[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Tomás Cohen Arazi changed:

  What     | Removed                | Added
  Keywords | additional_work_needed |

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
--- Comment #45 from Matt Blenkinsop ---

Nice work everyone! Pushed to oldstable for 22.11.x
Matt Blenkinsop changed:

  What                   | Removed           | Added
  Version(s) released in | 23.05.00,22.11.07 | 23.05.00,22.11.08,22.11.07
  Status                 | Pushed to stable  | Pushed to oldstable
Nick Clemens changed:

  What   | Removed | Added
  Blocks |         | 34033

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34033
[Bug 34033] DB update problems from bug 30649
--- Comment #44 from Emmi Takkinen ---

Oh and also SET password = $password needs quotation marks around $password :D

Ran into this while updating my test database. After fixing them manually, the update proceeded without problems.
--- Comment #43 from Emmi Takkinen ---

Also there's no table edi_vendor_accounts.
Emmi Takkinen changed:

  What | Removed | Added
  CC   |         | emmi.takki...@koha-suomi.fi

--- Comment #42 from Emmi Takkinen ---

There's a typo in the atomicupdate file. "SELECT * FROM vendor_edit_accounts" should be "SELECT * FROM vendor_edi_accounts".
jkbijo...@gmail.com changed:

  What | Removed | Added
  CC   |         | jkbijo...@gmail.com
Tomás Cohen Arazi changed:

  What | Removed | Added
  CC   |         | tomasco...@gmail.com

--- Comment #41 from Tomás Cohen Arazi ---

Follow-up pushed to master. Backporting to 23.05 as well.
--- Comment #40 from Jonathan Druart ---

(In reply to David Cook from comment #39)
> Would this work without the encryption_key being set though? Might need to
> add a catch for that

I don't think we should do anything more; with bug 33934 the output of the upgrade process will tell what went wrong.
--- Comment #39 from David Cook ---

Would this work without the encryption_key being set though? Might need to add a catch for that.
--- Comment #38 from Martin Renvoize ---

I threw that together.. needs testing though.
Martin Renvoize changed:

  What     | Removed | Added
  Keywords |         | additional_work_needed
--- Comment #37 from Martin Renvoize ---

Created attachment 152097
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=152097&action=edit
Bug 30649: (follow-up) Improve database update

This patch implements the proposed switch to use the standard DB handle and only require Koha::Encryption if necessary.
Jonathan Druart changed:

  What     | Removed | Added
  See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33934
--- Comment #36 from David Cook ---

(In reply to Jonathan Druart from comment #35)
> We could maybe require the module only if there are rows in
> vendor_edi_accounts?

Sounds reasonable to me
Jonathan Druart changed:

  What     | Removed | Added
  See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31059

--- Comment #35 from Jonathan Druart ---

Reported on the ML, it's breaking the upgrade:

ERROR - Exception 'Koha::Exceptions::MissingParameter' thrown 'No encryption_key in koha-conf.xml'

We should not use Koha modules in db revs. Here we have Koha::Database that can be replaced easily with $dbh; however there is no good solution for Koha::Encryption.

We could maybe require the module only if there are rows in vendor_edi_accounts?
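As an added illustration (not the follow-up patch attached to this bug), this is the shape of a database revision that applies the points raised in this thread: a plain $dbh instead of Koha::Database, Koha::Encryption loaded only when there are rows to convert (comments #35 to #39), the password bound as a placeholder instead of being interpolated into the SQL (comment #44), and the table name from comment #42. The atomicupdate argument layout and the encrypt_hex method follow Koha's existing conventions; the column names id and password are assumed.

```perl
# Illustrative atomicupdate for bug 30649 (example code, not the committed revision).
use Modern::Perl;

return {
    bug_number  => "30649",
    description => "Encrypt vendor EDI account passwords",
    up          => sub {
        my ($args) = @_;
        my ( $dbh, $out ) = @$args{qw(dbh out)};

        # Widen the column first so the hex ciphertext always fits
        # (comment #31 switched the field to MEDIUMTEXT).
        $dbh->do(q{ALTER TABLE vendor_edi_accounts MODIFY COLUMN password MEDIUMTEXT DEFAULT NULL});

        # Read the rows with the DBI handle, not Koha::Database (comment #35).
        # The table is vendor_edi_accounts, not vendor_edit_accounts (comment #42).
        my $rows = $dbh->selectall_arrayref(
            q{SELECT id, password FROM vendor_edi_accounts WHERE password IS NOT NULL AND password != ''},
            { Slice => {} }
        );

        unless (@$rows) {
            say $out "No EDI account passwords to encrypt";
            return;
        }

        # Load the encryption module only now, so a site with no EDI accounts
        # never trips over a missing encryption_key in koha-conf.xml
        # (Koha::Encryption->new throws if the key is absent; comments #35, #39).
        require Koha::Encryption;
        my $cipher = Koha::Encryption->new;

        # Bind the ciphertext as a placeholder instead of interpolating it into
        # the SQL string: this is what the unquoted $password in comment #44 got
        # wrong, and it also keeps password characters from being parsed as SQL.
        my $sth = $dbh->prepare(q{UPDATE vendor_edi_accounts SET password = ? WHERE id = ?});
        for my $row (@$rows) {
            my $encrypted = $cipher->encrypt_hex( $row->{password} );
            $sth->execute( $encrypted, $row->{id} );
        }

        # Note: this revision is not idempotent. Running it twice would encrypt the
        # ciphertext again, and (comment #19) there is no reliable way to tell a
        # plaintext password from a hex ciphertext after the fact.
        say $out sprintf( "Encrypted %d EDI account password(s)", scalar @$rows );
    },
};
```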
--- Comment #34 from Pedro Amorim ---

Nice work everyone! Pushed to 22.11.x for next release
Pedro Amorim changed:

  What                   | Removed          | Added
  Version(s) released in | 23.05.00         | 23.05.00,22.11.07
  Status                 | Pushed to master | Pushed to stable
--- Comment #33 from Tomás Cohen Arazi ---

Pushed to master for 23.05. Nice work everyone, thanks!
Tomás Cohen Arazi changed:

  What                   | Removed   | Added
  Version(s) released in |           | 23.05.00
  Status                 | Passed QA | Pushed to master
Martin Renvoize changed:

  What     | Removed     | Added
  Severity | enhancement | normal
--- Comment #32 from Kyle M Hall ---

(In reply to Jonathan Druart from comment #28)
> I don't know how this is relevant, but borrowers.secret is MEDIUMTEXT and
> you are using VARCHAR(256) here.
>
> By the way, 256? Typo for 255?

I like the idea of using mediumtext much better for encrypted data fields than varchar.
--- Comment #31 from Kyle M Hall ---

Created attachment 144325
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144325&action=edit
Bug 30649: (QA follow-up) Switch password field to mediumtext
Kyle M Hall changed:

  What                           | Removed | Added
  Attachment #144323 is obsolete | 0       | 1

--- Comment #30 from Kyle M Hall ---

Created attachment 144324
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144324&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing EDI vendor account passwords in clear text in the database. Now that Koha has the Koha::Encryption module, we should use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the password for an account

Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Kyle M Hall changed:

  What                           | Removed | Added
  Attachment #142989 is obsolete | 0       | 1

--- Comment #29 from Kyle M Hall ---

Created attachment 144323
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144323&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing EDI vendor account passwords in clear text in the database. Now that Koha has the Koha::Encryption module, we should use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the password for an account

Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Jonathan Druart changed:

  What | Removed | Added
  CC   |         | jonathan.druart+koha@gmail.com

--- Comment #28 from Jonathan Druart ---

I don't know how this is relevant, but borrowers.secret is MEDIUMTEXT and you are using VARCHAR(256) here.

By the way, 256? Typo for 255?
--- Comment #27 from Victor Grousset/tuxayo ---

(In reply to Kyle M Hall from comment #22)
> (In reply to Victor Grousset/tuxayo from comment #21)
> > That's why I wondered if there was any gain compared to just storing the
> > passwords into koha-conf.xml directly? (or another file)
>
> Simply put, imo, that would mean librarians could no longer update that data
> without help from the server administrator, making their jobs more difficult.

Hence the earlier «maybe Koha can't write to that file and that would need a separate file».

(In reply to David Cook from comment #26)
> So sysadmins really need to keep in mind that the database and server-side
> config need to be restored together.

Ah yes, so actually encrypting data in the DB does not protect from a backup leak (I wrongly said that earlier), since a backup should have the config files.
Katrin Fischer changed:

  What    | Removed | Added
  Version | 21.05   | master
--- Comment #26 from David Cook ---

(In reply to Katrin Fischer from comment #25)
> (In reply to David Cook from comment #24)
> > (In reply to Katrin Fischer from comment #23)
> > > It might also hinder a quick disaster recovery to a different server? At
> > > least something more to think about for backups etc.
> >
> > With the encryption key in koha-conf.xml, they wouldn't be able to decrypt
> > the encrypted passwords in the database either.
>
> True, so something to keep in mind then for the sysadmins?

Yeah, I mean there's other bits of config that this happens for too. I use the "OAI-PMH:ConfFile" syspref, and if you just restore the database dump without including the server-side file, it'll break the OAI.

So sysadmins really need to keep in mind that the database and server-side config need to be restored together.
--- Comment #25 from Katrin Fischer ---

(In reply to David Cook from comment #24)
> (In reply to Katrin Fischer from comment #23)
> > It might also hinder a quick disaster recovery to a different server? At
> > least something more to think about for backups etc.
>
> With the encryption key in koha-conf.xml, they wouldn't be able to decrypt
> the encrypted passwords in the database either.

True, so something to keep in mind then for the sysadmins?
--- Comment #24 from David Cook ---

(In reply to Katrin Fischer from comment #23)
> It might also hinder a quick disaster recovery to a different server? At
> least something more to think about for backups etc.

With the encryption key in koha-conf.xml, they wouldn't be able to decrypt the encrypted passwords in the database either.

(In reply to Kyle M Hall from comment #22)
> (In reply to Victor Grousset/tuxayo from comment #21)
> > That's why I wondered if there was any gain compared to just storing the
> > passwords into koha-conf.xml directly? (or another file)
>
> Simply put, imo, that would mean librarians could no longer update that data
> without help from the server administrator, making their jobs more difficult.

Agreed with Kyle. There needs to be a balance between security and functionality/convenience.
--- Comment #23 from Katrin Fischer ---

It might also hinder a quick disaster recovery to a different server? At least something more to think about for backups etc.
--- Comment #22 from Kyle M Hall ---

(In reply to Victor Grousset/tuxayo from comment #21)
> That's why I wondered if there was any gain compared to just storing the
> passwords into koha-conf.xml directly? (or another file)

Simply put, imo, that would mean librarians could no longer update that data without help from the server administrator, making their jobs more difficult.
--- Comment #21 from Victor Grousset/tuxayo ---

(In reply to Martin Renvoize from comment #16)
> The value does come from the encryption. If the database is somehow
> compromised (for example, someone accidentally shares a backup.. it could be
> as simple as that).. by having the data in the database encrypted the
> nefarious actor doesn't have something useful to them.. They still need to
> hack the machine to get ahold of the key (from the conf file) and/or read
> the code to understand what sort of algorithm is used.

That's why I wondered if there was any gain compared to just storing the passwords into koha-conf.xml directly? (or another file)

The question would have been more relevant on bug 28998; now that such a mechanism is implemented, the work is done and it's not very hard to use on any data to be protected from SQL injection or accidental backup publication.
--- Comment #20 from David Cook ---

(In reply to Martin Renvoize from comment #18)
> OK.. I decided to open another bug for my thoughts on key change..
>
> I'll pass this one but highlight to the RM that we may need to rethink the
> DB update.

I've commented on Bug 32078 with what I think would be a fairly straightforward approach to allow key rotation.
--- Comment #19 from David Cook ---

(In reply to Martin Renvoize from comment #17)
> When we upgraded
> from SHA to BCrypt for user account hashing we added a layer inside the
> codebase to upgrade the hash on first access I seem to recall.

We were upgrading from MD5 hashes to BCrypt hashes, which were easy to differentiate, since the BCrypt hashes started with "$2a$08$". We also had the user input so you could always compare hashes.

In this case with the decryption I don't think there's any way to know whether or not you got a valid decrypted value (unless the encryption module throws an exception)...
Martin Renvoize changed:

  What   | Removed    | Added
  Status | Signed Off | Passed QA
--- Comment #18 from Martin Renvoize ---

OK.. I decided to open another bug for my thoughts on key change..

I'll pass this one but highlight to the RM that we may need to rethink the DB update.
Martin Renvoize changed:

  What     | Removed | Added
  See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32078
--- Comment #17 from Martin Renvoize ---

Still contemplating QA here.. the code works as expected and I'm happy with the implementation as a whole.

However.. I'm not so sure about the in-place database upgrade... we tend to try and steer away from referencing Koha modules from within the atomicupdates in case there's a change to said module down the line. That said.. that's not a blocker for me, just a consideration. When we upgraded from SHA to BCrypt for user account hashing we added a layer inside the codebase to upgrade the hash on first access I seem to recall.

My other pondering is around what happens if/when an admin wants to change the encryption key for the server.. that's out of scope for this particular bug, but I feel like we should have an option for it somewhere.. either a script to update encrypted data to use the new key (given the old and new key as input) or a way to define the keys as an array and upgrade on access or something like that.
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
--- Comment #16 from Martin Renvoize ---

(In reply to Victor Grousset/tuxayo from comment #14)
> (In reply to Kyle M Hall from comment #9)
> > (In reply to Victor Grousset/tuxayo from comment #8)
> > > I don't get how to encrypt a password to an external service and still be
> > > able to use the external service. Does that mean Koha can in full autonomy
> > > decrypt it?
> >
> > Yes, we store a key in the koha-conf file for encryption and decryption. I
> > need to rebase this patch to use the work from Bug 28998.
>
> Ok IIUC the security value doesn't come from encryption but from having the
> data out of the DB. So a simple SQL injection can't get it.
> Is there any gain compared to just storing the passwords into koha-conf.xml
> directly?
> (hum, maybe Koha can't write to that file and that would need a separate
> file)
> Like is it a plausible attack scenario to be able to read the file but not
> the DB? That when needing both would help.

The value does come from the encryption. If the database is somehow compromised (for example, someone accidentally shares a backup.. it could be as simple as that).. by having the data in the database encrypted the nefarious actor doesn't have something useful to them.. They still need to hack the machine to get ahold of the key (from the conf file) and/or read the code to understand what sort of algorithm is used.

So this closes one door.. if they have full access to the server, they have all the elements they need to access the plaintext credentials.. but the improvement here is that they now have to have that full access rather than just a db dump.
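The two points raised in comments #17 and #16 (a key ring with upgrade-on-access or a batch re-encryption script, and the fact that a database dump without the key from the config file yields nothing usable) are illustrated by the following added example. It is not Koha code and does not use Koha::Encryption; the "v<key_id>:" prefix on stored values and the HMAC-based stand-in cipher are assumptions of this example so that it runs on a bare Python install, where a real deployment would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher: HMAC-SHA256 keystream plus encrypt-then-MAC (not Koha's scheme).
def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key or tampering
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class KeyRing:
    """keys: {key_id: key bytes}, as an admin would list them in the config file.
    New values go under the highest id; every listed id can still decrypt."""
    def __init__(self, keys: dict):
        self.keys, self.current = dict(keys), max(keys)

    def encrypt(self, password: str) -> str:
        # stored form "v<key_id>:<hex>"; the id prefix is this example's assumption
        return f"v{self.current}:" + seal(self.keys[self.current], password.encode()).hex()

    def decrypt(self, stored: str) -> tuple:
        ver, hexblob = stored.split(":", 1)
        key_id = int(ver[1:])
        password = unseal(self.keys[key_id], bytes.fromhex(hexblob)).decode()
        return password, key_id != self.current     # True: not under the newest key

    def upgrade_on_access(self, stored: str) -> tuple:
        """(password, value to write back); the value changes only when stale."""
        password, stale = self.decrypt(stored)
        return password, (self.encrypt(password) if stale else stored)

def rotate_rows(ring: KeyRing, rows: list) -> list:
    """Batch form (the 'script' option): idempotent over [(row_id, stored), ...]."""
    return [(row_id, ring.upgrade_on_access(stored)[1]) for row_id, stored in rows]
```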
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Martin Renvoize changed:

What       | Removed                          | Added
QA Contact | testo...@bugs.koha-community.org | martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Martin Renvoize changed:

What                           | Removed | Added
Attachment #142820 is obsolete | 0       | 1

--- Comment #15 from Martin Renvoize ---

Created attachment 142989
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142989&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing EDI vendor account passwords in clear text in the database. Now that Koha has the Koha::Encryption module, we should use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the password for an account

Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
--- Comment #14 from Victor Grousset/tuxayo ---

(In reply to Kyle M Hall from comment #9)
> (In reply to Victor Grousset/tuxayo from comment #8)
> > I don't get how to encrypt a password to an external service and still be
> > able to use the external service. Does that mean Koha can in full autonomy
> > decrypt it?
>
> Yes, we store a key in the koha-conf file for encryption and decryption. I
> need to rebase this patch to use the work from Bug 28998.

Ok IIUC the security value doesn't come from encryption but from having the data out of the DB. So a simple SQL injection can't get it.

Is there any gain compared to just storing the passwords into koha-conf.xml directly? (hum, maybe Koha can't write to that file and that would need a separate file)

Like is it a plausible attack scenario to be able to read the file but not the DB? That when needing both would help.
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
David Nind changed:

What | Removed | Added
CC   |         | da...@davidnind.com

--- Comment #13 from David Nind ---

Testing notes (using koha-testing-docker):
1. Enable EDIFACT system preference
2. Creating EDI vendor accounts: Administration > Acquisition parameters > EDI accounts
3. Before applying the patch, I added an EDI vendor account (to test that existing accounts are updated)
3. Step 3 - SQL for report: select * from vendor_edi_accounts
4. Step 4 - after the database update: I ran flush_memcached and restart_all, and cleared the browser cache
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
David Nind changed:

What                           | Removed | Added
Attachment #142057 is obsolete | 0       | 1

--- Comment #12 from David Nind ---

Created attachment 142820
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142820&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

Signed-off-by: David Nind
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
David Nind changed:

What   | Removed       | Added
Status | Needs Signoff | Signed Off
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Kyle M Hall changed:

What | Removed | Added
CC   |         | martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Kyle M Hall changed:

What                           | Removed | Added
Attachment #142056 is obsolete | 0       | 1

--- Comment #11 from Kyle M Hall ---

Created attachment 142057
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142057&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Kyle M Hall changed:

What                           | Removed | Added
Attachment #134302 is obsolete | 0       | 1

--- Comment #10 from Kyle M Hall ---

Created attachment 142056
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142056&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Kyle M Hall changed:

What   | Removed | Added
Status | BLOCKED | Needs Signoff
[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database
Kyle M Hall changed:

What    | Removed                                           | Added
Summary | Vendor EDI account passwords should be encrypted | Vendor EDI account passwords should be encrypted in the database