From: Dan Wells <dbw2@calvin.edu>
Date: Fri, 29 Jan 2016 21:02:32 +0000 (-0500)
Subject: LP#1528627 Proof of Concept "MasterKey" AuthProxy Module
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=refs%2Fheads%2Fuser%2Fdbwells%2Flp1528627_masterkey_poc;p=working%2FEvergreen.git

LP#1528627 Proof of Concept "MasterKey" AuthProxy Module

This module allows a user with the "masterkey" password to login as
any other user in the system, similar to root-level "su" in Unix.

USE THIS CODE AND MODULE AT YOUR OWN RISK.

To set up:
- In opensrf.xml, set auth_proxy <enabled> to 'true' (if not already)
- In same file, uncomment the configuration section for MasterKey
  within the auth_proxy configuration area
- Set the <masterkey> to some super-secret value

This has been tested with OPAC logins, but should work with any logins
supported by AuthProxy.pm (e.g. staff logins should work, but may have
developed some bugs since last tested).

Signed-off-by: Dan Wells <dbw2@calvin.edu>
---

diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 3b47481f86..35517c7874 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -483,6 +483,19 @@ vim:et:ts=4:sw=4:
                             </org_units>
                         </authenticator>
                         -->
+                        <!-- the following is a sample configuration for the MasterKey module; FOR TESTING ONLY, USE AT YOUR OWN RISK; please do not use the default password (in <masterkey> tag below) on a private server with outside access! -->
+                        <!--
+                        <authenticator>
+                            <name>masterkey</name>
+                            <module>OpenILS::Application::AuthProxy::MasterKey</module>
+                            <masterkey>whenILeftYouIWasButTheLearner</masterkey>
+                            <login_types>
+                                <type>staff</type>
+                                <type>opac</type>
+                                <type>persist</type>
+                            </login_types>
+                        </authenticator>
+                        -->
                         <!-- 'native' is a proxied version of Evergreen's standard authentication -->
                         <authenticator>
                             <name>native</name>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm
new file mode 100644
index 0000000000..dbd585eaa7
--- /dev/null
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm
@@ -0,0 +1,26 @@
+package OpenILS::Application::AuthProxy::MasterKey;
+use strict;
+use warnings;
+use base 'OpenILS::Application::AuthProxy::AuthBase';
+use OpenILS::Event;
+
+my $logger = $OpenILS::Application::AuthProxy::AuthBase::logger;
+
+sub authenticate {
+    my ( $self, $args ) = @_;
+    my $password = $args->{'password'};
+
+    if (!$password) {
+        $logger->debug("User login failed: No password provided");
+        return OpenILS::Event->new( 'LOGIN_FAILED' );
+    }
+
+    if ($password eq $self->{'masterkey'}) {
+        return OpenILS::Event->new('SUCCESS');
+    } else {
+        $logger->debug("User login failed: User does not possess the master key");
+        return OpenILS::Event->new( 'LOGIN_FAILED' );
+    }
+}
+
+1;