Details
-
Type:
Improvement
-
Status: Done/Fixed
-
Priority:
Major
-
Resolution: Fixed/Completed
-
Affects Version/s: Unscheduled
-
Fix Version/s: 4.6.12
-
Component/s: CiviCRM API, Core CiviCRM
-
Labels:
-
Documentation Required?:None
-
Funding Source:Core Team Funds
Description
Securely setting up an API key to integrate an external system demands significant effort, e.g.
- Setup HTTPS (generate keypair, generate csr, get it signed, install to server)
- Create a site key
- Create a CMS user
- Create a role and assign permissions to the role
- Assign an API key
- Send the site key and API key to the external system
- (Note: For some scripts, like bin/cron.php, the process is very similar, but you use a username and password instead of an API key.)
In an ideal world:
- An admin who wants to make a link could simply say "Connect to system X", review the expected permissions, and approve. Similarly, revoking access should be as simple as "Disconnect"ing.
- Permissions would be more fine-grained. In addition to specifying "view all contacts" or "administer CiviCRM", allow filtering based on specific API entities/actions/params.
- Public services aimed for general usage could be certified/audited to ensure that they operate securely (and banned if they abuse their access).
- Communications would be strongly encrypted, even on diverse/funky hosting infrastructure.
Attachments
Issue Links
- links to
(4 links to)
1.
|
CiviConnect: Allow apps to define a "Settings" link |
|
Done/Fixed | Tim Otten |
|
|
|||||||||
2.
|
CiviConnect: Publish and consume a certificate revocation list |
|
Done/Fixed | Tim Otten |
|
|
|||||||||
3.
|
CiviConnect: Implement enable/disable buttons | 
|
Done/Fixed | Tim Otten |
|
|
|||||||||
4.
|
CiviConnect: Detect changes in app metadata and prompt for approval | 
|
Open | Tim Otten |
|
|
|||||||||
5.
|
CiviConnect: Allow unlisted services without disabling security |
|
Open | Tim Otten |
|
|
|||||||||
6.
|
CiviConnect: Deploy |
|
Done/Fixed | Tim Otten |
|
|
|||||||||
7.
|
CiviConnect: Publish anonymized site profiles |
|
Done/Fixed | Coleman Watts |
|
|
Activity
There are still a few items on my TODO list, but the PR has a "complete" process for discovering, connecting, and disconnecting applications - and for enforcing limited API permissions. I think this is a good point to start some QA with a new person. It could particularly use some abuse in terms of weird sysadmin behavior
The remaining TODOs:
- (High) Display the list of requested permissions before making a connection
- (High) Publish and consume a certificate revocation list (CRL)
- (Medium) Completely hide shared secrets. (Currently, the Cxn.get API reveals them.)
- (Medium) Detect changes in app metadata (e.g. new permissions, new endpoint, new cert, new description) and prompt admin to approve.
- (Medium) Report more site metadata so that apps can be targeted/adapted better (e.g. Civi version, default language, extension list)
- (Low) Enable an authenticated "Settings" link (which redirects to the application's website)
- (Low) Change application guids from random hex to vanity strings (alphanumeric)
- (Low) Implement enable/disable buttons (to temporarily suspend an application without breaking cxn ID's)
There's a screenshot of this system at http://i.imgur.com/QQk0jHD.png .
Updated status on TODOs:
Done:
- (High) Display the list of requested permissions before making a connection
- (High) Respect "Force HTTPS" option
- (Medium) Completely hide shared secrets. (Currently, the Cxn.get API reveals them.)
- (Medium) Report more site metadata so that apps can be targeted/adapted better (e.g. Civi version, default language, extension list)
- (Low) Change application guids from random hex to vanity strings (alphanumeric)
WIP:
- (High) Publish and consume a certificate revocation list (CRL)
Todo:
- (Medium) Detect changes in app metadata (e.g. new permissions, new endpoint, new cert, new description) and prompt admin to approve.
- (Low) Enable an authenticated "Settings" link (which redirects to the application's website)
- (Low) Implement enable/disable buttons (to temporarily suspend an application without breaking cxn ID's)
Reassigning to Tim to work on outstandings.
The overall subsystem is launched, although there are 2 outstanding/non-critical issues related to the subsystem.We can close the overarching ticket.
PR: https://github.com/civicrm/civicrm-core/pull/5520
I'm not sure if you want to do QA or prefer Kurund or Coleman.