From c0b1e4d432cb09b3fa926cc54a8a74c1833a4418 Mon Sep 17 00:00:00 2001 From: Dan Wells Date: Fri, 29 Jan 2016 16:02:32 -0500 Subject: [PATCH] LP#1528627 Proof of Concept "MasterKey" AuthProxy Module This module allows a user with the "masterkey" password to login as any other user in the system, similar to root-level "su" in Unix. USE THIS CODE AND MODULE AT YOUR OWN RISK. To set up: - In opensrf.xml, set auth_proxy to 'true' (if not already) - In same file, uncomment the configuration section for MasterKey within the auth_proxy configuration area - Set the to some super-secret value This has been tested with OPAC logins, but should work with any logins supported by AuthProxy.pm (e.g. staff logins should work, but may have developed some bugs since last tested). Signed-off-by: Dan Wells --- Open-ILS/examples/opensrf.xml.example | 13 +++++++++++ .../lib/OpenILS/Application/AuthProxy/MasterKey.pm | 26 ++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example index 3b47481f86..35517c7874 100644 --- a/Open-ILS/examples/opensrf.xml.example +++ b/Open-ILS/examples/opensrf.xml.example @@ -483,6 +483,19 @@ vim:et:ts=4:sw=4: --> + + native diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm new file mode 100644 index 0000000000..dbd585eaa7 --- /dev/null +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/MasterKey.pm 
@@ -0,0 +1,26 @@
+package OpenILS::Application::AuthProxy::MasterKey;
+use strict;
+use warnings;
+use base 'OpenILS::Application::AuthProxy::AuthBase';
+use OpenILS::Event;
+
+my $logger = $OpenILS::Application::AuthProxy::AuthBase::logger;
+
+sub authenticate {
+ my ( $self, $args ) = @_;
+ my $password = $args->{'password'};
+
+ if (!$password) {
+ $logger->debug("User login failed: No password provided");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
+
+ if ($password eq $self->{'masterkey'}) {
+ return OpenILS::Event->new('SUCCESS');
+ } else {
+ $logger->debug("User login failed: User does not possess the master key");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
+ }
+}
+
+1;
-- 2.11.0
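Review bot: The success branch of `authenticate` returns `OpenILS::Event->new('SUCCESS')` without writing any log record, so a login made with the master key cannot be told apart from the account owner's own login afterwards. Because this one shared secret authenticates as any user, I would log every acceptance above debug level before the return, e.g. `$logger->info("MasterKey: master key accepted for login");`, and include the target account if `$args` carries it (not visible in this hunk). Both failure paths log only through `debug`, so repeated wrong guesses would likely go unnoticed at normal log levels; raising them would help detection. Separately, `$password eq $self->{'masterkey'}` compares against a plaintext configured secret, and an unset `masterkey` only produces an uninitialized-value warning, so an explicit guard such as `return OpenILS::Event->new('LOGIN_FAILED') unless defined $self->{'masterkey'} && length $self->{'masterkey'};` would make a misconfigured module fail closed in an obvious way.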