[Koha-bugs] [Bug 13920] API authentication system - proposal

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jun 25 11:33:32 CEST 2015


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920

Julian Maurice <julian.maurice at biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #40592|0                           |1
        is obsolete|                            |

--- Comment #11 from Julian Maurice <julian.maurice at biblibre.com> ---
Created attachment 40625 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40625&action=edit
Bug 13920: 9. API authentication system - Swagtenticator authentication - WIP

This feature implements REST API-key authentication and Koha permission
validation in the Swagger2-plugin extension.  This is basically a
Mojolicious to Koha authentication using Swagger2 RESTful API definition
to autodocument and check for proper user permissions, aka.
"KohaliciousSwagtenticator".

With this feature the API provider doesn't need to code anything in the
Controller to support Koha permissions. Simply by defining a custom
Swagger2 parameter "x-koha-parameters": {} the Swagtenticator knows to
check the user for proper Koha permissions.

Example (require any borrowers-permission):
...
  "paths": {
    "/borrowers": {
      "get": {
        "x-mojo-controller": "Koha::REST::V1::Borrowers",
        "x-koha-permission": {
          "borrowers": "*"
        },
        "operationId": "listBorrowers",
...

This x-koha-permission definition is turned into a HASH and given to
C4::Auth::haspermission() for verification by the Swagger2-based plugin.

Bug dependencies:
  Buugg 13995 - Proper Exception handling,
    which helps a lot in dealing with all the various ways
    authentication can fail.
  Buugg 14437 - Refactor C4::Auth::haspermission() to Koha::Object and
    return better errors.
    Which returns the failing permission so we can create a more helpful
    API which tells which permissions are missing
    (also helps admins in giving the right permissions)

This feature is implemented by inheriting Mojolicious::Plugin::Swagger2
in Koha::REST::V1::Plugins::KohaliciousSwagtenticator and overloading
the necessary subroutines.

TEST PLAN:

1. Add the given example (up) to any "Operation Object *".
2. Call the "Operation object" (eg. /v1/borrowers/10) with user
   credentials not having any borrower-permissions.
3. Fail because of a myriad of reasons.
   (see. KohaliciousSwagtenticator::check_key_auth())
4. Add some borrowers-permissions to the same user.
5. Succeed in your operation.

* from Swagger2.0 specification
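As an added illustration (not Julian's attached patch and not Koha's own code), the stand-alone Perl script below shows the lookup the comment describes: read the x-koha-permission hash from a Swagger 2.0 operation and check it against a user's permission flags, using a simplified stand-in for C4::Auth::haspermission() that returns the first missing permission, as Bug 14437 proposes. The spec fragment, the user flag hashes and the function names are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;

# Constructed Swagger 2.0 fragment carrying the x-koha-permission extension
# from the comment above; "borrowers": "*" means "any borrowers sub-permission".
my $swagger = decode_json(<<'JSON');
{
  "paths": {
    "/borrowers": {
      "get": {
        "x-mojo-controller": "Koha::REST::V1::Borrowers",
        "x-koha-permission": { "borrowers": "*" },
        "operationId": "listBorrowers"
      }
    }
  }
}
JSON

# Look up the permission hash for one operation (path + HTTP method), as the
# plugin would before dispatching to the controller. Undef => nothing required.
sub required_permission {
    my ($spec, $path, $method) = @_;
    my $op = $spec->{paths}{$path}{ lc($method) } or die "unknown operation";
    return $op->{'x-koha-permission'};
}

# Hypothetical stand-in for C4::Auth::haspermission(). $flags is the user's
# permission tree, e.g. { borrowers => { edit_borrowers => 1 } } or
# { borrowers => 1 } for the whole module; $required is the x-koha-permission
# hash. Returns the first missing permission, or undef when all are satisfied.
sub missing_permission {
    my ($flags, $required) = @_;
    for my $module (sort keys %$required) {
        my $have = $flags->{$module};
        return $module unless $have;            # module not granted at all
        next unless ref $have;                  # whole module granted
        my $want = $required->{$module};
        if ($want eq '*') {                     # any sub-permission will do
            return $module unless %$have;
            next;
        }
        return "$module.$want" unless $have->{$want};
    }
    return undef;
}

my $required = required_permission($swagger, '/borrowers', 'GET');
for my $user ({ catalogue => 1 }, { borrowers => { edit_borrowers => 1 } }) {
    my $missing = missing_permission($user, $required);
    print defined $missing ? "denied (missing: $missing)\n" : "allowed\n";
}
```

The first user mirrors test plan step 2 (no borrowers permission, request denied with the missing module named); the second mirrors step 4 (a borrowers sub-permission satisfies the "*" requirement).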
