[Bug 20624] New: Allow switching off the OAuth2 client credentials grant


[Bug 20624] New: Allow switching off the OAuth2 client credentials grant

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

            Bug ID: 20624
           Summary: Allow switching off the OAuth2 client credentials
                    grant
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 20624] Allow switching off the OAuth2 client credentials grant

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |20402, 20568, 20612


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
[Bug 20402] Implement OAuth2 authentication for REST API
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568
[Bug 20568] Add API key management interface for patrons
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20612
[Bug 20612] Make OAuth2 use patron's client_id/secret pairs

[Bug 20624] Allow switching off the OAuth2 client credentials grant

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.renvoize@ptfs-europe
                   |                            |.com

--- Comment #1 from Martin Renvoize <[hidden email]> ---
Holistic review found here:
https://github.com/PTFS-Europe/koha/pull/112#pullrequestreview-113933459


[Bug 20624] Allow switching off the OAuth2 client credentials grant

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |20627


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20627
[Bug 20627] Prevent leakages of user permissions to api access tokens

[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Allow switching off the     |Disable the OAuth2 client
                   |OAuth2 client credentials   |credentials grant by
                   |grant                       |default


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]-commun |[hidden email]
                   |ity.org                     |


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|20627                       |


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20627
[Bug 20627] Prevent leakages of user permissions to api access tokens

[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #2 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 74986
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74986&action=edit
Bug 20624: Add RESTOAuth2ClientCredentials syspref

Signed-off-by: Tomas Cohen Arazi <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #3 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 74987
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74987&action=edit
Bug 20624: Unit tests

This patch adds tests to verify that disabling the RESTOAuth2ClientCredentials
syspref makes any request on the /api/v1/oauth/token using the
'client_credentials' grant fail with 'grant not implemented'.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail because the change is not implemented!


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #4 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 74988
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74988&action=edit
Bug 20624: Make /api/v1/oauth/token respect RESTOAuth2ClientCredentials

This patch makes the /api/v1/oauth/token endpoint respect the
RESTOAuth2ClientCredentials syspref. It will return 400 (with
'Unimplemented grant type' error message) in the event of the syspref
being disabled and the grant_type => 'client_credentials' value passed.

To test:
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: It fails because the off-switch is not implemented
- Apply this patch
- Run:
  k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
- Sign off :-D


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #5 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 74989
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74989&action=edit
Bug 20624: Make staff client respect RESTOAuth2ClientCredentials

This patch makes the staff client UI respect the
RESTOAuth2ClientCredentials syspref.

To test:
- Make sure RESTOAuth2ClientCredentials is "Don't enable"
- Go to a patron's detail page
=> SUCCESS: The 'More' dropdown doesn't show the API keys management
link.
- Enable RESTOAuth2ClientCredentials
- Reload
=> SUCCESS: The 'More' dropdown shows the API keys management link
- Click on the API keys management link
=> SUCCESS: You can edit the api keys
- Disable the syspref
- Reload
=> SUCCESS: You are presented an error 400 page.
- Sign off :-D


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|NEW                         |Needs Signoff


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
                   |                            |, [hidden email],
                   |                            |[hidden email]


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #6 from Katrin Fischer <[hidden email]> ---
Applied 20402, then bug 20568, but the latest patch there doesn't apply:
Apply? [(y)es, (n)o, (i)nteractive] y
Applying: Bug 20568: API keys management in interface
Applying: Bug 20568: Add mandatory description field for api keys
Applying: Bug 20568: Unit tests
Applying: Bug 20568: API key management for OPAC users
error: sha1 information is lacking or useless
(koha-tmpl/opac-tmpl/bootstrap/en/includes/usermenu.inc).
error: could not build fake ancestor
Patch failed at 0001 Bug 20568: API key management for OPAC users
The copy of the patch that failed is found in: .git/rebase-apply/patch
When you have resolved this problem run "git bz apply --continue".
If you would prefer to skip this patch, instead run "git bz apply --skip".
To restore the original branch and stop patching run "git bz apply --abort".
Patch left in /tmp/Bug-20568-API-key-management-for-OPAC-users-Igx9Ny.patch

Sorry, stuck :(


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #7 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 75020
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75020&action=edit
Bug 20624: (QA follow-up) Unit tests for missing deps situation

This patch tests the situation in which Net::OAuth2::AuthorizationServer
is missing. It mocks Module::Load::Conditional::can_load and expects the
/token endpoint to answer 'Unimplemented grant type' to all requests, and
the 'authenticate_api_request' in 'under' to exit with unauthorized (403)
for requests in which the Authorization header is passed containing a
Bearer token, but OAuth2 is not really available.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail because our REST endpoints don't support this
behaviour.

Signed-off-by: Tomas Cohen Arazi <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #8 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 75021
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75021&action=edit
Bug 20624: (QA follow-up) Handle missing deps gracefully

This patch makes the /token endpoint and the authenticate_api_request
method behave correctly in the event of missing deps for OAuth2.

To test:
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: The behaviour is not implemented
- Apply this patch
- Run:
 k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!

Signed-off-by: Tomas Cohen Arazi <[hidden email]>
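The two gates described in comments #4 and #8 above (400 'Unimplemented grant type' from the token endpoint when the syspref is off or Net::OAuth2::AuthorizationServer cannot be loaded; 403 from the 'under' guard when a Bearer token arrives while OAuth2 is unavailable), modelled as a stand-alone Mojolicious::Lite app. This is an added example, not Koha's code: the %SYSPREFS hash stands in for Koha's system preference store, and the /api/v1/ping route is constructed for the demo.

```perl
#!/usr/bin/env perl
# Added example, not Koha's code: a stand-alone Mojolicious::Lite app that
# models the two gates described in the bug. %SYSPREFS stands in for Koha's
# system preference store; RESTOAuth2ClientCredentials is the preference
# name the patches introduce.
use strict;
use warnings;
use Mojolicious::Lite;
use Module::Load::Conditional qw(can_load);

# Off by default, matching the bug's final title.
my %SYSPREFS = ( RESTOAuth2ClientCredentials => 0 );

# The follow-up patch probes the dependency with can_load (and mocks it in
# its tests); here the real check runs, so the library may genuinely be absent.
sub oauth2_available {
    return can_load( modules => { 'Net::OAuth2::AuthorizationServer' => undef } ) ? 1 : 0;
}

sub client_credentials_enabled {
    return ( $SYSPREFS{RESTOAuth2ClientCredentials} && oauth2_available() ) ? 1 : 0;
}

# Token endpoint: refuse the grant with 400 'Unimplemented grant type' when
# the syspref is off or the OAuth2 library is missing, regardless of which
# client_id/secret pair the caller presents.
post '/api/v1/oauth/token' => sub {
    my $c          = shift;
    my $grant_type = $c->param('grant_type') // '';

    unless ( $grant_type eq 'client_credentials' && client_credentials_enabled() ) {
        return $c->render(
            status => 400,
            json   => { error => 'Unimplemented grant type' },
        );
    }

    # Credential validation and token issuance (Koha delegates these to
    # Net::OAuth2::AuthorizationServer) are out of scope for this sketch;
    # a constructed placeholder token is returned instead.
    return $c->render(
        json => {
            token_type   => 'Bearer',
            access_token => 'constructed-placeholder-token',
            expires_in   => 3600,
        }
    );
};

# Guard for the rest of the API, in the role of authenticate_api_request:
# a Bearer token offered while OAuth2 is unavailable is rejected with 403
# instead of being silently ignored (which would let the request through
# with no authentication at all). Token validation when OAuth2 *is*
# available is not modelled here.
under '/api/v1' => sub {
    my $c    = shift;
    my $auth = $c->req->headers->authorization // '';

    if ( $auth =~ /^Bearer\s+\S+/i && !oauth2_available() ) {
        $c->render(
            status => 403,
            json   => { error => 'OAuth2 bearer tokens are not available' },
        );
        return 0;    # stop the dispatch chain
    }
    return 1;        # continue to the matched route
};

# A routine endpoint behind the guard (constructed for the demo, not a Koha route).
get '/api/v1/ping' => sub { shift->render( json => { ok => 1 } ) };

app->start;
```

With the file saved as token_gate.pl, `perl token_gate.pl get -M POST -f grant_type=client_credentials /api/v1/oauth/token` exercises the first gate and `perl token_gate.pl get -H 'Authorization: Bearer x' /api/v1/ping` the second; flip the hash value to 1 and install Net::OAuth2::AuthorizationServer to see the grant accepted.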


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #9 from Tomás Cohen Arazi <[hidden email]> ---
(In reply to Katrin Fischer from comment #6)

> Applied 20402, then bug 20568, but the latest patch there doesn't apply:
> Apply? [(y)es, (n)o, (i)nteractive] y
> Applying: Bug 20568: API keys management in interface
> Applying: Bug 20568: Add mandatory description field for api keys
> Applying: Bug 20568: Unit tests
> Applying: Bug 20568: API key management for OPAC users
> error: sha1 information is lacking or useless
> (koha-tmpl/opac-tmpl/bootstrap/en/includes/usermenu.inc).
> error: could not build fake ancestor
> Patch failed at 0001 Bug 20568: API key management for OPAC users
> The copy of the patch that failed is found in: .git/rebase-apply/patch
> When you have resolved this problem run "git bz apply --continue".
> If you would prefer to skip this patch, instead run "git bz apply --skip".
> To restore the original branch and stop patching run "git bz apply --abort".
> Patch left in /tmp/Bug-20568-API-key-management-for-OPAC-users-Igx9Ny.patch
>
> Sorry, stuck :(

Dependent bugs rebased!


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|20402                       |

--- Comment #10 from Katrin Fischer <[hidden email]> ---
bug 20402 is already a dependency of bug 20612


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
[Bug 20402] OAuth2 client credentials grant for REST API

[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |20402


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
[Bug 20402] OAuth2 client credentials grant for REST API

[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #11 from Katrin Fischer <[hidden email]> ---
... trying to figure out the right sequence that will make git bz happy.


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #12 from Katrin Fischer <[hidden email]> ---
20402
20568
20612
20624
... always tell git bz to ignore dependencies as it doesn't notice what's
already applied.


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #13 from Katrin Fischer <[hidden email]> ---
Treating this as a false positive as it's not added by the patch set:

 FAIL   Koha/REST/V1/Auth.pm
   OK     critic
   OK     forbidden patterns
   OK     git manipulation
   OK     pod
   FAIL   pod coverage
                POD is missing for 'validate_query_parameters'

The link is gone, but the page remains accessible directly:
http://localhost:8081/cgi-bin/koha/members/apikeys.pl?patron_id=1

Tests fail for me:

t/db_dependent/api/v1/oauth.t .. 1/2
#   Failed test '/oauth/token tests'
#   at t/db_dependent/api/v1/oauth.t line 116.
Can't call method "expires" on an undefined value at
t/db_dependent/api/v1/oauth.t line 93.
# Looks like your test exited with 255 just after 1.
t/db_dependent/api/v1/oauth.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 2/2 subtests

Test Summary Report
-------------------
t/db_dependent/api/v1/oauth.t (Wstat: 65280 Tests: 1 Failed: 1)
  Failed test:  1
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 2 tests but ran 1.


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

Kyle M Hall <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #74986|0                           |1
        is obsolete|                            |
  Attachment #74987|0                           |1
        is obsolete|                            |
  Attachment #74988|0                           |1
        is obsolete|                            |
  Attachment #74989|0                           |1
        is obsolete|                            |
  Attachment #75020|0                           |1
        is obsolete|                            |
  Attachment #75021|0                           |1
        is obsolete|                            |

--- Comment #14 from Kyle M Hall <[hidden email]> ---
Created attachment 75060
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75060&action=edit
Bug 20624: Add RESTOAuth2ClientCredentials syspref

Signed-off-by: Tomas Cohen Arazi <[hidden email]>

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #15 from Kyle M Hall <[hidden email]> ---
Created attachment 75061
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75061&action=edit
Bug 20624: Unit tests

This patch adds tests to verify that disabling the RESTOAuth2ClientCredentials
syspref makes any request on the /api/v1/oauth/token using the
'client_credentials' grant fail with 'grant not implemented'.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail because the change is not implemented!

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #16 from Kyle M Hall <[hidden email]> ---
Created attachment 75062
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75062&action=edit
Bug 20624: Make /api/v1/oauth/token respect RESTOAuth2ClientCredentials

This patch makes the /api/v1/oauth/token endpoint respect the
RESTOAuth2ClientCredentials syspref. It will return 400 (with
'Unimplemented grant type' error message) in the event of the syspref
being disabled and the grant_type => 'client_credentials' value passed.

To test:
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: It fails because the off-switch is not implemented
- Apply this patch
- Run:
  k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
- Sign off :-D

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #17 from Kyle M Hall <[hidden email]> ---
Created attachment 75063
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75063&action=edit
Bug 20624: Make staff client respect RESTOAuth2ClientCredentials

This patch makes the staff client UI respect the
RESTOAuth2ClientCredentials syspref.

To test:
- Make sure RESTOAuth2ClientCredentials is "Don't enable"
- Go to a patron's detail page
=> SUCCESS: The 'More' dropdown doesn't show the API keys management
link.
- Enable RESTOAuth2ClientCredentials
- Reload
=> SUCCESS: The 'More' dropdown shows the API keys management link
- Click on the API keys management link
=> SUCCESS: You can edit the api keys
- Disable the syspref
- Reload
=> SUCCESS: You are presented an error 400 page.
- Sign off :-D

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #18 from Kyle M Hall <[hidden email]> ---
Created attachment 75064
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75064&action=edit
Bug 20624: (QA follow-up) Unit tests for missing deps situation

This patch tests the situation in which Net::OAuth2::AuthorizationServer
is missing. It mocks Module::Load::Conditional::can_load and expects the
/token endpoint to answer 'Unimplemented grant type' to all requests, and
the 'authenticate_api_request' in 'under' to exit with unauthorized (403)
for requests in which the Authorization header is passed containing a
Bearer token, but OAuth2 is not really available.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail because our REST endpoints don't support this
behaviour.

Signed-off-by: Tomas Cohen Arazi <[hidden email]>

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #19 from Kyle M Hall <[hidden email]> ---
Created attachment 75065
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75065&action=edit
Bug 20624: (QA follow-up) Handle missing deps gracefully

This patch makes the /token endpoint and the authenticate_api_request
method behave correctly in the event of missing deps for OAuth2.

To test:
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: The behaviour is not implemented
- Apply this patch
- Run:
 k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!

Signed-off-by: Tomas Cohen Arazi <[hidden email]>

Signed-off-by: Kyle M Hall <[hidden email]>


[Bug 20624] Disable the OAuth2 client credentials grant by default

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624

--- Comment #20 from Tomás Cohen Arazi <[hidden email]> ---
Created attachment 75132
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=75132&action=edit
Bug 20624: (QA follow-up) Add missing POD in Koha::REST::V1::OAuth

Signed-off-by: Tomas Cohen Arazi <[hidden email]>
