odoo9-addon-keychain


Nameodoo9-addon-keychain JSON
Version 9.0.1.0.0 PyPI version JSON
download
home_pagehttps://akretion.com/
SummaryStore accounts and credentials
upload_time2017-04-11 18:51:06
maintainer
docs_urlNone
authorAkretion, Odoo Community Association (OCA)
requires_python
licenseAGPL-3
keywords
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            .. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
   :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
   :alt: License: AGPL-3

================
Keychain Account
================

This module allows you to store credentials of external systems.

* All the crendentials are stored in one place: easier to manage and to audit.
* Multi-account made possible without effort.
* Store additionnal data for each account. 
* Validation rules for additional data.
* Have different account for different environments (prod / test / env / etc).


By default, passwords are encrypted with a key stored in Odoo config.
It's far from an ideal password storage setup, but it's way better 
than password in clear text in the database.
It can be easily replaced by another system. See "Security" chapter below.

Accounts may be: market places (Amazon, Cdiscount, ...), carriers (Laposte, UPS, ...) 
or any third party system called from Odoo.

This module is aimed for developers.
The logic to choose between accounts will be achieved in dependent modules.


==========
Uses cases
==========

Possible use case for deliveries: you need multiple accounts for the same carrier. 
It can be for instance due to carrier restrictions (immutable sender address),
or business rules (each warehouse use a different account).


Configuration
=============

After the installation of this module, you need to add some entries
in Odoo's config file: (etc/openerp.cfg)

> keychain_key = fyeMIx9XVPBBky5XZeLDxVc9dFKy7Uzas3AoyMarHPA=

You can generate keys with `python keychain/bin/generate_key.py`.

This key is used to encrypt account passwords.

If you plan to use environments, you should add a key per environment:

> keychain_key_dev = 8H_qFvwhxv6EeO9bZ8ww7BUymNt3xtQKYEq9rjAPtrc=

> keychain_key_prod = y5z-ETtXkVI_ADoFEZ5CHLvrNjwOPxsx-htSVbDbmRc=

keychain_key is used for encryption when no environment is set.


Usage (for module dev)
======================


* Add this keychain as a dependency in __openerp__.py
* Subclass `keychain.account` and add your module in namespaces:  `(see after for the name of namespace )`

.. code:: python

    class LaposteAccount(models.Model):
        _inherit = 'keychain.account'

        namespace = fields.Selection(
            selection_add=[('roulier_laposte', 'Laposte')])

* Add the default data (as dict):

.. code:: python

    class LaposteAccount(models.Model):
        # ...
        def _roulier_laposte_init_data(self):
            return {
                "agencyCode": "",
                "recommandationLevel": "R1"
            }

* Implement validation of user entered data:

.. code:: python

    class LaposteAccount(models.Model):
        # ...
        def _roulier_laposte_validate_data(self, data):
            return len(data.get("agencyCode") > 3)

* In your code, fetch the account:

.. code:: python

    import random

    def get_auth(self):
        keychain = self.env['keychain.account']
        if self.env.user.has_group('stock.group_stock_user'):
            retrieve = keychain.suspend_security().retrieve
        else:
            retrieve = keychain.retrieve

        accounts = retrieve(
            [['namespace', '=', 'roulier_laposte']])
        account = random.choice(accounts)
        return {
            'login': account.login,
            'password': account.get_password()
        }


In this example, an account is randomly picked. Usually this is set according 
to rules specific for each client.

You have to restrict user access of your methods with suspend_security().

Warning: _init_data and _validate_data should be prefixed with your namespace!
Choose python naming function compatible name.

Switching from prod to dev
==========================

You may adopt one of the following strategies:

* store your dev accounts in production db using the dev key
* import your dev accounts with Odoo builtin methods like a data.xml (in a dedicated module).
* import your dev accounts with your own migration/cleanup script
* etc.

Note: only the password field is unreadable without the proper key, login and data fields 
are available on all environments.

You may also use a same `technical_name` and different `environment` for choosing at runtime
between accounts.

Usage (for user)
================

Go to *settings / keychain*, create a record with the following 

* Namespace: type of account (ie: Laposte)
* Name: human readable label "Warehouse 1"
* Technical Name: name used by a consumer module (like "warehouse_1")
* Login: login of the account
* Password_clear: For entering the password in clear text (not stored unencrypted)
* Password: password encrypted, unreadable without the key (in config)
* Data: a JSON string for additionnal values (additionnal config for the account, like: `{"agencyCode": "Lyon", "insuranceLevel": "R1"})`
* Environment: usually prod or dev or blank (for all)



.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
   :alt: Try me on Runbot
   :target: https://runbot.odoo-community.org/runbot/server-tools/9.0


Known issues / Roadmap
======================
- Account inheritence is not supported out-of-the-box (like defining common settings for all environments)
- Adapted to work with `server_environnement` modules
- Key expiration or rotation should be done manually
- Import passwords from data.xml

Security
========

This discussion: https://github.com/OCA/server-tools/pull/644 may help you decide if this module is suitable for your needs or not.

Common sense: Odoo is not a safe place for storing sensitive data. 
But sometimes you don't have any other possibilities. 
This module is designed to store credentials of data like carrier account, smtp, api keys...
but definitively not for credits cards number, medical records, etc.


By default, passwords are stored encrypted in the db using
symetric encryption `Fernet <https://cryptography.io/en/latest/fernet/>`_.
The encryption key is stored in openerp.tools.config.

Threats even with this module installed:

- unauthorized Odoo user want to access data: access is rejected by Odoo security rules
- authorized Odoo user try to access data with rpc api: he gets the passwords encrypted, he can't recover because the key and the decrypted password are not exposed through rpc
- db is stolen: without the key it's currently pretty hard to recover the passwords
- Odoo is compromised (malicious module or vulnerability): hacker has access to python and can do what he wants with Odoo: passwords of the current env can be easily decrypted
- server is compromised: idem

If your dev server is compromised, hacker can't decrypt your prod passwords
since you have different keys between dev and prod.

If you want something more secure: don't store any sensitive data in Odoo,
use an external system as a proxy, you can still use this module
for storing all other data related to your accounts.


Bug Tracker
===========

Bugs are tracked on `GitHub Issues
<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please
check there if your issue has already been reported. If you spotted it first,
help us smashing it by providing a detailed and welcomed feedback.

Credits
=======

`Akretion <https://akretion.com>`_


Contributors
------------

* Raphaƫl Reverdy <raphael.reverdy@akretion.com>

Funders
-------

The development of this module has been financially supported by:

* `Akretion <https://akretion.com>`_

Maintainer
----------

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.
            

Raw data

            {
    "_id": null,
    "home_page": "https://akretion.com/",
    "name": "odoo9-addon-keychain",
    "maintainer": "",
    "docs_url": null,
    "requires_python": "",
    "maintainer_email": "",
    "keywords": "",
    "author": "Akretion, Odoo Community Association (OCA)",
    "author_email": "support@odoo-community.org",
    "download_url": "",
    "platform": "UNKNOWN",
    "description": ".. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg\n   :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html\n   :alt: License: AGPL-3\n\n================\nKeychain Account\n================\n\nThis module allows you to store credentials of external systems.\n\n* All the crendentials are stored in one place: easier to manage and to audit.\n* Multi-account made possible without effort.\n* Store additionnal data for each account. \n* Validation rules for additional data.\n* Have different account for different environments (prod / test / env / etc).\n\n\nBy default, passwords are encrypted with a key stored in Odoo config.\nIt's far from an ideal password storage setup, but it's way better \nthan password in clear text in the database.\nIt can be easily replaced by another system. See \"Security\" chapter below.\n\nAccounts may be: market places (Amazon, Cdiscount, ...), carriers (Laposte, UPS, ...) \nor any third party system called from Odoo.\n\nThis module is aimed for developers.\nThe logic to choose between accounts will be achieved in dependent modules.\n\n\n==========\nUses cases\n==========\n\nPossible use case for deliveries: you need multiple accounts for the same carrier. \nIt can be for instance due to carrier restrictions (immutable sender address),\nor business rules (each warehouse use a different account).\n\n\nConfiguration\n=============\n\nAfter the installation of this module, you need to add some entries\nin Odoo's config file: (etc/openerp.cfg)\n\n> keychain_key = fyeMIx9XVPBBky5XZeLDxVc9dFKy7Uzas3AoyMarHPA=\n\nYou can generate keys with `python keychain/bin/generate_key.py`.\n\nThis key is used to encrypt account passwords.\n\nIf you plan to use environments, you should add a key per environment:\n\n> keychain_key_dev = 8H_qFvwhxv6EeO9bZ8ww7BUymNt3xtQKYEq9rjAPtrc=\n\n> keychain_key_prod = y5z-ETtXkVI_ADoFEZ5CHLvrNjwOPxsx-htSVbDbmRc=\n\nkeychain_key is used for encryption when no environment is set.\n\n\nUsage (for module dev)\n======================\n\n\n* Add this keychain as a dependency in __openerp__.py\n* Subclass `keychain.account` and add your module in namespaces:  `(see after for the name of namespace )`\n\n.. code:: python\n\n    class LaposteAccount(models.Model):\n        _inherit = 'keychain.account'\n\n        namespace = fields.Selection(\n            selection_add=[('roulier_laposte', 'Laposte')])\n\n* Add the default data (as dict):\n\n.. code:: python\n\n    class LaposteAccount(models.Model):\n        # ...\n        def _roulier_laposte_init_data(self):\n            return {\n                \"agencyCode\": \"\",\n                \"recommandationLevel\": \"R1\"\n            }\n\n* Implement validation of user entered data:\n\n.. code:: python\n\n    class LaposteAccount(models.Model):\n        # ...\n        def _roulier_laposte_validate_data(self, data):\n            return len(data.get(\"agencyCode\") > 3)\n\n* In your code, fetch the account:\n\n.. code:: python\n\n    import random\n\n    def get_auth(self):\n        keychain = self.env['keychain.account']\n        if self.env.user.has_group('stock.group_stock_user'):\n            retrieve = keychain.suspend_security().retrieve\n        else:\n            retrieve = keychain.retrieve\n\n        accounts = retrieve(\n            [['namespace', '=', 'roulier_laposte']])\n        account = random.choice(accounts)\n        return {\n            'login': account.login,\n            'password': account.get_password()\n        }\n\n\nIn this example, an account is randomly picked. Usually this is set according \nto rules specific for each client.\n\nYou have to restrict user access of your methods with suspend_security().\n\nWarning: _init_data and _validate_data should be prefixed with your namespace!\nChoose python naming function compatible name.\n\nSwitching from prod to dev\n==========================\n\nYou may adopt one of the following strategies:\n\n* store your dev accounts in production db using the dev key\n* import your dev accounts with Odoo builtin methods like a data.xml (in a dedicated module).\n* import your dev accounts with your own migration/cleanup script\n* etc.\n\nNote: only the password field is unreadable without the proper key, login and data fields \nare available on all environments.\n\nYou may also use a same `technical_name` and different `environment` for choosing at runtime\nbetween accounts.\n\nUsage (for user)\n================\n\nGo to *settings / keychain*, create a record with the following \n\n* Namespace: type of account (ie: Laposte)\n* Name: human readable label \"Warehouse 1\"\n* Technical Name: name used by a consumer module (like \"warehouse_1\")\n* Login: login of the account\n* Password_clear: For entering the password in clear text (not stored unencrypted)\n* Password: password encrypted, unreadable without the key (in config)\n* Data: a JSON string for additionnal values (additionnal config for the account, like: `{\"agencyCode\": \"Lyon\", \"insuranceLevel\": \"R1\"})`\n* Environment: usually prod or dev or blank (for all)\n\n\n\n.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas\n   :alt: Try me on Runbot\n   :target: https://runbot.odoo-community.org/runbot/server-tools/9.0\n\n\nKnown issues / Roadmap\n======================\n- Account inheritence is not supported out-of-the-box (like defining common settings for all environments)\n- Adapted to work with `server_environnement` modules\n- Key expiration or rotation should be done manually\n- Import passwords from data.xml\n\nSecurity\n========\n\nThis discussion: https://github.com/OCA/server-tools/pull/644 may help you decide if this module is suitable for your needs or not.\n\nCommon sense: Odoo is not a safe place for storing sensitive data. \nBut sometimes you don't have any other possibilities. \nThis module is designed to store credentials of data like carrier account, smtp, api keys...\nbut definitively not for credits cards number, medical records, etc.\n\n\nBy default, passwords are stored encrypted in the db using\nsymetric encryption `Fernet <https://cryptography.io/en/latest/fernet/>`_.\nThe encryption key is stored in openerp.tools.config.\n\nThreats even with this module installed:\n\n- unauthorized Odoo user want to access data: access is rejected by Odoo security rules\n- authorized Odoo user try to access data with rpc api: he gets the passwords encrypted, he can't recover because the key and the decrypted password are not exposed through rpc\n- db is stolen: without the key it's currently pretty hard to recover the passwords\n- Odoo is compromised (malicious module or vulnerability): hacker has access to python and can do what he wants with Odoo: passwords of the current env can be easily decrypted\n- server is compromised: idem\n\nIf your dev server is compromised, hacker can't decrypt your prod passwords\nsince you have different keys between dev and prod.\n\nIf you want something more secure: don't store any sensitive data in Odoo,\nuse an external system as a proxy, you can still use this module\nfor storing all other data related to your accounts.\n\n\nBug Tracker\n===========\n\nBugs are tracked on `GitHub Issues\n<https://github.com/OCA/server-tools/issues>`_. In case of trouble, please\ncheck there if your issue has already been reported. If you spotted it first,\nhelp us smashing it by providing a detailed and welcomed feedback.\n\nCredits\n=======\n\n`Akretion <https://akretion.com>`_\n\n\nContributors\n------------\n\n* Rapha\u00ebl Reverdy <raphael.reverdy@akretion.com>\n\nFunders\n-------\n\nThe development of this module has been financially supported by:\n\n* `Akretion <https://akretion.com>`_\n\nMaintainer\n----------\n\n.. image:: https://odoo-community.org/logo.png\n   :alt: Odoo Community Association\n   :target: https://odoo-community.org\n\nThis module is maintained by the OCA.\n\nOCA, or the Odoo Community Association, is a nonprofit organization whose\nmission is to support the collaborative development of Odoo features and\npromote its widespread use.\n\nTo contribute to this module, please visit https://odoo-community.org.",
    "bugtrack_url": null,
    "license": "AGPL-3",
    "summary": "Store accounts and credentials",
    "version": "9.0.1.0.0",
    "project_urls": {
        "Homepage": "https://akretion.com/"
    },
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "9ffeb1f3725097c0d6d7700ee1dd8bc82fe582ef6e849ddaaf8e0e2eb2f960e8",
                "md5": "82cbcf75822e615e5569beea547f1759",
                "sha256": "b5bcbc29915cb23b679b56bd7c632efec1f7d54a33cdf95bca915807a0a81e35"
            },
            "downloads": -1,
            "filename": "odoo9_addon_keychain-9.0.1.0.0-py2-none-any.whl",
            "has_sig": false,
            "md5_digest": "82cbcf75822e615e5569beea547f1759",
            "packagetype": "bdist_wheel",
            "python_version": "py2",
            "requires_python": null,
            "size": 19799,
            "upload_time": "2017-04-11T18:51:06",
            "upload_time_iso_8601": "2017-04-11T18:51:06.641085Z",
            "url": "https://files.pythonhosted.org/packages/9f/fe/b1f3725097c0d6d7700ee1dd8bc82fe582ef6e849ddaaf8e0e2eb2f960e8/odoo9_addon_keychain-9.0.1.0.0-py2-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2017-04-11 18:51:06",
    "github": false,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "lcname": "odoo9-addon-keychain"
}
        
Elapsed time: 0.10767s