Commit graph

15 commits

Author SHA1 Message Date
f965db69f1
Bug 34163: Handle both anonymous userenv when generating CSRF tokens
An anonymous session might have a userenv which is undef or which is
a hashref of undef/empty values.

This patch generates the "anonymous" prefix for undef/empty 'id'
values, which prevents CSRF errors when logging in via OAuth2/OIDC
following a Koha logout.

Test plan:
Before applying patch:
1. Go to https://wiki.koha-community.org/wiki/Testing_SSO
2. Set up OpenID Connect realm, user, client, and Koha
integration to Keycloak for koha-testing-docker as noted in the wiki

3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
4. Click on OIDC "Log in with XXXX" button and log into IDP
5. Note that you're not logged in and you instead see an error message like:
"There was an error authenticating to external identity provider wrong_csrf_token"

6. Apply patch
7. Go to "Sessions" section of the test realm in Keycloak
e.g. http://sso:8082/auth/admin/master/console/#/test/sessions
8. Click "Action" on the far right side of the screen
9. Choose "Sign out all active sessions"

After applying patch:
10. koha-plack --restart kohadev
11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
12. Click on OIDC "Log in with XXXX" button and log into IDP
13. Note that you're logged in

14. prove t/Token.t
15. Note all tests pass

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-09-12 09:45:01 -03:00
ad0aa754ee
Bug 27849: (follow-up) Add test
Compacting the code a bit too.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-08-01 09:53:35 -03:00
3cb8640cbf Bug 29543: Add JWT token handling
Mojo::JWT is installed already, it's not a new dependency.
We need a way to send the patron a token when it's correctly logged in,
and not assumed it's logged in only if patronid is passed

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-02 21:05:29 -10:00
f1f9c6dc74 Bug 26384: Fix executable flags
.pm must not have -x
.t must have -x
.pl must have -x

Test plan:
Apply only the first patch, run the tests and confirm that the failures
make sense
Apply this patch and confirm that the test now returns green

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-09-11 09:56:56 +02:00
6653a24148
Bug 17845: (RM follow-up) Restore a removed test
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-10 18:49:37 +00:00
07b0c5bc0e
Bug 17845: Adjust few other occurrences
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-10 15:18:28 +00:00
7d8b96803f
Bug 24545: Fix license statements
Bug 9978 should have fixed them all, but some were missing.
We want all the license statements part of Koha to be identical, and
using the GPLv3 statement.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-02-24 13:31:26 +00:00
e9fa69ca64 Bug 21998: Silent tests
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-22 20:21:45 +00:00
ee73d577ed Bug 21998: Throw exception on bad pattern
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-22 20:21:44 +00:00
b794643bb0 Bug 21998: Add pattern parameter in Koha::Token
Allow a pattern too in Koha::Token->generate. Only supported length.
Does not affect CSRF calls. So tiny change without further impact.

Test plan:
Run  t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-03-22 20:21:43 +00:00
7190593d9d Bug 18124: [Follow-up] Handle default parameters in a sub
Adds a internal routine to handle default values for the parameters
id and secret.
Also adds a parameter session_id for generate_csrf and check_csrf. This
session parameter is combined with the id parameter when generating or
checking a token.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-30 09:07:08 +00:00
3562816dd1 Bug 18124: Restrict CSRF token to user's session
Currently the CSRF token generated is based on the borrowernumber, and
is valid across user's session.
We need to restrict the CSRF token to the current session.

With this patch the CSRF token is generated concatenating the id
(borrowernumber) and the CGISESSID cookie.

Test plan:
Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-30 09:07:08 +00:00
a4e4c97521 Bug 17110: Add unit test for MaxAge parameter in Token.t
Test plan:
Run t/Token.t

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-09 13:40:41 +00:00
0fe7a4aa8e Bug 16929: [QA Follow-up] Shortcut methods and use statements
Resolves the following comments:

I'd prefer to see a generate_csrf method than a CSRF flag.
It'd be better to use instead of require the 2 modules.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:26:00 +00:00
523d0be9dc Bug 16929: Prevent opac-memberentry waiting for random chars
Move calls to WWW::CSRF to Koha::Token.
Send a safe random string to WWW::CSRF instead of letting CSRF make a
blocking call to Bytes::Random::Secure. If your server has not enough
entropy, opac-memberentry will hang waiting for more characters in
dev/random. Koha::Token uses Bytes::Random::Secure with the NonBlocking
flag.

Test plan:
[1] Do not yet apply this patch.
[2] If your server has not enough entropy, calling opac-memberentry may
    take a while. But this not may be the case for you (no worries).
[3] Apply this patch.
[4] Verify that opac-memberentry still works as expected.
[5] Run t/Token.t

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Yes, my server had entropy trouble (reason for finding the problem).
This patch resolves the delay.

Tested all 3 patches together, works as expected.
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:25:59 +00:00