[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2023-09-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Tomás Cohen Arazi  changed:

   What|Removed |Added

   Keywords|additional_work_needed  |

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


2023-07-12 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #45 from Matt Blenkinsop  ---
Nice work everyone!

Pushed to oldstable for 22.11.x


2023-07-12 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Matt Blenkinsop  changed:

   What|Removed |Added

 Version(s) released in|23.05.00,22.11.07   |23.05.00,22.11.08,22.11.07
 Status|Pushed to stable|Pushed to oldstable


2023-06-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Nick Clemens  changed:

   What|Removed |Added

 Blocks||34033


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34033
[Bug 34033] DB update problems from bug 30649

2023-06-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #44 from Emmi Takkinen  ---
Oh and also SET password = $password needs quotation marks around $password :D
Ran into this while updating my test database. After fixing them manually, the
update proceeded without problems.


2023-06-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #43 from Emmi Takkinen  ---
Also there's no table edi_vendor_accounts.


2023-06-16 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Emmi Takkinen  changed:

   What|Removed |Added

 CC||emmi.takki...@koha-suomi.fi

--- Comment #42 from Emmi Takkinen  ---
There's a typo in atomicupdate file. 

"SELECT * FROM vendor_edit_accounts" should be "SELECT * FROM
vendor_edi_accounts"


2023-06-12 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

jkbijo...@gmail.com changed:

   What|Removed |Added

 CC||jkbijo...@gmail.com


2023-06-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Tomás Cohen Arazi  changed:

   What|Removed |Added

 CC||tomasco...@gmail.com

--- Comment #41 from Tomás Cohen Arazi  ---
Follow-up pushed to master. Backporting to 23.05 as well.


2023-06-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #40 from Jonathan Druart  ---
(In reply to David Cook from comment #39)
> Would this work without the encryption_key being set though? Might need to
> add a catch for that

I don't think we should do anything more, with bug 33934 the output of the upgrade
process will tell what went wrong.


2023-06-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #39 from David Cook  ---
Would this work without the encryption_key being set though? Might need to add
a catch for that


2023-06-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #38 from Martin Renvoize  ---
I threw that together.. needs testing though.


2023-06-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

   Keywords||additional_work_needed


2023-06-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #37 from Martin Renvoize  ---
Created attachment 152097
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=152097&action=edit
Bug 30649: (follow-up) Improve database update

This patch implements the proposed switch to use the standard DB handle
and only require Koha::Encryption if necessary.


2023-06-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33934


2023-06-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #36 from David Cook  ---
(In reply to Jonathan Druart from comment #35)
> We could maybe require the module only if there are rows in
> vendor_edi_accounts?

Sounds reasonable to me


2023-06-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31059

--- Comment #35 from Jonathan Druart  ---
Reported on the ML, it's breaking the upgrade
  ERROR - Exception 'Koha::Exceptions::MissingParameter' thrown 'No
encryption_key in koha-conf.xml'

We should not use Koha modules in db revs.

Here we have Koha::Database that can be replaced easily with $dbh, however
there is no good solution for Koha::Encryption.

We could maybe require the module only if there are rows in
vendor_edi_accounts?
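
The database-update behaviour discussed in this thread (skip the encryption step when vendor_edi_accounts has no rows, stop with a clear error when rows exist but no encryption_key is configured, and bind the new value instead of interpolating it into the UPDATE), sketched as an added example in Python with SQLite; it is not Koha's atomicupdate and not part of any message here. The `id` column, all function names and the HMAC-based cipher standing in for Koha::Encryption are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


class MissingKey(Exception):
    """Passwords need encrypting but no encryption_key is configured."""


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream (stand-in cipher, an assumption).
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_hex(key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC; output is hex(nonce || ciphertext || tag)."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext.encode("utf-8"))
    tag = _prf(_prf(key, b"mac"), nonce + ct)
    return (nonce + ct + tag).hex()


def decrypt_hex(key: bytes, blob_hex: str) -> str:
    """Return the plaintext, or raise ValueError if this key did not produce blob_hex."""
    blob = bytes.fromhex(blob_hex)  # ValueError on non-hex input
    if len(blob) < 48:
        raise ValueError("too short to be ciphertext")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication tag mismatch")
    return _xor_stream(_prf(key, b"enc"), nonce, ct).decode("utf-8")


def encrypt_edi_passwords(conn: sqlite3.Connection, config: dict) -> int:
    """Encrypt clear-text passwords in place; return the number of rows changed."""
    rows = conn.execute(
        "SELECT id, password FROM vendor_edi_accounts "
        "WHERE password IS NOT NULL AND password <> ''"
    ).fetchall()
    if not rows:
        return 0  # no EDI accounts: the key is never needed, so never required
    if not config.get("encryption_key"):
        raise MissingKey("vendor_edi_accounts holds passwords but encryption_key is not set")
    key = config["encryption_key"].encode("utf-8")
    changed = 0
    with conn:  # single transaction: all rows are updated or none
        for account_id, password in rows:
            try:
                decrypt_hex(key, password)
                continue  # already ciphertext under this key: a re-run is a no-op
            except ValueError:
                pass
            # Bound parameters: the value is never quoted into the SQL text.
            conn.execute(
                "UPDATE vendor_edi_accounts SET password = ? WHERE id = ?",
                (encrypt_hex(key, password), account_id),
            )
            changed += 1
    return changed


def make_db(passwords):
    """In-memory table holding constructed sample passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendor_edi_accounts (id INTEGER PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO vendor_edi_accounts (password) VALUES (?)", [(p,) for p in passwords]
    )
    conn.commit()
    return conn


def stored_passwords(conn):
    return [row[0] for row in conn.execute("SELECT password FROM vendor_edi_accounts ORDER BY id")]


if __name__ == "__main__":
    db = make_db(["s3cret", "it's \"quoted\"; --"])  # constructed values
    try:
        encrypt_edi_passwords(db, {})
    except MissingKey as err:
        print("upgrade stops:", err)
    print(encrypt_edi_passwords(db, {"encryption_key": "constructed-key"}), "rows encrypted")
    print(stored_passwords(db))
```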


2023-06-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #34 from Pedro Amorim  ---
Nice work everyone!

Pushed to 22.11.x for next release


2023-06-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Pedro Amorim  changed:

   What|Removed |Added

 Version(s) released in|23.05.00|23.05.00,22.11.07
 Status|Pushed to master|Pushed to stable


2023-05-15 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #33 from Tomás Cohen Arazi  ---
Pushed to master for 23.05.

Nice work everyone, thanks!


2023-05-15 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Tomás Cohen Arazi  changed:

   What|Removed |Added

 Version(s) released in||23.05.00
 Status|Passed QA   |Pushed to master


2023-01-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

   Severity|enhancement |normal


2022-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #32 from Kyle M Hall  ---
(In reply to Jonathan Druart from comment #28)
> I don't know how this is relevant, but borrowers.secret is MEDIUMTEXT and
> you are using VARCHAR(256) here.
> 
> By the way, 256? Typo for 255?

I like the idea of using mediumtext much better for encrypted data fields than
varchar.


2022-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #31 from Kyle M Hall  ---
Created attachment 144325
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144325&action=edit
Bug 30649: (QA follow-up) Switch password field to mediumtext


2022-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 Attachment #144323 is obsolete|0   |1

--- Comment #30 from Kyle M Hall  ---
Created attachment 144324
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144324&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account

Signed-off-by: David Nind 
Signed-off-by: Martin Renvoize 


2022-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 Attachment #142989 is obsolete|0   |1

--- Comment #29 from Kyle M Hall  ---
Created attachment 144323
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144323&action=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account

Signed-off-by: David Nind 
Signed-off-by: Martin Renvoize 


2022-11-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Jonathan Druart  changed:

   What|Removed |Added

 CC||jonathan.druart+koha@gmail.com

--- Comment #28 from Jonathan Druart  ---
I don't know how this is relevant, but borrowers.secret is MEDIUMTEXT and you
are using VARCHAR(256) here.

By the way, 256? Typo for 255?


2022-11-26 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #27 from Victor Grousset/tuxayo  ---
(In reply to Kyle M Hall from comment #22)
> (In reply to Victor Grousset/tuxayo from comment #21)
> > That's why I wondered if there was any gain compared to just storing the
> > passwords into koha-conf.xml directly? (or another file)
> 
> Simply put, imo, that would mean librarians could no longer update that data
> without help from the server administrator, making their jobs more difficult.

Hence the earlier «maybe Koha can't write to that file and that would need a
separate file»


(In reply to David Cook from comment #26)
> So sysadmins really need to keep in mind that the database and server-side
> config need to be restored together.

Ah yes, so actually encrypting data in the DB does not protect from a backup
leak. (I wrongly said that earlier) Since a backup should have the config
files.


2022-11-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Katrin Fischer  changed:

   What|Removed |Added

Version|21.05   |master


2022-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #26 from David Cook  ---
(In reply to Katrin Fischer from comment #25)
> (In reply to David Cook from comment #24)
> > (In reply to Katrin Fischer from comment #23)
> > > It might also hinder a quick disaster recovery to a different server? At
> > > least something more to think about for backups etc.
> > 
> > With the encryption key in koha-conf.xml, they wouldn't be able to decrypt
> > the encrypted passwords in the database either. 
> 
> True, so something to keep in mind then for the sysadmins?

Yeah, I mean there's other bits of config that this happens for too. I use the
"OAI-PMH:ConfFile" syspref, and if you just restore the database dump without
including the server-side file, it'll break the OAI.

So sysadmins really need to keep in mind that the database and server-side
config need to be restored together.


2022-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #25 from Katrin Fischer  ---
(In reply to David Cook from comment #24)
> (In reply to Katrin Fischer from comment #23)
> > It might also hinder a quick disaster recovery to a different server? At
> > least something more to think about for backups etc.
> 
> With the encryption key in koha-conf.xml, they wouldn't be able to decrypt
> the encrypted passwords in the database either. 

True, so something to keep in mind then for the sysadmins?


2022-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #24 from David Cook  ---
(In reply to Katrin Fischer from comment #23)
> It might also hinder a quick disaster recovery to a different server? At
> least something more to think about for backups etc.

With the encryption key in koha-conf.xml, they wouldn't be able to decrypt the
encrypted passwords in the database either. 

(In reply to Kyle M Hall from comment #22)
> (In reply to Victor Grousset/tuxayo from comment #21)
> > That's why I wondered if there was any gain compared to just storing the
> > passwords into koha-conf.xml directly? (or another file)
> 
> Simply put, imo, that would mean librarians could no longer update that data
> without help from the server administrator, making their jobs more difficult.

Agreed with Kyle. There needs to be a balance between security and
functionality/convenience.


2022-11-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #23 from Katrin Fischer  ---
It might also hinder a quick disaster recovery to a different server? At
least something more to think about for backups etc.


2022-11-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #22 from Kyle M Hall  ---
(In reply to Victor Grousset/tuxayo from comment #21)
> That's why I wondered if there was any gain compared to just storing the
> passwords into koha-conf.xml directly? (or another file)

Simply put, imo, that would mean librarians could no longer update that data
without help from the server administrator, making their jobs more difficult.


2022-11-06 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #21 from Victor Grousset/tuxayo  ---
(In reply to Martin Renvoize from comment #16)
> The value does come from the encryption.  If the database is somehow
> compromised (for example, someone accidentally shares a backup.. it could be
> as simple as that).. by having the data in the database encrypted the
> nefarious actor doesn't have something useful to them.. They still need to
> hack the machine to get ahold of the key (from the conf file) and/or read
> the code to understand what sort of algorithm is used.

That's why I wondered if there was any gain compared to just storing the
passwords into koha-conf.xml directly? (or another file)

The question would have been more relevant on bug 28998 now that such a
mechanism is implemented, the work is done and it's not very hard to use on any
data to be protected from SQL injection or accidental backup publication.


2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #20 from David Cook  ---
(In reply to Martin Renvoize from comment #18)
> OK.. I decided to open another bug for my thoughts on key change..
> 
> I'll pass this one but highlight to the RM that we may need to rethink the
> DB update.

I've commented on Bug 32078 with what I think would be a fairly straightforward
approach to allow key rotation.


2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #19 from David Cook  ---
(In reply to Martin Renvoize from comment #17)
> When we upgraded
> from SHA to BCrypt for user account hashing we added a layer inside the
> codebase to upgrade the hash on first access I seem to recall.

We were upgrading from MD5 hashes to BCrypt hashes, which were easy to
differentiate, since the BCrypt hashes started with "$2a$08$".

We also had the user input so you could always compare hashes. In this case
with the decryption I don't think there's any way to know whether or not you
got a valid decrypted value (unless the encryption module throws an
exception)...


2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA


2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #18 from Martin Renvoize  ---
OK.. I decided to open another bug for my thoughts on key change..

I'll pass this one but highlight to the RM that we may need to rethink the DB
update.


2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=32078



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #17 from Martin Renvoize  ---
Still contemplating QA here.. the code works as expected and I'm happy with the
implementation as a whole.

However.. I'm not so sure about the in place database upgrade... we tend to try
and steer away from referencing Koha modules from within the atomicupdates in
case there's a change to said module down the line.  That said.. that's not a
blocker for me, just a consideration.  When we upgraded from SHA to BCrypt for
user account hashing we added a layer inside the codebase to upgrade the hash
on first access I seem to recall.

My other pondering is around what happens if/when an admin wants to change the
encryption key for the server.. that's out of scope for this particular bug,
but I feel like we should have an option for it somewhere.. either a script to
update encrypted data to use the new key (given the old and new key as input)
or a way to define the keys as an array and upgrade on access or something
like that.
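
Added example (not part of the thread, not Koha's code and not the Koha::Encryption API): one way the "keys as an array, upgrade on access" idea from comment #17 could look, using a recognisable prefix to tell encrypted values from legacy plaintext and an authenticated cipher so that a wrong key is detected instead of returning garbage. The `enc:v1:` format, the key ids, the function names and the choice of AES-GCM from CryptX are all assumptions made for this illustration.

```perl
use strict;
use warnings;
use Crypt::AuthEnc::GCM qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG qw(random_bytes);
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed sample keyring (32-byte AES-256 keys); a real one would be
# loaded from server configuration, never hard-coded.
my %KEYRING = ( k1 => 'A' x 32, k2 => 'B' x 32 );
my $CURRENT = 'k2';    # key id used for all new writes

# Hypothetical stored format: enc:v1:<key id>:<base64(iv . tag . ciphertext)>
sub encrypt_value {
    my ( $plain, $key_id ) = @_;
    my $iv = random_bytes(12);    # fresh 96-bit nonce per value
    # The key id is passed as associated data so the header cannot be
    # swapped without failing authentication.
    my ( $ct, $tag ) =
      gcm_encrypt_authenticate( 'AES', $KEYRING{$key_id}, $iv, $key_id, $plain );
    return "enc:v1:$key_id:" . encode_base64( $iv . $tag . $ct, '' );
}

# Returns ( $plaintext, $replacement ); $replacement is defined when the
# stored value should be rewritten (legacy plaintext or an old key).
sub read_value {
    my ($stored) = @_;
    my ( $key_id, $b64 ) = $stored =~ /\Aenc:v1:([^:]+):(.+)\z/s
      or return ( $stored, encrypt_value( $stored, $CURRENT ) );    # legacy row
    my $key = $KEYRING{$key_id} // die "unknown key id '$key_id'\n";
    my $raw = decode_base64($b64);
    die "truncated ciphertext\n" if length($raw) < 28;    # 12-byte iv + 16-byte tag
    my ( $iv, $tag, $ct ) = unpack 'a12 a16 a*', $raw;
    # GCM verifies the tag: a wrong key or altered data yields undef
    # instead of silently returning garbage.
    my $plain = gcm_decrypt_verify( 'AES', $key, $iv, $key_id, $ct, $tag );
    die "authentication failed for key '$key_id'\n" unless defined $plain;
    my $new = $key_id eq $CURRENT ? undef : encrypt_value( $plain, $CURRENT );
    return ( $plain, $new );
}

# Constructed rows: legacy plaintext, value under the old key, value under
# the current key.
for my $row ( 'hunter2', encrypt_value( 's3cret', 'k1' ), encrypt_value( 'pw', 'k2' ) ) {
    my ( $plain, $new ) = read_value($row);
    printf "%-8s %s\n", $plain, defined $new ? "rewrite as $new" : 'up to date';
}
```

A caller would write `$replacement` back to the row whenever it is defined, so old keys can be dropped from the keyring once no stored value names them.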



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #16 from Martin Renvoize  ---
(In reply to Victor Grousset/tuxayo from comment #14)
> (In reply to Kyle M Hall from comment #9)
> > (In reply to Victor Grousset/tuxayo from comment #8)
> > > I don't get how to encrypt a password to an external service and still be
> > > able to use the external service. Does that mean Koha can in full autonomy
> > > decrypt it?
> > 
> > Yes, we store a key in the koha konf file for encryption and decryption. I
> > need to rebase this patch to use the work from Bug 28998.
> 
> Ok IIUC the security value doesn't come from encryption but from having the
> data out of the DB. So a simple SQL injection can't get it.
> Is there any gain compared to just storing the passwords into koha-conf.xml
> directly? 
> (hum, maybe Koha can't write to that file and that would need a separate
> file)
> Like is it a plausible attack scenario to be able to read the file but not
> the DB? That when needing both would help.

The value does come from the encryption.  If the database is somehow
compromised (for example, someone accidentally shares a backup.. it could be as
simple as that).. by having the data in the database encrypted the nefarious
actor doesn't have something useful to them.. They still need to hack the
machine to get ahold of the key (from the conf file) and/or read the code to
understand what sort of algorithm is used.

So this closes one door.. if they have full access to the server, they have all
the elements they need to access the plaintext credentials.. but the
improvement here is that they now have to have that full access rather than
just a db dump.



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

 QA Contact|testo...@bugs.koha-communit |martin.renvoize@ptfs-europe
   |y.org   |.com



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-11-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Martin Renvoize  changed:

   What|Removed |Added

 Attachment #142820|0   |1
is obsolete||

--- Comment #15 from Martin Renvoize  ---
Created attachment 142989
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142989=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account

Signed-off-by: David Nind 
Signed-off-by: Martin Renvoize 



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-31 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #14 from Victor Grousset/tuxayo  ---
(In reply to Kyle M Hall from comment #9)
> (In reply to Victor Grousset/tuxayo from comment #8)
> > I don't get how to encrypt a password to an external service and still be
> > able to use the external service. Does that mean Koha can in full autonomy
> > decrypt it?
> 
> Yes, we store a key in the koha konf file for encryption and decryption. I
> need to rebase this patch to use the work from Bug 28998.

Ok IIUC the security value doesn't come from encryption but from having the
data out of the DB. So a simple SQL injection can't get it.
Is there any gain compared to just storing the passwords into koha-conf.xml
directly? 
(hum, maybe Koha can't write to that file and that would need a separate file)
Like is it a plausible attack scenario to be able to read the file but not the
DB? That when needing both would help.



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

David Nind  changed:

   What|Removed |Added

 CC||da...@davidnind.com

--- Comment #13 from David Nind  ---
Testing notes (using koha-testing-docker):

1. Enable EDIFACT system preference
2. Creating EDI vendor accounts: Administration > Acquisition parameters > EDI
accounts
3. Before applying the patch, I added an EDI vendor account (to test that
existing accounts are updated)
3. Step 3 - SQL for report: select * from vendor_edi_accounts
4. Step 4 - after the databaseupdate: I ran flush_memcached and restart_all,
and cleared the browser cache



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

David Nind  changed:

   What|Removed |Added

 Attachment #142057|0   |1
is obsolete||

--- Comment #12 from David Nind  ---
Created attachment 142820
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142820=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account

Signed-off-by: David Nind 



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

David Nind  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 CC||martin.renvoize@ptfs-europe
   ||.com



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 Attachment #142056|0   |1
is obsolete||

--- Comment #11 from Kyle M Hall  ---
Created attachment 142057
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142057=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 Attachment #134302|0   |1
is obsolete||

--- Comment #10 from Kyle M Hall  ---
Created attachment 142056
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=142056=edit
Bug 30649: Vendor EDI account passwords should be encrypted in the database

We are storing edi vendor account passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

 Status|BLOCKED |Needs Signoff



[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

2022-10-18 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

Kyle M Hall  changed:

   What|Removed |Added

Summary|Vendor EDI account  |Vendor EDI account
   |passwords should be |passwords should be
   |encrypted   |encrypted in the database
