oca-ocb-security/odoo-bringout-oca-ocb-auth_totp_mail/auth_totp_mail/tests/test_totp.py
Ernad Husremovic c0efcc53f5 19.0 vanilla
2026-03-09 09:32:28 +01:00

64 lines
2.6 KiB
Python

# Part of Odoo. See LICENSE file for full copyright and licensing details.
import logging
from datetime import datetime, timedelta
from xmlrpc.client import Fault
from odoo.tests import get_db_name, tagged, HttpCase
from odoo.tools import mute_logger
from odoo.addons.auth_totp.tests.test_totp import TestTOTPMixin
_logger = logging.getLogger(__name__)
@tagged('post_install', '-at_install')
class TestTOTPMail(TestTOTPMixin, HttpCase):
def test_totp_rpc_api_keys_only(self):
db = get_db_name()
login, password = self.user_test.login, self.user_test.login
uid = self.xmlrpc_common.authenticate(db, password, login, {})
# Without TOTP by mail, xmlrpc using password is expected
[result] = self.xmlrpc_object.execute_kw(db, uid, password, 'res.users', 'read', [uid, ['login']])
self.assertEqual(result['login'], login)
# Enable enforcing TOTP by mail
self.env['res.config.settings'].create({
'auth_totp_enforce': True,
'auth_totp_policy': 'all_required'
}).execute()
# With TOTP by mail, xmlrpc using password is not expected
with (
self.assertRaisesRegex(Fault, r'Access Denied'),
self.assertLogs(logger='odoo.addons.base.models.res_users') as log_catcher,
mute_logger("odoo.http")
):
self.xmlrpc_object.execute_kw(db, uid, password, 'res.users', 'read', [uid, ['login']])
self.assertIn("Invalid API key or password-based authentication", log_catcher.output[0])
# Create an API key for the user
api_key = self.env['res.users.apikeys'].with_user(self.user_test)._generate(
None, 'Foo', datetime.now() + timedelta(days=1)
)
# With TOTP by mail, xmlrpc using an API key is expected
[result] = self.xmlrpc_object.execute_kw(db, uid, api_key, 'res.users', 'read', [uid, ['login']])
self.assertEqual(result['login'], login)
@tagged('post_install', '-at_install')
class TestTOTPInvite(TestTOTPMixin, HttpCase):
def test_totp_administration(self):
# If not enabled (like in demo data), landing on res.config will try
# to disable module_sale_quotation_builder and raise an issue
group_order_template = self.env.ref('sale_management.group_sale_order_template', raise_if_not_found=False)
if group_order_template:
self.env.ref('base.group_user').write({"implied_ids": [(4, group_order_template.id)]})
self.install_totphook()
self.start_tour('/odoo', 'totp_admin_invite', login='admin')
self.start_tour('/odoo', 'totp_admin_self_invite', login='admin')