Fix, do not authenticate Web session when using RPC

Author: florentx

CHANGES.rst

@@ -7,6 +7,9 @@ Changelog
 
 * Fix `context_get` arguments.
 
+* Do not authenticate with ``/web/session/authenticate`` when
+  protocol is ``jsonrpc`` or ``xmlrpc``.  It cannot authenticate API keys.
+
 * Fix PyPI classifiers.
 
 * Update documentation.

odooly.py

@@ -17,6 +17,7 @@
 import traceback
 
 from configparser import ConfigParser
+from getpass import getpass
 from threading import current_thread
 from urllib.parse import urljoin, urlencode
 from xmlrpc.client import Fault, ServerProxy, MININT, MAXINT
@@ -583,7 +584,6 @@ def _auth(self, user, password, context):
             verified = password and uid
             # Ask for password
             if not password and uid is not False:
-                from getpass import getpass
                 if user is None:
                     name = 'admin' if uid == SUPERUSER_ID else f'UID {uid}'
                 else:
@@ -948,16 +948,16 @@ def upgrade_cancel(self, *modules):
         """Press button ``Cancel Upgrade/Install/Uninstall``."""
         return self._upgrade(modules, button='cancel')
 
-    def session_authenticate(self, **kwargs):
+    def session_authenticate(self, login=None, password=None):
         """Create a Webclient session for current user."""
-        auth_cached = self._cache_get('auth').get(self.uid)
+        if not login:
+            login = self.user.login
         params = {
             'db': self.db_name,
-            'login': self.user and self.user.login,
-            'password': auth_cached and auth_cached[1],
-            **kwargs,
+            'login': login,
+            'password': password or getpass(f"Password for {login!r}: "),
         }
-        self.session_info = self.client.web_session.authenticate(**params)
+        self.session_info = self.client._authenticate_session(**params)
 
     def session_destroy(self):
         """Terminate current Webclient session."""
@@ -1115,14 +1115,18 @@ def close(self):
         self._connections = []
 
     def _authenticate(self, db, login, password):
-        if self.web and self.version_info > 8.0:
-            info = self.web_session.authenticate(db=db, login=login, password=password)
-        elif self.common:
+        if self.common:
             info = {'uid': self.common.login(db, login, password)}
+        elif self.web and self.version_info > 8.0:
+            info = self._authenticate_session(db, login, password)
         else:
             raise Error("Cannot authenticate")
         return info
 
+    def _authenticate_session(self, db, login, password):
+        info = self.web_session.authenticate(db=db, login=login, password=password)
+        return info
+
     def _login(self, user, password=None, database=None):
         """Switch `user` and (optionally) `database`.
 

tests/_common.py

@@ -21,8 +21,7 @@ def OBJ(model, method, *params, **kw):
         kw['context'] = sample_context
     elif kw['context'] is None:
         del kw['context']
-    extra = (params, kw) if kw else (params,)
-    return ('object.execute_kw', sentinel.AUTH, model, method, *extra)
+    return ('object.execute_kw', sentinel.AUTH, model, method, params) + ((kw,) if kw else ())
 
 
 class XmlRpcTestCase(TestCase):
@@ -44,8 +43,6 @@ def setUp(self):
 
         self.service = self._patch_service()
         if self.server and self.database:
-            if float(self.server_version) > 8.0:
-                self._patch_http_post()
             # create the client
             self.client = odooly.Client(
                 self.server, self.database, self.user, self.password)

tests/test_client.py

@@ -45,7 +45,6 @@ class TestService(XmlRpcTestCase):
     uid = 22
 
     def _patch_service(self):
-        self._patch_http_post()
         return mock.patch('odooly.ServerProxy._ServerProxy__request').start()
 
     def _get_client(self):
@@ -96,8 +95,6 @@ def test_service_openerp_client(self, server_version=11.0):
         server = f"{self.server}/{self.protocol}"
         return_values = [str(server_version), ['newdb'], 1, {}]
         if self.protocol == 'jsonrpc':
-            if server_version > 8.0:
-                return_values[2:] = [{'uid': 22, 'user_context': {'lang': 'it_IT'}}]
             return_values = [{'result': rv} for rv in return_values]
         self.service.side_effect = return_values
         client = odooly.Client(server, 'newdb', 'usr', 'pss')
@@ -126,18 +123,15 @@ def test_service_openerp_client(self, server_version=11.0):
             self.assertIn('/%s|db' % self.protocol, str(client.db.get_progress))
 
         if self.protocol == 'xmlrpc':
-            expected_calls = [call('server_version', ()), call('list', ())]
-            if server_version <= 8.0:
-                expected_calls += [
-                    call('login', ('newdb', 'usr', 'pss')),
-                    call('execute_kw', ('newdb', 1, 'pss', 'res.users', 'context_get', ()))
-                ]
+            expected_calls = [
+                call('server_version', ()),
+                call('list', ()),
+                call('login', ('newdb', 'usr', 'pss')),
+                call('execute_kw', ('newdb', 1, 'pss', 'res.users', 'context_get', ()))
+            ]
         else:
-            # server_version, list, web_auth
-            expected_calls = [ANY, ANY, ANY]
-            if server_version <= 8.0:
-                # server_version, list, login, context_get
-                expected_calls += [ANY]
+            # server_version, list, login, context_get
+            expected_calls = [ANY, ANY, ANY, ANY]
         self.assertCalls(*expected_calls)
         self.assertOutput('')
 
@@ -200,7 +194,7 @@ def test_create(self):
         self.assertOutput('')
 
     def test_create_getpass(self):
-        getpass = mock.patch('getpass.getpass',
+        getpass = mock.patch('odooly.getpass',
                              return_value='password').start()
         self.service.db.list.return_value = ['database']
         expected_calls = self.startup_calls + (
@@ -242,7 +236,7 @@ def test_create_from_config(self):
         env_tuple = (self.server, 'database', 'usr', None)
         read_config = mock.patch('odooly.read_config',
                                  return_value=env_tuple).start()
-        getpass = mock.patch('getpass.getpass',
+        getpass = mock.patch('odooly.getpass',
                              return_value='password').start()
         self.service.db.list.return_value = ['database']
         expected_calls = self.startup_calls + (
@@ -363,19 +357,15 @@ def test_create_database(self):
         expected_calls = [
             call.db.create_database('abc', 'db1', False, 'en_US', 'admin'),
             call.db.list(),
+            call.common.login('db1', 'admin', 'admin'),
+            call.object.execute_kw('db1', 1, 'admin', 'res.users', 'context_get', ()),
             call.db.create_database('xyz', 'db2', False, 'fr_FR', 'secret'),
             call.db.list(),
+            call.common.login('db2', 'admin', 'secret'),
+            call.object.execute_kw('db2', 1, 'secret', 'res.users', 'context_get', ()),
         ]
-        if float(self.server_version) <= 8.0:
-            expected_calls[2:2] = [
-                call.common.login('db1', 'admin', 'admin'),
-                call.object.execute_kw('db1', 1, 'admin', 'res.users', 'context_get', ()),
-            ]
-            expected_calls[6:] = [
-                call.common.login('db2', 'admin', 'secret'),
-                call.object.execute_kw('db2', 1, 'secret', 'res.users', 'context_get', ()),
-            ]
 
+        if float(self.server_version) <= 8.0:
             self.assertRaises(
                 odooly.Error, create_database, 'xyz', 'db2',
                 user_password='secret', lang='fr_FR', login='other_login', country_code='CA',
@@ -388,6 +378,8 @@ def test_create_database(self):
             expected_calls += [
                 call.db.create_database('xyz', 'db2', False, 'fr_FR', 'secret', 'other_login', 'CA'),
                 call.db.list(),
+                call.common.login('db2', 'other_login', 'secret'),
+                call.object.execute_kw('db2', 1, 'secret', 'res.users', 'context_get', ()),
             ]
         self.assertCalls(*expected_calls)
         self.assertOutput('')

tests/test_interact.py

@@ -36,7 +36,7 @@ def test_main(self):
         mock.patch('sys.argv', new=['odooly', '--env', 'demo']).start()
         read_config = mock.patch('odooly.read_config',
                                  return_value=env_tuple).start()
-        getpass = mock.patch('getpass.getpass',
+        getpass = mock.patch('odooly.getpass',
                              return_value='password').start()
         self.service.db.list.return_value = ['database']
         self.service.common.login.side_effect = [17, 51]
@@ -107,7 +107,7 @@ def test_invalid_user_password(self):
         mock.patch('sys.argv', new=['odooly', '--env', 'demo']).start()
         mock.patch('os.environ', new={'LANG': 'fr_FR.UTF-8'}).start()
         mock.patch('odooly.read_config', return_value=env_tuple).start()
-        mock.patch('getpass.getpass', return_value='x').start()
+        mock.patch('odooly.getpass', return_value='x').start()
         self.service.db.list.return_value = ['database']
         self.service.common.login.side_effect = [17, None]
         self.service.object.execute_kw.side_effect = [{}, 42, {}, TypeError, 42, {}]