git.koha-community.org Git - koha.git/commit

Bug 20402: Implement OAuth2 authentication for REST API

It implements only the "client credentials" flow with no scopes
support. API clients are tied to an existing patron and have the same
permissions as the patron they are tied to.
API Clients are defined in $KOHA_CONF.

Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
     <api_client>
       <client_id>$CLIENT_ID</client_id>
       <client_secret>$CLIENT_SECRET</client_secret>
       <patron_id>X</patron_id> 
     </api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
   configuration:
   - OAuth flow: Client credentials
   - Access Token Request Method: POST
   - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
   - Access Token Request Client Authentication: Credentials in request
     body
   - Client ID: $CLIENT_ID
   - Client Secret: $CLIENT_SECRET
5. Click on the newly created configuration to generate a new token
   (which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
   http://$KOHA_URL/api/v1/patrons then click on SEND
   If patron X has permission 'borrowers', it should return 200 OK
   with the list of patrons
   Otherwise it should return 403 with the list of required permissions
   (Please test both cases)
7. Wait an hour (or run the following SQL query:
   UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
   You should have a 403 Forbidden status, and the token must have been
   removed from the database.
8. Create a bunch of tokens using RESTer, make some of them expires
   using the previous SQL query, and run the following command:
     misc/cronjobs/cleanup_database.pl --oauth-tokens
   Verify that expired tokens were removed, and that the others are
   still there
9. prove t/db_dependent/api/v1/oauth.t

[1] https://addons.mozilla.org/en-US/firefox/addon/rester/

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

author	Julian Maurice <julian.maurice@biblibre.com>
	Tue, 13 Mar 2018 12:17:12 +0000 (13:17 +0100)
committer	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Tue, 8 May 2018 18:55:42 +0000 (15:55 -0300)
commit	43a4b3c22c7a694975032a787c118fc1aeef5411
tree	619a7379d677dad9ec8b98308b7cffe8c8c2731e	tree \| snapshot
parent	896bb7ec54d128d829ed34a06a85a64586e53bff	commit \| diff

C4/Installer/PerlDependencies.pm		diff \| blob \| history
Koha/OAuth.pm	[new file with mode: 0644]	blob
Koha/OAuthAccessToken.pm	[new file with mode: 0644]	blob
Koha/OAuthAccessTokens.pm	[new file with mode: 0644]	blob
Koha/REST/V1.pm		diff \| blob \| history
Koha/REST/V1/Auth.pm		diff \| blob \| history
Koha/REST/V1/OAuth.pm	[new file with mode: 0644]	blob
Koha/Schema/Result/OauthAccessToken.pm	[new file with mode: 0644]	blob
api/v1/swagger/paths.json		diff \| blob \| history
api/v1/swagger/paths/oauth.json	[new file with mode: 0644]	blob
etc/koha-conf.xml		diff \| blob \| history
installer/data/mysql/atomicupdate/oauth_tokens.perl	[new file with mode: 0644]	blob
misc/cronjobs/cleanup_database.pl		diff \| blob \| history
t/db_dependent/api/v1/oauth.t	[new file with mode: 0755]	blob