access rights for sharing data with some users.")
+    api_key_duration = fields.Float(string='API Keys maximum duration days',
+        help="Determines the maximum duration of an api key created by a user belonging to this group.")
 
     _sql_constraints = [
-        ('name_uniq', 'unique (category_id, name)', 'The name of the group must be unique within an application!')
+        ('name_uniq', 'unique (category_id, name)', 'The name of the group must be unique within an application!'),
+        ('check_api_key_duration', 'CHECK(api_key_duration >= 0)', 'The api key duration cannot be a negative value.'),
     ]
 
     @api.constrains('users')
@@ -2288,6 +2291,7 @@ class APIKeys(models.Model):
     user_id = fields.Many2one('res.users', index=True, required=True, readonly=True, ondelete="cascade")
     scope = fields.Char("Scope", readonly=True)
     create_date = fields.Datetime("Creation Date", readonly=True)
+    expiration_date = fields.Datetime("Expiration Date", readonly=True)
 
     def init(self):
         table = SQL.identifier(self._table)
@@ -2297,6 +2301,7 @@ def init(self):
             name varchar not null,
             user_id integer not null REFERENCES res_users(id) ON DELETE CASCADE,
             scope varchar,
+            expiration_date timestamp without time zone,
             index varchar(%(index_size)s) not null CHECK (char_length(index) = %(index_size)s),
             key varchar not null,
             create_date timestamp without time zone DEFAULT (now() at time zone 'utc')
@@ -2336,48 +2341,129 @@ def _check_credentials(self, *, scope, key):
         self.env.cr.execute('''
             SELECT user_id, key
             FROM {} INNER JOIN res_users u ON (u.id = user_id)
-            WHERE u.active and index = %s AND (scope IS NULL OR scope = %s)
+            WHERE
+                u.active and index = %s
+                AND (scope IS NULL OR scope = %s)
+                AND (
+                    expiration_date IS NULL OR
+                    expiration_date >= now() at time zone 'utc'
+                )
         '''.format(self._table),
         [index, scope])
         for user_id, current_key in self.env.cr.fetchall():
             if KEY_CRYPT_CONTEXT.verify(key, current_key):
                 return user_id
 
-    def _generate(self, scope, name):
+    def _check_expiration_date(self, date):
+        # To be in a sudoed environment or to be an administrator
+        # to create a persistent key (no expiration date) or
+        # to exceed the maximum duration determined by the user's privileges.
+        if self.env.is_system():
+            return
+        if not date:
+            raise UserError(_("The API key must have an expiration date"))
+        max_duration = max(group.api_key_duration for group in self.env.user.groups_id) or 1.0
+        if date > datetime.datetime.now() + datetime.timedelta(days=max_duration):
+            raise UserError(_("You cannot exceed %(duration)s days.", duration=max_duration))
+
+    def _generate(self, scope, name, expiration_date):
         """Generates an api key.
         :param str scope: the scope of the key. If None, the key will give access to any rpc.
         :param str name: the name of the key, mainly intended to be displayed in the UI.
+        :param date expiration_date: the expiration date of the key.
         :return: str: the key.
 
+        Note:
+        This method must be called in sudo to use a duration
+        greater than that allowed by the user's privileges.
+        For a persistent key (infinite duration), no value for expiration date.
         """
+        self._check_expiration_date(expiration_date)
         # no need to clear the LRU when *adding* a key, only when removing
         k = binascii.hexlify(os.urandom(API_KEY_SIZE)).decode()
         self.env.cr.execute("""
-        INSERT INTO {table} (name, user_id, scope, key, index)
-        VALUES (%s, %s, %s, %s, %s)
+        INSERT INTO {table} (name, user_id, scope, expiration_date, key, index)
+        VALUES (%s, %s, %s, %s, %s, %s)
         RETURNING id
         """.format(table=self._table),
-        [name, self.env.user.id, scope, KEY_CRYPT_CONTEXT.hash(k), k[:INDEX_SIZE]])
+        [name, self.env.user.id, scope, expiration_date or None, KEY_CRYPT_CONTEXT.hash(k), k[:INDEX_SIZE]])
 
         ip = request.httprequest.environ['REMOTE_ADDR'] if request else 'n/a'
         _logger.info("%s generated: scope: <%s> for '%s' (#%s) from %s",
             self._description, scope, self.env.user.login, self.env.uid, ip)
 
         return k
 
+    @api.autovacuum
+    def _gc_user_apikeys(self):
+        self.env.cr.execute(SQL("""
+            DELETE FROM %s
+            WHERE
+                expiration_date IS NOT NULL AND
+                expiration_date < now() at time zone 'utc'
+        """, SQL.identifier(self._table)))
+        _logger.info("GC %r delete %d entries", self._name, self.env.cr.rowcount)
+
 class APIKeyDescription(models.TransientModel):
     _name = 'res.users.apikeys.description'
     _description = 'API Key Description'
 
+    def _selection_duration(self):
+        # duration value is a string representing the number of days.
+        durations = [
+            ('1', '1 Day'),
+            ('7', '1 Week'),
+            ('30', '1 Month'),
+            ('90', '3 Months'),
+            ('180', '6 Months'),
+            ('365', '1 Year'),
+        ]
+        persistent_duration = ('0', 'Persistent Key')  # Magic value to detect an infinite duration
+        custom_duration = ('-1', 'Custom Date')  # Will force the user to enter a date manually
+        if self.env.is_system():
+            return durations + [persistent_duration, custom_duration]
+        max_duration = max(group.api_key_duration for group in self.env.user.groups_id) or 1.0
+        return list(filter(
+            lambda duration: int(duration[0]) <= max_duration, durations
+        )) + [custom_duration]
+
     name = fields.Char("Description", required=True)
+    duration = fields.Selection(
+        selection='_selection_duration', string='Duration', required=True,
+        default=lambda self: self._selection_duration()[0][0]
+    )
+    expiration_date = fields.Datetime('Expiration Date', compute='_compute_expiration_date', store=True, readonly=False)
+
+    @api.depends('duration')
+    def _compute_expiration_date(self):
+        for record in self:
+            duration = int(record.duration)
+            if duration >= 0:
+                record.expiration_date = (
+                    fields.Date.today() + datetime.timedelta(days=duration)
+                    if int(record.duration)
+                    else None
+                )
+
+    @api.onchange('expiration_date')
+    def _onchange_expiration_date(self):
+        try:
+            self.env['res.users.apikeys']._check_expiration_date(self.expiration_date)
+        except UserError as error:
+            warning = {
+                'type': 'notification',
+                'title': _('The API key duration is not correct.'),
+                'message': error.args[0]
+            }
+            return {'warning': warning}
 
     @check_identity
     def make_key(self):
         # only create keys for users who can delete their keys
         self.check_access_make_key()
 
         description = self.sudo()
-        k = self.env['res.users.apikeys']._generate(None, self.sudo().name)
+        k = self.env['res.users.apikeys']._generate(None, description.name, self.expiration_date)
         description.unlink()
 
         return {

odoo/addons/base/security/base_groups.xml

@@ -24,6 +24,7 @@
 
         <record model="res.groups" id="group_user">
             <field name="name">Internal User</field>
+            <field name="api_key_duration">90.0</field>
         </record>
 
         <record id="default_user" model="res.users">

odoo/addons/base/views/res_users_views.xml

@@ -75,6 +75,7 @@
                         <field name="category_id"/>
                         <field name="name"/>
                         <field name="share"/>
+                        <field name="api_key_duration" groups="base.group_no_one"/>
                     </group>
                     <notebook>
                         <page string="Users" name="users">
@@ -371,6 +372,14 @@
                         and complete, <strong>it will be the only way to
                         identify the key once created</strong>.
                     </p>
+                    <h3 class="fw-bold">
+                        Give a duration for the key's validity
+                    </h3>
+                    <field name="duration"/>
+                    <field name="expiration_date" invisible="duration != '-1'"/>
+                    <p>
+                        The key will be deleted once this period has elapsed.
+                    </p>
                     <footer>
                         <button name="make_key" type="object" string="Generate key" class="btn-primary" data-hotkey="q"/>
                         <button special="cancel" data-hotkey="x" string="Cancel" class="btn-secondary"/>
@@ -471,6 +480,7 @@
                                             <field name="name"/>
                                             <field name="scope"/>
                                             <field name="create_date"/>
+                                            <field name="expiration_date"/>
                                             <button type="object" name="remove"
                                                     string="Delete API key." icon="fa-trash"/>
                                         </list>