CRM-16173 System for simple, secure API connections

    Details

    • Documentation Required?:
      None
    • Funding Source:
      Core Team Funds

      Description

      Securely setting up an API key to integrate an external system demands significant effort, e.g.

      • Set up HTTPS (generate keypair, generate CSR, get it signed, install to server)
      • Create a site key
      • Create a CMS user
      • Create a role and assign permissions to the role
      • Assign an API key
      • Send the site key and API key to the external system
      • (Note: For some scripts, like bin/cron.php, the process is very similar, but you use a username and password instead of an API key.)

      In an ideal world:

      • An admin who wants to make a link could simply say "Connect to system X", review the expected permissions, and approve. Similarly, revoking access should be as simple as clicking "Disconnect".
      • Permissions would be more fine-grained. In addition to specifying "view all contacts" or "administer CiviCRM", allow filtering based on specific API entities/actions/params.
      • Public services aimed for general usage could be certified/audited to ensure that they operate securely (and banned if they abuse their access).
      • Communications would be strongly encrypted, even on diverse/funky hosting infrastructure.
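The fine-grained permission model described above (filtering by API entity, action and parameters rather than granting "view all contacts" wholesale) can be sketched as a deny-by-default policy check. The following is an added illustration written for this page; it is not CiviCRM's code and not the implementation in the linked PR. The names Rule, authorize, MAILING_APP_RULES and ADMIN_RULES, and the sample grant for a "mailing analytics" app, are constructed for the example. It also covers the failure mode a practitioner cares about: a constrained parameter that the client simply omits must be treated as a denial, otherwise an app could drop the filter and read everything.

```python
# Added example (not CiviCRM's code): a deny-by-default model of the
# fine-grained API permissions described in the ticket. A connected app is
# granted rules; each rule names an API entity, the actions it may call, and
# optional constraints on request parameters. Names such as Rule, authorize
# and the sample rules are assumptions made for this illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Rule:
    entity: str                 # API entity, e.g. "Contact"; "*" matches any
    actions: frozenset          # allowed actions, e.g. {"get"}; {"*"} means any
    params: dict = field(default_factory=dict)  # param name -> tuple of allowed values

    def matches(self, entity: str, action: str, params: dict) -> bool:
        if not fnmatchcase(entity, self.entity):
            return False
        if "*" not in self.actions and action not in self.actions:
            return False
        # Every constrained parameter must be present and within the allowed
        # values. Treating an omitted parameter as a match would let a client
        # drop the filter and read everything, so absence is a denial.
        for name, allowed in self.params.items():
            if name not in params or params[name] not in allowed:
                return False
        return True


def authorize(rules, entity: str, action: str, params: dict):
    """Return (allowed, reason). Deny unless some rule explicitly matches."""
    for rule in rules:
        if rule.matches(entity, action, params):
            acts = ",".join(sorted(rule.actions))
            return True, f"allowed by rule {rule.entity}.{acts}"
    return False, f"no rule grants {entity}.{action}"


# Constructed sample grant for a hypothetical "mailing analytics" app: it may
# read individual contacts and read mailings, and nothing else.
MAILING_APP_RULES = [
    Rule("Contact", frozenset({"get", "getcount"}), {"contact_type": ("Individual",)}),
    Rule("Mailing", frozenset({"get"})),
]

# A broad, coarse-grained grant of the "administer CiviCRM" kind, for contrast.
ADMIN_RULES = [Rule("*", frozenset({"*"}))]


if __name__ == "__main__":
    # Constructed sample requests an app might send over the connection.
    requests = [
        ("Contact", "get", {"contact_type": "Individual", "return": "email"}),
        ("Contact", "get", {}),                      # filter omitted -> denied
        ("Contact", "get", {"contact_type": "Organization"}),
        ("Contact", "delete", {"id": 42}),
        ("Mailing", "get", {"is_completed": 1}),
        ("Mailing", "create", {"name": "x"}),
    ]
    for entity, action, params in requests:
        ok, why = authorize(MAILING_APP_RULES, entity, action, params)
        print(f"{entity}.{action:<7} {'ALLOW' if ok else 'DENY':5} {why}")
```

The point of the model is that the grant is evaluated per request at the API boundary, so an admin reviewing "Connect to system X" sees exactly the entity/action/parameter combinations the app will be able to use, and revoking the rules is all that "Disconnect" needs to do.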

          Activity
          Tim Otten added a comment -

          PR: https://github.com/civicrm/civicrm-core/pull/5520

          I'm not sure if you want to do QA or prefer Kurund or Coleman.

          Tim Otten added a comment -

          There are still a few items on my TODO list, but the PR has a "complete" process for discovering, connecting, and disconnecting applications - and for enforcing limited API permissions. I think this is a good point to start some QA with a new person. It could particularly use some abuse in terms of weird sysadmin behavior.

          The remaining TODOs:

          • (High) Display the list of requested permissions before making a connection
          • (High) Publish and consume a certificate revocation list (CRL)
          • (Medium) Completely hide shared secrets. (Currently, the Cxn.get API reveals them.)
          • (Medium) Detect changes in app metadata (e.g. new permissions, new endpoint, new cert, new description) and prompt admin to approve.
          • (Medium) Report more site metadata so that apps can be targeted/adapted better (e.g. Civi version, default language, extension list)
          • (Low) Enable an authenticated "Settings" link (which redirects to the application's website)
          • (Low) Change application guids from random hex to vanity strings (alphanumeric)
          • (Low) Implement enable/disable buttons (to temporarily suspend an application without breaking cxn ID's)

          Tim Otten added a comment -

          There's a screenshot of this system at http://i.imgur.com/QQk0jHD.png .

          Updated status on TODOs:

          Done:

          • (High) Display the list of requested permissions before making a connection
          • (High) Respect "Force HTTPS" option
          • (Medium) Completely hide shared secrets. (Currently, the Cxn.get API reveals them.)
          • (Medium) Report more site metadata so that apps can be targeted/adapted better (e.g. Civi version, default language, extension list)
          • (Low) Change application guids from random hex to vanity strings (alphanumeric)

          WIP:

          • (High) Publish and consume a certificate revocation list (CRL)

          Todo:

          • (Medium) Detect changes in app metadata (e.g. new permissions, new endpoint, new cert, new description) and prompt admin to approve.
          • (Low) Enable an authenticated "Settings" link (which redirects to the application's website)
          • (Low) Implement enable/disable buttons (to temporarily suspend an application without breaking cxn ID's)

          David Greenberg added a comment -

          Reassigning to Tim to work on outstandings.

          Tim Otten added a comment -

          The overall subsystem is launched, although there are 2 outstanding/non-critical issues related to the subsystem. We can close the overarching ticket.

            People

            • Assignee:
              Tim Otten
            • Reporter:
              Tim Otten


                Time Tracking

                • Estimated (original estimate):
                  2d 1h 30m
                • Remaining:
                  3d 4h 30m
                • Logged (time spent):
                  1w 3d 1h 5m