Bug 20612: Make OAuth2 use patron's client_id/secret pairs

This patch wires the OAuth related code so it leverages on the new
Koha::ApiKey(s) classes and tools introduced by bug 20568 instead of the
hardcoded entries in koha-conf.xml originally proposed by bug 20402.

To test revisit the test plan for bug 20402, and verify that it works.
But create API key pairs instead of writing them down in koha-conf.xml.
Also:
- Run:
  $ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
- Sign off :-D

Sponsored-by: ByWater Solutions
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@deichman.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/Koha/OAuth.pm b/Koha/OAuth.pm
index e322206..fb1f1e4 100644 (file)
--- a/Koha/OAuth.pm
+++ b/Koha/OAuth.pm
@@ -17,6 +17,7 @@ package Koha::OAuth;
 
 use Modern::Perl;
 
+use Koha::ApiKeys;
 use Koha::OAuthAccessTokens;
 
 =head1 NAME
@@ -53,17 +54,18 @@ and allowed to get authorization.
 sub _verify_client_cb {
     my (%args) = @_;
 
-    my ($client_id, $client_secret)
-        = @args{ qw/ client_id client_secret / };
+    my ($client_id, $client_secret) = @args{ qw/ client_id client_secret / };
 
-    return (0, 'unauthorized_client') unless $client_id;
+    my $api_key;
 
-    my $clients = C4::Context->config('api_client');
-    $clients = [ $clients ] unless ref $clients eq 'ARRAY';
-    my ($client) = grep { $_->{client_id} eq $client_id } @$clients;
-    return (0, 'unauthorized_client') unless $client;
+    if ($client_id) {
+        $api_key = Koha::ApiKeys->find( $client_id );
+    }
+
+    # client_id mandatory and exists on the DB
+    return (0, 'unauthorized_client') unless $api_key && $api_key->active;
 
-    return (0, 'access_denied') unless $client_secret eq $client->{client_secret};
+    return (0, 'access_denied') unless $api_key->secret eq $client_secret;
 
     return (1, undef, []);
 }

diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 65f0e71..1df26e4 100644 (file)
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -26,10 +26,12 @@ use Net::OAuth2::AuthorizationServer;
 use C4::Auth qw( check_cookie_auth get_session haspermission );
 use C4::Context;
 
+use Koha::ApiKeys;
 use Koha::Account::Lines;
 use Koha::Checkouts;
 use Koha::Holds;
 use Koha::OAuth;
+use Koha::OAuthAccessTokens;
 use Koha::Old::Checkouts;
 use Koha::Patrons;
 
@@ -125,11 +127,8 @@ sub authenticate_api_request {
         );
 
         if ($valid_token) {
-            my $clients = C4::Context->config('api_client');
-            $clients = [ $clients ] unless ref $clients eq 'ARRAY';
-            my ($client) = grep { $_->{client_id} eq $valid_token->{client_id} } @$clients;
-
-            my $patron = Koha::Patrons->find($client->{patron_id});
+            my $patron_id   = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
+            my $patron      = Koha::Patrons->find($patron_id);
             my $permissions = $authorization->{'permissions'};
             # Check if the patron is authorized
             if ( haspermission($patron->userid, $permissions)