admin/Odoo-Modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(fusion_login_audit): failure-burst alert email + cooldown

Browse Source 
Mail template + helpers (_fc_alert_*, _fc_recent_failure_count,
_fc_send_failure_alert) wired into _check_credentials so that crossing
the consecutive-failure threshold within the window queues exactly one
mail.mail per attempted login per 60-minute cooldown. Master switch
x_fc_login_audit_alert_enabled honoured. Recipients are members of
base.group_system with a non-empty email and share=False; the
__system__ superuser is excluded by Odoo''s default user filter.

Tests (3 new, 22 total green):
  test_failure_burst_queues_one_email
  test_cooldown_suppresses_second_alert
  test_alert_disabled_master_switch

setUp ensures base.user_admin has an email (fusion-dev''s admin user
ships without one; the only user with an email is __system__, which
is filtered out of standard res.users searches).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
gsinghpal
2026-05-26 21:43:18 -04:00
parent 6f6aa6e90a
commit a2d13cf83b
4 changed files with 274 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
fusion_login_audit/models/res_users.py
View File

@@ -151,19 +151,137 @@ class ResUsers(models.Model):
self._fc_record_login_event(result='success')
return result
def _fc_alert_threshold(self):
ICP = self.env['ir.config_parameter'].sudo()
try:
return max(1, int(ICP.get_param(
'fusion_login_audit.alert_threshold', 5)))
except (TypeError, ValueError):
return 5
def _fc_alert_window_min(self):
ICP = self.env['ir.config_parameter'].sudo()
try:
return max(1, int(ICP.get_param(
'fusion_login_audit.alert_window_min', 15)))
except (TypeError, ValueError):
return 15
def _fc_alert_enabled(self):
ICP = self.env['ir.config_parameter'].sudo()
# CLAUDE.md rule #5: Boolean config_parameter deletes on False.
# An absent key means True (the default). Explicit 'False' or 'false'
# means disabled.
raw = ICP.get_param('fusion_login_audit.alert_enabled', 'True')
return str(raw).strip().lower() != 'false'
def _fc_recent_failure_count(self, attempted_login):
"""Failures for this attempted_login within the alert window."""
from datetime import timedelta
if not attempted_login:
return 0
cutoff = fields.Datetime.now() - timedelta(
minutes=self._fc_alert_window_min())
return self.env['fusion.login.audit'].sudo().search_count([
('attempted_login', '=', attempted_login),
('result', '=', 'failure'),
('event_time', '>=', cutoff),
])
def _fc_send_failure_alert(self, attempted_login):
"""Queue one alert mail unless cooldown is active. Cooldown is
60 minutes, keyed by attempted_login, stored in ir.config_parameter."""
from datetime import timedelta
if not self._fc_alert_enabled():
return
if not attempted_login:
return
ICP = self.env['ir.config_parameter'].sudo()
cd_key = f'fusion_login_audit.last_alert:{attempted_login}'
cd_raw = ICP.get_param(cd_key)
now = fields.Datetime.now()
if cd_raw:
try:
last = fields.Datetime.from_string(cd_raw)
if last and (now - last) < timedelta(minutes=60):
return # cooldown active
except (TypeError, ValueError):
pass
window = self._fc_alert_window_min()
cutoff = now - timedelta(minutes=window)
Audit = self.env['fusion.login.audit'].sudo()
rows = Audit.search([
('attempted_login', '=', attempted_login),
('result', '=', 'failure'),
('event_time', '>=', cutoff),
], order='event_time desc', limit=20)
# Admin recipients: members of base.group_system (the Settings group)
# who have an email set and are not portal/share users. Note:
# CLAUDE.md rule #6 — res.groups has no `users` field in Odoo 19, so
# search res.users by group_ids directly. The __system__ superuser
# (uid=1) is excluded automatically by Odoo's default user filter.
admins = self.env['res.users'].sudo().search([
('group_ids', 'in', self.env.ref('base.group_system').id),
('email', '!=', False),
('share', '=', False),
])
if not admins:
return
tmpl = self.env.ref(
'fusion_login_audit.mail_template_failure_burst',
raise_if_not_found=False)
if not tmpl:
return
# CLAUDE.md rule #12: in mail.template QWeb, `ctx` IS env.context.
# So `ctx.get('foo')` resolves to env.context.get('foo'). Pass data
# by SPREADING keys into the context, not wrapping in a dict.
# `with_context(ctx=ctx_data)` would silently render an empty subject.
ctx_data = {
'attempted_login': attempted_login,
'failure_count': len(rows),
'window_min': window,
'rows': [{
'event_time': fields.Datetime.to_string(r.event_time),
'ip_address': r.ip_address or '',
'country_code': r.country_code or '',
'browser': r.browser or '',
'os': r.os or '',
} for r in rows],
}
for admin in admins:
tmpl.with_context(**ctx_data).send_mail(
admin.id,
email_values={'email_to': admin.email,
'auto_delete': True},
force_send=False,
)
ICP.set_param(cd_key, fields.Datetime.to_string(now))
def _check_credentials(self, credential, env):
try:
return super()._check_credentials(credential, env)
except AccessDenied:
cred_type = (credential or {}).get('type', 'password')
reason = '2fa_failed' if cred_type == 'totp' else 'bad_password'
attempted_login = (credential or {}).get('login') or self.login
self._fc_record_login_event(
result='failure',
failure_reason=reason,
user_id=self.id,
attempted_login=(credential or {}).get('login') or self.login,
attempted_login=attempted_login,
_credential=credential,
)
try:
if self._fc_recent_failure_count(attempted_login) \
>= self._fc_alert_threshold():
self._fc_send_failure_alert(attempted_login)
except Exception:
_logger.exception(
"fusion_login_audit: failed to send failure alert")
raise
def _login(self, credential, user_agent_env):