[Bug 27309] New: Add plugin hooks for capturing raw passwords (NNPDB)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Bug ID: 27309 Summary: Add plugin hooks for capturing raw passwords (NNPDB) Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Plugin architecture Assignee: koha-bugs@lists.koha-community.org Reporter: magnus@libriotech.no QA Contact: testopia@bugs.koha-community.org Bug 22706 tried to add hooks to make it possible to implement support for the Norwegian National Patron Database (NNPDB) via a plugin. That bug added a new hook called check_password, and this was called in two places: 1. In Koha::Patron::set_password https://git.koha-community.org/Koha-community/Koha/src/branch/master/Koha/Pa... 2. In Koha::Patron::store https://git.koha-community.org/Koha-community/Koha/src/branch/master/Koha/Pa... The second call to check_password was initially placed after this call: $self = $self->SUPER::store; so we could send both the raw password and the borrowernumber to the hook. This is of course a problem, since checking the password after the borrower has been stored means we can't reject the user completely based on the password. And so the call to the check_password hook was placed bwfore this line. This meant that the check_password hook could not serve the intended purpose of implementing the NNPDB. This bug proposes a new plugin hook, to be implemented after the ->store, to finally make it possible to implement NNPDB as a plugin. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 --- Comment #1 from Magnus Enger <magnus@libriotech.no> --- Created attachment 114719 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=114719&action=edit Bug 27309 - Add plugin hooks for capturing passwords This might sound like a stupid idea, but it is necessary in order to implement support for the Norwegian National Patron Database as a plugin in Koha. The plugin hook captures the borrowernumber and raw password of a user and sends it to a plugin. I created a tiny plugin to be able to test the functionality: https://github.com/Libriotech/koha-plugin-capturepw This plugin will capture borrowernumbers and raw passwords when a user is added or updated. The borrowernumber and a md5-hashed version of the password is stored in a tiny database table (koha_plugin_no_libriotech_capturepw_capturepw) created by the plugin. To test: - Enable plugins - Install the CapturePW plugin - Add and edit users in all possible ways, including -- Setting a password for a new user -- Changing a password in the staff client -- Changing a password in the OPAC -- Creating a disabled user account Check the database table for updates after each operation. If a new line is added to the database for each operation, and the md5 hash changes when a password is changed, everything should be ok. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=22706 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 --- Comment #2 from Magnus Enger <magnus@libriotech.no> --- Added capture_raw_password to https://wiki.koha-community.org/wiki/Koha_Plugin_Hooks#Implemented_or_under_... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=27311 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Could you elaborate more on your use case for this? I don't understand why you'd need to capture and store the password. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Owen Leonard <oleonard@myacpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |magnus@libriotech.no |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 --- Comment #4 from Magnus Enger <magnus@libriotech.no> --- (In reply to David Cook from comment #3)
Could you elaborate more on your use case for this? I don't understand why you'd need to capture and store the password.
In Norway we have a national patron database, that among other things holds patron's PIN codes. These are encrypted using a key that only vendors have access to. To be able to store and transmit the encypted PIN in the correct format, we need to be able to capture it, and encrypt it in the way the national patron database expects, so we can sync it to other ILSes. This was not my idea, and it might change in the future, but for now it is something we have to implement, in order to be able to answer RFPs etc. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Magnus Enger from comment #4)
(In reply to David Cook from comment #3)
Could you elaborate more on your use case for this? I don't understand why you'd need to capture and store the password.
In Norway we have a national patron database, that among other things holds patron's PIN codes. These are encrypted using a key that only vendors have access to. To be able to store and transmit the encypted PIN in the correct format, we need to be able to capture it, and encrypt it in the way the national patron database expects, so we can sync it to other ILSes.
This was not my idea, and it might change in the future, but for now it is something we have to implement, in order to be able to answer RFPs etc.
Thanks for explaining. I think that I understand more now. I just took a peek at bug 11401 and https://lanekortet.no/ (thanks Google Translate). I wonder why they don't use something like LDAP or use SSO. Inertia maybe. I still think how the NNPDB works is bizarre but I understand the rationale. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 mathieu saby <mathsabypro@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mathsabypro@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com Status|Needs Signoff |Failed QA --- Comment #6 from Lucas Gass <lucas@bywatersolutions.com> --- Do we need unit tests for this change? Also, the commit title needs amended: Processing additional checks * Commit title does not start with 'Bug XXXXX: ' - 82ca5ad8aef -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27309 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org