From: Jeff Godin Date: Wed, 13 May 2015 22:41:02 +0000 (-0700) Subject: WIP: client/ils password separation X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=refs%2Fheads%2Fuser%2Fjeff%2Fsip_password_separation_rebase;p=working%2FSIPServer.git WIP: client/ils password separation Initial support for having a SIP client password distinct from the ILS password. Signed-off-by: Jeff Godin --- diff --git a/SIPServer.pm b/SIPServer.pm index 0e36676..d456378 100755 --- a/SIPServer.pm +++ b/SIPServer.pm @@ -631,7 +631,7 @@ sub telnet_transport { $pwd =~ s/[\r\n]+$//; if (exists($config->{accounts}->{$uid}) - && ($pwd eq $config->{accounts}->{$uid}->password())) { + && _verify_client_password($config->{accounts}->{$uid}, $pwd) == 1) { $account = $config->{accounts}->{$uid}; last; } else { @@ -723,3 +723,20 @@ sub sip_protocol_loop { } } + +sub _verify_client_password { + # Accept a config hash representing a single login, and a supplied client password + # Return 1 on match, otherwise 0 + # XXX: implement support for salted + hashed "clientpassword" value + my ($login_config, $pwd_from_client) = @_; + + # if config has a clientpassword, verify against that + if (exists($login_config->{clientpassword})) { + syslog("LOG_INFO", "_verify_client_password: checking supplied password against clientpassword from config"); + return 1 if ($pwd_from_client eq $login_config->{clientpassword}); + } else { # otherwise, verify against "password" attribute + syslog("LOG_INFO", "_verify_client_password: checking supplied password against password from config"); + return 1 if ($pwd_from_client eq $login_config->{password}); + } + return 0; # password did not match +} diff --git a/SIPconfig.xml b/SIPconfig.xml index 180f4d4..7da7da8 100644 --- a/SIPconfig.xml +++ b/SIPconfig.xml @@ -66,6 +66,10 @@ + diff --git a/Sip/MsgType.pm b/Sip/MsgType.pm index 4079467..4b070ad 100644 --- a/Sip/MsgType.pm +++ b/Sip/MsgType.pm 
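Review bot: The condition removed from telnet_transport read the stored secret through the `password()` accessor, while the helper it now calls reads `$login_config->{password}` straight from the hash. If that accessor does anything beyond returning the hash slot (its definition is not in this diff), the telnet login path changes behaviour without notice. It is worth confirming the two are equivalent and stating in the helper's header comment that it reads the account's hash keys directly. The body of telnet_transport starts and ends outside the hunk.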
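Review bot: `_verify_client_password` can report a match when the stored secret is missing or empty, because Perl treats `undef eq ''` as true. The `exists` test only checks that the `clientpassword` key is present, so a key with an empty or undefined value is compared as-is and there is no fallback to `password`. The else branch has the same problem when `password` itself is absent. Whether the config loader can produce such values is not visible here, but the helper should fail closed regardless: pick the stored value first, return 0 unless it is defined and non-empty, and return 0 for an undefined supplied password. The sketch below keeps the existing log messages.

```perl
sub _verify_client_password {
    # ... unchanged: header comments ...
    my ($login_config, $pwd_from_client) = @_;

    # Select the stored secret: clientpassword when configured, else password.
    my $source   = exists($login_config->{clientpassword}) ? 'clientpassword' : 'password';
    my $expected = $login_config->{$source};
    syslog("LOG_INFO", "_verify_client_password: checking supplied password against $source from config");

    # A missing or empty stored secret must never authenticate anyone.
    return 0 unless defined($expected) && length($expected);
    return 0 unless defined($pwd_from_client);

    return ($pwd_from_client eq $expected) ? 1 : 0;
}
```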
@@ -860,7 +860,7 @@ sub handle_login {
 if (!exists($server->{config}->{accounts}->{$uid})) {
 syslog("LOG_WARNING", "MsgType::handle_login: Unknown login '$uid'");
 $status = 0;
- } elsif ($server->{config}->{accounts}->{$uid}->{password} ne $pwd) {
+ } elsif (SIPServer::_verify_client_password($server->{config}->{accounts}->{$uid}, $pwd) != 1) {
 syslog("LOG_WARNING", "MsgType::handle_login: Invalid password for login '$uid'");
 $status = 0;
 } else {
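Review bot: `handle_login` now reaches into another package for an underscore-prefixed helper, `SIPServer::_verify_client_password`, and by Perl convention that prefix marks it private to SIPServer.pm. Since both login paths depend on it, give it a public name (or move it to a module both files load) and document it as the single place where client credentials are checked. The call also assumes SIPServer.pm is already loaded whenever Sip::MsgType handles a login, which this diff does not show. The explicit `!= 1` is fine as written, because it fails closed if the helper ever returns anything other than 1. handle_login's body starts and ends outside the hunk.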