From 16851a23aa914cf7426e4cc62e8a6fc040dcbea8 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 17 Sep 2020 18:34:21 +0000 Subject: [PATCH] Bug 15720: Add connexion user and password options to connexion daemon Currently the connexion daemon does not utilize the user and password passed in the requests, it expects a user and password to be defined in the config file and for that user to be a valid Koha user with cataloging permissions. With that user in place all requests to the daemon are authorized. As the connections are over TCP we allow defining a new connexion user and password to protect Koha account information. If not defined current behaviour is preserved. Connexion user and password must both be set it either is set. Sample config file: host: port: 8888 koha:http://localhost:8081 log:/var/log/koha/kohadev/connexion.log match:ISBN user:kohauser password:kohapass overlay_action:replace nomatch_action:create_new item_action:always_add import_mode:redirect debug:1 To test: 1 - Create connexion file and save on the Koha serve 2 - perl misc/bin/connexion_import_daemon.pl -c /kohadevbox/koha/connexion.cnf 3 - Ensure the user specified above (connexuser) exists and has edit catalogue permissions 4 - In another terminal make a request to the server: echo -en 'U6turtleA9connexionP5shell00024 a62clear00024 4500' | nc -v localhost 8888 5 - The request should succeed and record added to batch (probably the import fails, but not important) 6 - Add to config file connexion_user:conuser 7 - Stop and restart the daemon - it should fail on missing connexion_password 8 - Comment out connexion_user and add connexion_password:conpass 9 - Stop and restart daemon, it fails on missing connexion_user 10 - Uncomment the user and restart 11 - Make another request echo -en 'U6turtleA9connexionP5shell00024 a62clear00024 4500' | nc -v localhost 8888 12 - It fails 'Unauthorized request' 13 - Make another request echo -en 'U7conuserA9connexionP7conpass00024 a62clear00024 4500' | nc -v localhost 8888 14 - It succeeds! Signed-off-by: Allison Blanning Signed-off-by: Kyle M Hall Signed-off-by: Jonathan Druart --- misc/bin/connexion_import_daemon.pl | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/misc/bin/connexion_import_daemon.pl b/misc/bin/connexion_import_daemon.pl index 22407eb2a8..9d430ffc96 100755 --- a/misc/bin/connexion_import_daemon.pl +++ b/misc/bin/connexion_import_daemon.pl @@ -60,6 +60,11 @@ Config file format: add_only_for_matches, add_only_for_new or ignore import_mode - stage or direct framework - to be used if import_mode is direct + connexion_user - User sent from connexion client + connexion_password - Password sent from connexion client + + Note: If connexion parameters are not defined request authentication will not be checked + You should specify a different user for connexion to protect the Koha credentials All process related parameters (all but ip and port) have default values as per Koha import process. @@ -141,6 +146,14 @@ sub parse_config { $self->{password} = delete( $param{password} ) or die "No koha user password in config file"; + if( defined $param{connexion_user} || defined $param{connexion_password}){ + # If either is defined we expect both + $self->{connexion_user} = delete( $param{connexion_user} ) + or die "No koha connexion_user in config file"; + $self->{connexion_password} = delete( $param{connexion_password} ) + or die "No koha user connexion_password in config file"; + } + $self->{host} = delete( $param{host} ); $self->{port} = delete( $param{port} ) or die "Port not specified"; @@ -247,7 +260,6 @@ sub read_request { } $in = join '', @in_arr; - $in =~ m/(.)$/; my $lastchar = $1; my ($xml, $user, $password, $local_user); @@ -300,6 +312,7 @@ sub read_request { $self->log("Invalid request", $in, @details); return; } + $user = $local_user if !$user && $local_user; $self->log("Request", @details); $self->log($in) if $self->{debug}; @@ -319,10 +332,16 @@ sub _trim_identifier { sub handle_request { my ( $self, $io ) = @_; - my ($data, $user, $password) = $self->read_request($io) or return $self->error_response("Bad request"); + unless( + !(defined $self->{connexion_user}) || + ($user eq $self->{connexion_user} && $password eq $self->{connexion_password}) + ){ + return $self->error_response("Unauthorized request"); + } + my $ua; if ($self->{user}) { $user = $self->{user}; -- 2.39.5