This patchset introduces the Two-factor authentication (2FA) idea in
Koha.
It is far from complete, and only implements one way of doing it, but at
least it's a first step.
The idea here is to offer the librarian user the ability to
enable/disable 2FA when logging in to Koha.
It will use time-based, one-time passwords (TOTP) as the second factor,
an application to handle that will be required.
https://en.wikipedia.org/wiki/Time-based_One-Time_Password
More developments are possible on top of this:
* Send a notice (sms or email) with the code
* Force 2FA for librarians
* Implementation for OPAC
* WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/
Test plan:
0.
a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all
b. To test this you will need an app to generate the TOTP token, you can
use FreeOTP that is open source and easy to use.
1. Turn on TwoFactorAuthentication
2. Go to your account, click 'More' > 'Manage Two-Factor authentication'
3. Click Enable, scan the QR code with the app, insert the pin code and
register
4. Your account now requires 2FA to login!
5. Notice that you can browse until you logout
6. Logout
7. Enter the credential and the pincode provided by the app
8. Logout
9. Enter the credential, no pincode
10. Confirm that you are stuck on the second auth form (ie. you cannot
access other Koha pages)
11. Click logout => First login form
12. Enter the credential and the pincode provided by the app
Sponsored-by: Orex Digital
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
In Elasticsearch 7 hits.total is now an object which is not always an exact
value. You can always get an exact total by adding a track_total_hits
parameter set to true when using the Elasticsearch search method
To test:
1) Run prove t/db_dependent/Koha/SearchEngine/Elasticsearch/Search.t
2) If you observe an error about types, apply patch for bug 25669
3) Run prove t/db_dependent/Koha/SearchEngine/Elasticsearch/Search.t
4) Observe that tests with count fail
5) Apply patch
6) Observe that tests with count pass
7) Sign off
Sponsored-by: Lund University Library
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
The library usage is discouraged by the current maintainer and we don't
use it in the codebase anymore.
To test:
1. Apply this patch
2. Run:
$ git grep MIME::Lite
=> SUCCESS: No uses of the removed library
3. Sign off :-D
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
defining package as 'recommended', as suggested
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
to test...
- apply patch
- build package
- confirm in about.pl that minimum versions are updated
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a new dependency, Email::Address. It is used in
Koha::Email to replace the current use of Email::Valid, which proved to
be problematic when it comes to UTF-8 characters.
Email::Address provides suitable regexes that -when used- keep our
tests passing, but also deal better with UTF-8 data.
To test:
1. Apply the regression tests patch
2. Notice the only change is that it tweaks a couple addresses so they
contain umlauts and also have the "Description <address>" format that
is used when sending carts.
3. Run:
$ kshell
k$ prove t/Koha/Email.t
=> FAIL: Tests fail! Things die because Email::Valid doesn't like the
from we passed.
4. Run:
$ sudo apt install libemail-address-perl
5. Apply this patch
6. Repeat 3
=> SUCCESS: Tests pass!
7. Try what is described in comment 1
=> SUCCESS: Things are back to normal
8. Sign off :-D
9. Send cookies
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We remove YAML::Syck on bug 22824 and YAML on 27673, to use YAML::XS.
However we need one of them for CGI::Session::Serialize::yaml
It's preferable to change the serializer and use the default one instead
of writing one based on YAML::XS (or patch the existing ::yaml that does
not seem maintained).
There was an encoding bug reported on the default serializer (see commit
a858e8a8b8) but we fail to recreate it.
Test plan:
Create 3 libraries with branchcode=branchname: "CPL", "ÄÄÄ~ÄãÃ" and "✔️❤️ ★"
Use the 3 options of SessionStorage and switch from one logged in
library to another.
Confirm that everything is working correctly (ie. no ending issue in the
library name at the top-right corner)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
CGI::Compile 0.24 has a bug:
https://github.com/miyagawa/CGI-Compile/issues/25
It can cause weird bugs, like breaking the authority detail display
after trying to modify an authority.
Steps to reproduce:
1. Install CGI::Compile 0.24
2. Restart starman with only 1 worker
3. Go to the detail page of an authority (authorities/detail.pl)
4. Go to the edit page (Edit » Edit record)
5. Check starman logs, you should see "Subroutine build_tabs redefined
at [...]"
6. Click on cancel to go back to the detail page, which should now show
a "blank" authority. Now the only way to get the authority back is to
restart starman.
Test plan:
1. Reproduce the bug
2. Install CGI::Compile 0.25 and restart starman
3. Make sure the bug is gone :)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
$YAML::XS::Boolean, which is used in Koha::SearchEngine::Elasticsearch,
was introduced in 0.67
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1/ apply patch
2/ build koha package
3/ confirm that libyaml-libyaml-perl package is installed, and
libyaml-syck-perl is not
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
From the YAML pod:
"""
This module has been released to CPAN as YAML::Old, and soon YAML.pm will be changed to just be a frontend interface module for all the various Perl YAML implementation modules, including YAML::Old.
If you want robust and fast YAML processing using the normal Dump/Load API, please consider switching to YAML::XS. It is by far the best Perl module for YAML at this time. It requires that you have a C compiler, since it is written in C.
"""
See also
https://gitlab.com/koha-community/qa-test-tools/-/merge_requests/35
Test plan:
Try some place where YAML::XS is not used and confirm that it works
correctly
QA note: This patch removes some uses of YAML that were not useful
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
- It is a required module. If it is missing, Koha will not start
- Set the minimum version to 2.00. While not strictly required, it's the
version that states that "Deprecation of Readonly::XS as a requirement
for fast, readonly scalars is complete", it is available in Debian
oldoldstable (jessie, 8), and Readonly::XS was not even needed with Perl
> 5.8, which allows us to:
- Remove dependency on Readonly::XS
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Since bug 26434, if the module is missing Koha does not start. So it
should be marked as required
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
It is known to be broken, we should remove its implementation
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
misc/translator/translate was doing three different things:
- extract translatable strings
- create or update PO files
- install translated templates
This patch separates responsibilities by moving the string extraction
code into several 'xgettext-like' scripts and adds gulp tasks to
automate string extraction and PO files update
This has several benefits:
- gulp runs tasks in parallel, so it's a lot faster (updating all PO
files is at least 10 times faster with my 4-cores CPU)
- there is no need for $KOHA_CONF to be defined
LangInstaller.pm relied on $KOHA_CONF to get the different paths
needed. I'm not sure why, since string extraction and PO update should
work on source files, not installed files
- string extraction code can be more easily tested
This patch also brings a couple of fixes and improvements:
- TT string extraction (strings wrapped in [% t(...) %]) was done with
Template::Parser and PPI, which was extremely slow, and had some
problems (see bug 24797).
This is now done with Locale::XGettext::TT2 (new dependency) which is
a lot faster, and fixes bug 24797
- Fix header in 4 PO files
For backward compatibility, 'create' and 'update' commands of
misc/translator/translate can still be used and will execute the
corresponding gulp task
Test plan:
1. Run `yarn install` and install Locale::XGettext::TT2
2. Run `gulp po:update`
3. Verify the contents of updated PO files
4. Run `cd misc/translator && ./translate install <lang>`
5. Verify that all (templates, sysprefs, xslt, installer files) is
correctly translated
6. Run `gulp po:create --lang <lang>` and verify that it created all PO
files for that language
7. Run `prove t/misc/translator`
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Need to install yarn & gulp, no errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch completely rewrites the Koha::Email class, inheriting from
Email::Stuffer. The latter suits well the use by Email::Sender, which is
to replace Mail::Sendmail on this patchset.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/Koha/Email.t
=> SUCCESS: Tests pass!
3. Verify all conditional codepaths are covered
4. Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Emma Perks <Emma.Perks2@uhb.nhs.uk>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds version 3.008 of Template to the excludes list in our
cpanfile. It also adds support for displaying this version on the about
page.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
to test...
1/ check about.pl, see old module versions
2/ apply patch
3/ check about.pl, see updated module versions
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
No longer used.
Signed-off-by: Kelly McElligott <kelly@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
When using Elasticsearch, Catmandu::Store::ElasticSearch is required for
search, and Catmandu::MARC is required for indexation
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Without it, catalogue/detail.pl dies (and probably other scripts too)
Test plan:
1. Uninstall GD, reload starman
2. Go to catalogue/detail.pl. Confirm that it dies
3. Reinstall GD, reload starman
4. Go to catalogue/detail.pl. Confirm that it works normally
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Set the e-mail headers Mailer-X and MessageID by Koha,
to gain a better positive score from the spam filter.
To test:
1) Let Koha send an e-mail message.
2) Check the header of this e-mail message with your e-mail client.
There should be no X-Mailer header with value 'Koha'. If there
is a MessageID header, it is probably set by the MSA, e.g. Exim.
Example:
Message-Id: <E1iyZRY-0006XT-0t@FQDN>
3) Apply patch.
4) Repeat step 1.
5) Check the header of the new e-mail message with your e-mail client.
There should be a X-Mailer header with value 'Koha' and a MessageID
header with a value set by Koha.
Example:
X-Mailer: Koha
Message-Id: <15807387030.B731e.18490@FQDN>
6) Sign off.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
It is not used anywhere.
Also, remove PDF::API2::Page and PDF::API2::Util from cpanfile.
These modules are included in PDF::API2 which is already in cpanfile.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
cpanfile is a format for describing CPAN dependencies for Perl
applications.
It is more concise - thus easier to read and maintain - than
C4::Installer::PerlDependencies, and allows to describe requirements
more accurately (using version ranges or features for instance)
Additionally it can be read by tools such as cpanm or carton for an
easy way to install dependencies on non-Debian-based systems.
For more information on cpanfile, see
http://search.cpan.org/~miyagawa/Module-CPANfile-1.1002/lib/cpanfile.pod
This patch replaces C4::Installer::PerlDependencies by an equivalent
cpanfile and updates all scripts/modules that were using PerlDependencies
It also removes dead code from C4::Installer::PerlModules (some
subroutines were not used at all, except in unit tests)
Added dependencies:
- Module::CPANfile
- CPAN::Meta (dependency of Module::CPANfile, but we need a more recent
version than the one Module::CPANfile requires)
Test plan:
1. Go to About page, tab Perl modules and keep this browser tab open
2. Apply patch
3. Install Module::CPANfile and CPAN::Meta
a. On Debian-based systems:
# will install libcpan-meta-perl as a dependency
sudo apt install libmodule-cpanfile-perl
b. Others:
# will install CPAN::Meta as a dependency
sudo cpanm Module::CPANfile
4. In a new browser tab, go to About page, tab Perl modules and compare
the table with the one in the previous browser tab
They should be identical, except for newly added dependencies
(Module::CPANfile and CPAN::Meta)
5. Do a 'standard' install
a. perl Makefile.PL (select 'standard')
b. make
c. sudo make install
d. Configure your database, web server, ... and go through the web
install process
6. Verify that the cpanfile got copied into PERL_MODULE_DIR (which
should be /usr/share/koha/lib)
7. Go to the about page of this fresh install and compare it with your
dev install
8. Verify that debian/list-deps still works
This takes a lot of time and it may not be necessary to wait until
the end. If you see some Debian package names that correspond to
modules in cpanfile, it means it still works
(you need apt-file for this script to work)
9. Verify that koha_perl_deps.pl still works
10. prove t/Installer_pm.t t/Installer_PerlModules.t
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>