This change adds the ability to enable and configure TCP keepalive
support for the SIP server using SIPconfig.xml.
For the sake of backwards compatibility, it defaults to disabled
and additional parameters default match typical kernel defaults.
Technical detail can be found in the perldoc for C4/SIP/SIPserver.pm
Test plan:
0. Apply the patch
1. koha-sip --restart kohadev
2. apt-get update && apt-get install tcpdump
3. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
4. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
5. Note in tcpdump output that after the initial flood of packets,
nothing more is received
6. vi /etc/koha/sites/kohadev/SIPconfig.xml
7. In the "server-params" element, add attributes like the following:
custom_tcp_keepalive='1'
custom_tcp_keepalive_time='10'
custom_tcp_keepalive_intvl='5'
8. koha-sip --restart kohadev
9. In one window, run "tcpdump -A -n -v -i any 'port 6001'"
10. In another window, run the following:
echo -e "9300CNterm1|COterm1|CPCPL|\r" | nc 127.0.0.1 6001 -v
11. Note in tcpdump output that after the initial flood of packets,
ACK packets are sent out every 10+ seconds for the idle connection
Signed-off-by: Tadeusz „tadzik” Sośnierz <tadeusz@sosnierz.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
The cron can take a very long time to run on systems with many issues.
For example, a partner with ~250k auto_renew issues is taking about 9 hours to run.
If we run that same number of issues in 5 parallel chunks
( splitting the number of issues as evenly as possible ), it could take under 2 hours.
Test Plan:
1) Generate a number of issues marked for auto_renew
2) Run the automatic_renewals.pl, use the `time` utility to track how much time it took to run
3) Set parallel_loops to 10 in auto_renew_cronjob section of config in koha-conf
4) Repeat step 2, note the improvement in speed
5) Experiment with other values
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
When an unauthorized call to svc is made, we use the ErrorDocument middleware to respond with an HTML
page. The API doens't do this, it simply returns its status. We should mount the svc as its own app to avoid
the redirect to HTML for unauthorized responses
To test:
1 - Create a report
2 - Add to IntranetUserJs:
$(document).ready(function() {
// Your report ID
var reportId = '492';
// Fetch the report
$.get('/cgi-bin/koha/svc/report?id=' + reportId, function(data) {
console.log('Kaboom');
});
});
3 - Log out
4 - Attempt to login
5 - KO
6 - Apply patch
7 - Reset all (or copy the necessary changes to your plack/apache files)
8 - Generate report and update user js again
8 - Logout, login
9 - Success!
Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Note that -gt is the bash integer comparison and > is the
lexical one:
$ if [ '1' \> '09' ]; then echo true; fi
true
$ if [ '1' -gt '09' ]; then echo true; fi
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Added the dev/null redirection to suppress warn in bin/sh.
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
After execution of koha-elasticsearch command a file named 0 remains in
the current directory.
Inside the single parentheses, the character '>' is treated as a file
redirection, not as a comparison operator.
Test plan:
==========
1. Have a test installation with Elasticsearch. As root, perform:
./debian/scripts/koha-elasticsearch --rebuild kohadev
When the command finishes, check the contents of the current
directory (ls -ltr | tail). You sould notice a fresh file named '0'
2. Apply the patch. Delete the file named 0.
3. Repeat p. 1. There should be no file named 0 now.
Signed-off-by: Roman Dolny <roman.dolny@jezuici.pl>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We all have a `demo` instance somewhere. It is so weird that the default
script for backing up Koha has a hardcoded exclusion for instances
called like that. This patch fixes that.
To test:
1. Add a demo instance:
$ ktd --shell
k$ sudo koha-create --create-db demo
2. Run:
k$ sudo debian/scripts/koha-run-backups
3. Check the backups:
k$ ls -l /var/spool/koha/demo/
=> FAIL: No backup for the demo instance
3. Apply this patch
4. Repeat 2
=> SUCCESS: Backup made!
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch adds some commented Elasticsearch security configuration,
which shows how to use username/password with HTTPS.
Test plan:
0. Apply patch
1. cp debian/templates/koha-conf-site.xml.in /etc/koha/koha-conf-site.xml.in
2. koha-create --create-db test
3. vi /etc/koha/sites/test/koha-conf.xml
4. Note that the comments for userinfo and use_https are in the koha-conf.xml
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Works as advertised.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
We keep OPEN when people still use log_file or setsid.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
My Koha testing docker SIP started dying repeatedly after launch. After investigation, I
found it was a problem with logging and default ports.
In D12 there is no syslog anymore, everythign uses journal. Four our purposes, lets log SIP issues
to sip.log by default
Attaching a patch to clear things up.
To test:
1 - Open KTD/D12
2 - tail -f /var/log/koha/kohadev/*.log
3 - On another terminal 'restart_all'
4 - Wait a bit, notice SIP dying
5 - Apply patch
6 - Update SIPconfig:
server-params:
log_file='/var/log/koha/kohadev/sip.log'
service with port 8023:
port="127.0.0.1:8023/tcp"
7 - Restart all
8 - Confirm SIP no longer dies
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?
This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).
To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl and add a line after: CGI->new:
warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl - only "Something's wrong" - you no longer see any user info
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Written patch to add flag to both koha-dump and koha-run-backups.
Test plan:
1. do a sudo koha-dump and sudo koha-run-backups and check the contents of the .tar.gz backup in /var/spool/koha/instance/ and verify logs are in there
2. apply this patch
3. this time do sudo koha-dump --exclude-logs and sudo koha-run-backups --exclude-logs and check the contents of the .tar.gz backup in /var/spool/koha/instance and verify nothing from /var/log/koha is in there.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Mimic missing stuff from apache-shared-opac.conf into apache-shared-opac-plack.conf, where /search and /opac-search.pl aliases were missing.
Note that while RewriteRule applies before reverse proxy directives and works, ScriptAlias applies purely to standard cgi perl scripts, meaning it didn't apply there.
Now it's mimicked analogously to how /index.html is configured.
This patch fixes an issue where someone might have just a reverse proxy to Plack configured without native Perl scripting, where this URL would then otherwise be failing.
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This adds a --status switch to the koha-plack command.
To test on ktd:
- Copy the script to /usr/sbin, so you run the modified script,
and not the one installed by Koha:
$ sudo cp debian/scripts/koha-plack /usr/sbin/
- Stop and start Plack for kohadev like so:
$ sudo koha-plack --stop kohadev
$ sudo koha-plack --start kohadev
And make sure this reports the correct status, both when Plack
is running and when it is not running:
$ sudo koha-plack --status kohadev
- Make sure --status is mentioned here:
$ sudo koha-plack --help
- See https://wiki.koha-community.org/wiki/Testing_man_pages for
details on how to check the manual page for the command
Signed-off-by: Tadeusz Sośnierz <tadeusz@sosnierz.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch introduces a Vue.js based record sources managing page. To
test it:
1. Apply this patch
2. Build the Vue.js stuff:
$ ktd --shell
k$ yarn js:build
k$ restart_all
3. On the staff interface, go to Administration > Record sources
4. Play with the interface and the offered actions
=> SUCCESS: Things go well
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch enabled the restart by default.
After a poll at hackfest24 we opted to enable this by default and the RM
requested I add the patch to the bug so we don't forget ;)
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch adds the ability to disable the automated plack restart we
introduce with this patchset via configuration.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Koha serves static .js files as application/javascript (if /etc/mime.types
says to) and serves them compressed, but output_with_http_headers uses the
currently-correct text/javascript mimetype, and Koha doesn't compress that.
Test plan:
1. Set the preference EnableAdvancedCatalogingEditor to Enable.
2. Open the browser Web Developer Tools to the Network tab
3. Load Cataloging - Advanced editor
4. Click on the line for the framework?frameworkcode=&callback=define load
5. Note the content-type text/javascript, no Content-Encoding line, and
the size of 1.9MB
6. Apply the patches from bug 36463 if they haven't been pushed, then this
patch, and reset_all
7. Repeat steps 1-4, and note a Content-Encoding: gzip header and a
Transferred size around 160KB
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch simply adds application/json to the mod_deflate configuration
To test:
1 - Open the netowrk tab in firefox
2 - Load http://localhost:8081/api/v1/libraries
3 - Not the transferred size, and note no 'Content-Encoding: gzip" header
4 - Apply patch, reset_all (or edit /etc/koha/apache-shared.conf)
5 - Reload
6 - Note smaller size, note gzip header
Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch fixes the syntax in marc21-retrieval-info-auth-dom.xml,
so that one can use the Zebra special retrieval elements documented
at https://software.indexdata.com/zebra/doc/special-retrieval.html
These are very useful when troubleshooting issues with authority
records in Zebra.
Test plan (using KTD):
1. yaz-client unix:/var/run/koha/kohadev/authoritysocket
2. Enter these commands:
. base authorities
. format xml
. elements zebra::snippet
. find e
. show 1
3. Result = diagnostic message:
Diagnostic message(s) from database:
[25] Specified element set name not valid for specified database
-- v2 addinfo 'zebra::snippet'
4. Apply the patch
5. Copy updated file: sudo cp debian/templates/marc21-retrieval-info-auth-dom.xml
/etc/koha/marc21-retrieval-info-auth-dom.xml
6. Stop and restart zebra (no need to rebuild the Zebra index):
. sudo koha-zebra --stop kohadev
. sudo pkill zebrasrv
. sudo koha-zebra --start kohadev
7. Repeat commands in step 2.
8. Result from show 1 = XML output:
Sent presentRequest (1+1).
Records: 1
Record type: XML
<record xmlns="http://www.indexdata.com/zebra/">
<snippet name="Any" type="w">Gontarski, S. <s>E</s></snippet>
</record>nextResultSetPosition = 2
Elapsed: 0.013929
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl
Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This patch changes the Zebra output log time format from
the default "hh:mm:ss-DD/MM" to the more standard ISO 8601
"%FT%T".
This change makes the logs easier to read for both
humans and machines. One benefit includes easy searching
and sorting.
Test plan:
1. cp debian/scripts/koha-zebra /usr/sbin/koha-zebra
2. koha-zebra --stop kohadev
3. koha-zebra --start kohadev
4. ps -efww | grep "zebrasrv"
5. Note "-m %FT%T" in the grep output
6. tail -f /var/log/koha/kohadev/zebra-output.log
7. Run a few searches like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=ccl%3Dargawarga%3D1 or http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=e
8. Note that the timestamp in the Zebra log is formatted "2020-12-22T00:13:42" instead of like "00:13:42-22/12"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
To test:
- Copy the koha-worker script to the standard location:
$ sudo cp debian/scripts/koha-worker /usr/sbin/koha-worker
- Check "sudo koha-worker --help" and verify elastic_index is
mentioned in the list of "current queues"
- See https://wiki.koha-community.org/wiki/Testing_man_pages for
how to check the "man" page. There should be a new paragraph
about "Current queues" under "--queue"
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This change allows Koha::Middleware::CSRF to use the ErrorDocument and
HTTPExcetions middlewares to display the correct status codes and HTML
documents.
Leveraging Plack environmental variables, we're also able to pass along
data to the error page handlers to show warnings indicating that there
was a missing CSRF token.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The easiest here is to not empty 'op' but instead redirect to an error
page.
Minor changes: to keep the patch simple it removed the 'dev only' error and
display the error for non-dev installs. It should not be a problem
anyway and will prevent errors to be hidden in the log.
We could make KOHA_ERROR an arrayref, but later (we don't need it now
anyway).
Note that the OPAC still not benefit from a friendly specific error for
invalid token.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Well, this test was silly, I was focussed on propagating an error to the
UI, but we really need to explode in this case.
Note that this requires more work as login is now broken.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Suggestion to move the CSRF check to CGI->new so that we will check it
for every request, and it will cover svc scripts as well (they are not
using get_template_and_user).
The token will be retrieve from the param list *or the csrf_token
header* (do we want to name it x-koha-csrf-token instead?).
This will be done for *every* request that are not GET: CSRF token is now
required everywhere CGI is used (side-effects possible?).
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan
* Create some old fake backups:
backuproot=/var/spool/koha
instance=kohadev
backupdir="$backuproot"/"$instance"
for i in 1 2 3 4 ; do
for j in sql tar xxx ; do
file="$backupdir"/"$instance"-$(date -I -d "- $i day").${j}.gz
if ! test -e "$file" ; then
touch -t "$(date +%Y%m%d%H%M -d "- $i day")" "$file"
fi
done
done
* Verify that --days parameter is validated
sudo koha-run-backups --days 0
sudo koha-run-backups --days foo
* Run backup
sudo koha-run-backups --days 3
* Verify that backups from 3 days have been preserved and older backups have been deleted
* Verify that filenames that do not match the pattern (the .xxx.gz files) are preserved
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This is in case it's needed anyway (see comment on previous patch)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This doesn't update the occurrence in the control file
as it says in control.in:
To test:
* Verify all occurrences of the README file have been updated. Exceptions:
* control (see above)
* changelog
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This removes the LEEME.Debian README file from the docs
directory. We don't even have an English README here as
we usually refer to the wiki for installation instructions.
It makes sense to remove it from the codebase.
To test:
* Verify that the file is removed
* Verify that all references to the file have been removed as well
Example: git grep LEEME
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
to test..
1/ install koha-common
$ sudo apt install koha-common
2/ start memcached, check PID
$ sudo service memcached start
$ sudo systemctl status memcached | grep PID
Main PID: 52851 (memcached)
3/ build and install new koha-common package (will trigger a restart)
$ sudo apt install ./koha-common-git+deadbeef.deb
5/ check that memcache is started, and has new PID (52900)
$ sudo systemctl status memcached | grep PID
Main PID: 52900 (memcached)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I think instead of a plain on/off switch we should use it in combination
with the plugin_repo's and set it to restrict to only those repos' (i.e.
disable uploads entirely if no repo's are listed, or just allow those
repo's when there are).
This patch achieves that, but only if plugins are installed via the
plugin browser method. We disable all direct upload avenues, so install
is blocked for other cases.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch enables enable_plugin_browser_upload by default,
since the current behaviour for Koha is to enable browser upload
when enable_plugins is 1.
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch adds a enable_plugin_browser_upload flag to koha-conf.xml, which
controls whether or not Koha intranet users can upload Koha plugins via
their browser. Like "enable_plugins", it defaults to 0 for new installs.
This is useful when you want to provide Koha intranet users with plugins
that are pre-installed by administrators (by CLI) or restricting them
to plugins from a Github repo. See the following for more information:
Bug 23975 - Add ability to search and install plugins from GitHub
Bug 23191 - Administrators should be able to install plugins from the command line
To test:
1) Apply the full patchset
2) Confirm <enable_plugins>1</enable_plugins> is present in koha-conf.xml
3) Add <plugins_restricted>1</plugins_restricted> to koha-conf.xml
4) Ensure that the <plugin_repos> block is not commented and contains at
least one trusted organisation in koha-conf.xml
If needed get it from: debian/templates/koha-conf-site.xml.in
5) Run restart_all (in koha-testing-docker)
6) Go to /cgi-bin/koha/plugins/plugins-home.pl and note that you don't see
an option to upload plugins
7) You should however see a search option and upon search you should have
results returned from the chosen trusted organisations listed in the
<plugin_repos> block mentioned above.
8) Clicking install on one of the results should work as expected and install
the plugin.
9) Go directly to /cgi-bin/koha/plugins/plugins-upload.pl and note that it says
"Plugin upload is restricted to only those plugins listed by your server
administrator" and gives instructions on how to enable unrestricted browser
upload.
Signed-off-by: Nicolas Legrand <nicolas.legrand@bulac.fr>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Rebased-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
In Debian 12/Bookworm:
root@kohadevbox:koha$ koha-shell kohadev
This account is currently not available.
This is because /etc/passwd has /usr/sbin/nologin as shell, which is coming from the --disabled-login param we passed to adduser in koha-create.
Looks like a bug has been fixed in adduser, because we didn't have this behavior in bullseye.
Context:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=625758#72
"""
- change and document (adduser(8)) that --disabled-password will behave
like --disabled-login and additionally set the shell to
/usr/sbin/nologin.
"""
427ade7d91
Test plan:
Confirm the above and that the change makes sense.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
I think the correct behavior for this script should be that koha-foreach
will return 0 (success) if all the commands it tried to run succeeded, but
1 (failure) if any of the commands failed.
To test:
1. $ koha-create --create-db test
2. $ vi test.sh
if [ $USER = 'kohadev-koha' ]; then
echo "FAILED";
exit 1;
else
echo "SUCCESS";
exit 0;
fi
3. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
4. $ echo $?
5. Note that the exit status is 0 (success)
6. Apply patch
7. $ debian/scripts/koha-foreach sh test.sh
FAILED
kohadev: 1 status returned by "sh test.sh"
SUCCESS
8. $ echo $?
9. Note that the exit status is 1 (failure)
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This change adds a mfa_range configuration option for TOTP
to koha-conf.xml, and overrides the "verify" method from
Auth::GoogleAuth in order to provide a new default for "range"
Test plan:
0. Apply the patch
1. koha-plack --restart kohadev
2. Go to
http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication
3. Change the syspref to "Enable"
4. Go to
http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51
5. Click "More" and "Manage two-factor authentication"
6. Register using an app
7. In an Incognito window, go to
http://localhost:8081/cgi-bin/koha/mainpage.pl
8. Sign in with the "koha" user
9. Note down a code from your Authenticator app
10. Wait until after 60 seconds and try it
11. Note it says "Invalid two-factor code"
12. Try a new code from the app
13. Note that it works
14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml
15. Clear memcached and koha-plack --restart kohadev
16. Sign in with the "koha" user
17. Note down a code from your Authenticator app
18. Wait 4 minutes and then try it
19. Note that it works
20. Disable your two-factor authentication and click to re-enable it
21. Use a code older than 60 seconds when registering for the two
factor authentication
22. Note that the code works
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
from debian and /etc koha-conf.xml files
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
