Koha/reserve/placerequest.pl
Robin Sheat 4cbeeedbe8 Bug 6296: allow users to be authenticated by SSL client certs
This adds a new syspref: AllowPKIAuth. It can have one of three states:
* None
* Common Name
* emailAddress

If a) this is set to something that's not "None", and b) the webserver
is passing SSL client cert details on to Koha, then the relevant field
in the user's certificate will be matched up against the field in the
database and they will be automatically logged in. This is used as a
secure form of single sign-on in some organisations.

The "Common Name" field is matched up against the userid, while
"emailAddress" is matched against the primary email.

This is an example of what might go in the Apache configuration for the
virtual host:

    #SSLVerifyClient require # only allow PKI authentication
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/apache2/ssl/test/ca.crt
    SSLOptions +StdEnvVars

The last line ensures that the required details are
passed to Koha.

To test the PKI authentication, use the following curl command:
    curl -k --cert client.crt --key client.key  https://URL/
(look through the output to find the "Welcome," line to indicate that a user
has been authenticated or the "Log in to Your Account" to indicate that a
user has not been authenticated)

To create the certificates needed for the above command, the following series
of commands will work:
    # Create the CA Key and Certificate for signing Client Certs
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # This is the ca.crt file that the Apache config needs to know about,
    # so put the file at /etc/apache2/ssl/test/ca.crt

    # Create the Server Key, CSR, and Certificate
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr

    # We're self signing our own server cert here.  This is a no-no in
    # production.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt

    # Create the Client Key and CSR
    openssl genrsa -des3 -out client.key 1024
    openssl req -new -key client.key -out client.csr

    # Sign the client certificate with our CA cert. Unlike signing our own
    # server cert, this is what we want to do.
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    # In theory we can install this client.p12 file in Firefox or Chrome, but
    # the exact steps for doing so are unclear, and outside the scope of this
    # patch

Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Tested with Common Name and E-mail authentication, as well as with PKI
authentication disabled. Regular logins continue to work in all cases when
SSL authentication is set to optional on the server.

Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA comment: synchronized updatedatabase.pl version of syspref with sysprefs.sql
version, to avoid divergent databases between new and upgrading users.
2012-03-19 17:02:44 +01:00

142 lines
5.1 KiB
Perl
Executable file

#!/usr/bin/perl
#script to place reserves/requests
#writen 2/1/00 by chris@katipo.oc.nz
# Copyright 2000-2002 Katipo Communications
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use strict;
use warnings;
use CGI;
use C4::Biblio;
use C4::Items;
use C4::Output;
use C4::Reserves;
use C4::Circulation;
use C4::Members;
use C4::Auth qw/checkauth/;
my $input = CGI->new();
checkauth($input, 0, { reserveforothers => 'place_holds' }, 'intranet');
my @bibitems=$input->param('biblioitem');
# FIXME I think reqbib does not exist anymore, it's used in line 82, to AddReserve of contraint type 'o'
# I bet it's a 2.x feature, reserving a given biblioitem, that is useless in Koha 3.0
# we can remove this line, the AddReserve of constrainttype 'o',
# and probably remove the reserveconstraint table as well, I never could fill anything in this table.
my @reqbib=$input->param('reqbib');
my $biblionumber=$input->param('biblionumber');
my $borrowernumber=$input->param('borrowernumber');
my $notes=$input->param('notes');
my $branch=$input->param('pickup');
my $startdate=$input->param('reserve_date') || '';
my @rank=$input->param('rank-request');
my $type=$input->param('type');
my $title=$input->param('title');
my $borrower=GetMember('borrowernumber'=>$borrowernumber);
my $checkitem=$input->param('checkitem');
my $expirationdate = $input->param('expiration_date');
my $multi_hold = $input->param('multi_hold');
my $biblionumbers = $multi_hold ? $input->param('biblionumbers') : ($biblionumber . '/');
my $bad_bibs = $input->param('bad_bibs');
my %bibinfos = ();
my @biblionumbers = split '/', $biblionumbers;
foreach my $bibnum (@biblionumbers) {
my %bibinfo = ();
$bibinfo{title} = $input->param("title_$bibnum");
$bibinfo{rank} = $input->param("rank_$bibnum");
$bibinfos{$bibnum} = \%bibinfo;
}
my $found;
# if we have an item selectionned, and the pickup branch is the same as the holdingbranch
# of the document, we force the value $rank and $found .
if ($checkitem ne ''){
$rank[0] = '0' unless C4::Context->preference('ReservesNeedReturns');
my $item = $checkitem;
$item = GetItem($item);
if ( $item->{'holdingbranch'} eq $branch ){
$found = 'W' unless C4::Context->preference('ReservesNeedReturns');
}
}
if ($type eq 'str8' && $borrower){
foreach my $biblionumber (keys %bibinfos) {
my $count=@bibitems;
@bibitems=sort @bibitems;
my $i2=1;
my @realbi;
$realbi[0]=$bibitems[0];
for (my $i=1;$i<$count;$i++) {
my $i3=$i2-1;
if ($realbi[$i3] ne $bibitems[$i]) {
$realbi[$i2]=$bibitems[$i];
$i2++;
}
}
my $const;
if ($checkitem ne ''){
my $item = GetItem($checkitem);
if ($item->{'biblionumber'} ne $biblionumber) {
$biblionumber = $item->{'biblionumber'};
}
}
if ($multi_hold) {
my $bibinfo = $bibinfos{$biblionumber};
AddReserve($branch,$borrower->{'borrowernumber'},$biblionumber,'a',[$biblionumber],
$bibinfo->{rank},$startdate,$expirationdate,$notes,$bibinfo->{title},$checkitem,$found);
} else {
if ($input->param('request') eq 'any'){
# place a request on 1st available
AddReserve($branch,$borrower->{'borrowernumber'},$biblionumber,'a',\@realbi,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem,$found);
} elsif ($reqbib[0] ne ''){
# FIXME : elsif probably never reached, (see top of the script)
# place a request on a given item
AddReserve($branch,$borrower->{'borrowernumber'},$biblionumber,'o',\@reqbib,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem, $found);
} else {
AddReserve($branch,$borrower->{'borrowernumber'},$biblionumber,'a',\@realbi,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem, $found);
}
}
}
if ($multi_hold) {
if ($bad_bibs) {
$biblionumbers .= $bad_bibs;
}
print $input->redirect("request.pl?biblionumbers=$biblionumbers&multi_hold=1");
} else {
print $input->redirect("request.pl?biblionumber=$biblionumber");
}
} elsif ($borrower eq ''){
print $input->header();
print "Invalid borrower number please try again";
# Not sure that Dump() does HTML escaping. Use firebug or something to trace
# instead.
# print $input->Dump;
}