Bug 1861888 - Requiring Staff To Use Duo 2FA On Bugzilla #2145

Merged: 11 commits merged on Jan 26, 2024

@dklawren dklawren commented Dec 8, 2023

  • This pull request adds two new config parameters, duo_required_group and duo_required_excluded_group.
  • Any user that is added to the duo_required_group will automatically be redirected to the MFA preferences page if their current MFA is not set to Duo.
  • There they will be able to configure Duo for their account using the standard enrollment procedure.
  • If the user account is a member of the duo_required_excluded_group, then they will not be redirected to the MFA page and will operate normally.
  • Only bot accounts (addresses ending in tld or bugs) should be allowed to be added to the excluded group.
  • If a member of the required group is removed from that group, they are logged out, their password is cleared, and their MFA is cleared. They can then reset their password and set up TOTP instead.
  • If they were previously not a member and are added, then they are logged out and the next time they log in, they are redirected to the MFA page if they are not already Duo enrolled. Otherwise they operate normally.
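
The redirect and membership-change rules in the description above, modelled as an added example that is not part of this pull request or of Bugzilla's code. The group names, hash fields and function names are assumptions made for illustration; the bot-account restriction on the excluded group is not modelled.

```perl
use strict;
use warnings;

# Added model of the policy in the PR description; not Bugzilla's own code.
# The group names are constructed placeholders for the two new parameters.
my %param = (
    duo_required_group          => 'example-duo-required',
    duo_required_excluded_group => 'example-duo-excluded',
);

sub in_group { my ($user, $group) = @_; return $user->{groups}{$group} ? 1 : 0 }
# Outcome of a request from a logged-in user (hypothetical helper).
sub request_action {
    my ($user) = @_;
    return 'normal' if in_group($user, $param{duo_required_excluded_group});
    return 'normal' if !in_group($user, $param{duo_required_group});
    return $user->{mfa} eq 'Duo' ? 'normal' : 'redirect to MFA preferences';
}

# Side effects of adding to or removing from the required group (hypothetical).
sub set_required {
    my ($user, $member) = @_;
    my $group = $param{duo_required_group};
    return if in_group($user, $group) == ($member ? 1 : 0);    # no change
    $user->{logged_in} = 0;              # either direction forces a logout
    if ($member) { $user->{groups}{$group} = 1; return; }
    delete $user->{groups}{$group};
    $user->{password} = undef;           # user must reset the password
    $user->{mfa}      = '';              # and may then set up TOTP
    return;
}

# Decision table over every combination, using constructed users.
for my $required (0, 1) {
    for my $excluded (0, 1) {
        for my $mfa ('', 'TOTP', 'Duo') {
            my %groups;
            $groups{ $param{duo_required_group} }          = 1 if $required;
            $groups{ $param{duo_required_excluded_group} } = 1 if $excluded;
            my $user = { groups => \%groups, mfa => $mfa, logged_in => 1 };
            printf "required=%d excluded=%d mfa=%-4s -> %s\n",
                $required, $excluded, $mfa || 'none', request_action($user);
        }
    }
}
# Membership transition: a constructed TOTP user is added to the required group.
my $staff = { groups => {}, mfa => 'TOTP', logged_in => 1, password => 'set' };
set_required($staff, 1);
print "after add: logged_in=$staff->{logged_in}, next login: ", request_action($staff), "\n";
```

The table makes the precedence visible: membership in the excluded group yields `normal` in every row, and only a required, non-excluded user without Duo is redirected.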

@dklawren dklawren added the WIP label Dec 8, 2023
@dklawren dklawren requested a review from cgsheeh January 6, 2024 22:29
@dklawren dklawren removed the WIP label Jan 6, 2024

@cgsheeh cgsheeh left a comment

Makes sense to me.

@@ -352,6 +375,14 @@ sub get {
}
}

# If calling user is member of mozilla-employee-confidential,
# return ldap_email value as well
if (Bugzilla->user->in_group('mozilla-employee-confidential')
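
Review bot: on the `if (Bugzilla->user->in_group('mozilla-employee-confidential')` line, the comment above it says the gate is on the calling user, so the check has to stay bound to the logged-in account. If a local variable replaces `Bugzilla->user` here, it should be one that can only hold the caller and never the account being looked up, otherwise the decision to return `ldap_email` would rest on the wrong account's group membership. A variable name that makes the caller explicit would keep that unambiguous.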
Nit: you can use $user here.

@dklawren

I updated the code in Bugzilla/WebService/User.pm get() to have more consistent variable naming when dealing with the logged-in user and the user objects being returned. Hopefully the code is less confusing now and less error-prone.

@dklawren dklawren requested a review from cgsheeh January 19, 2024 17:55
@dklawren

Re-requesting review: Test script has been updated to cover more functionality. I am now setting the mfa_required_date to a date in the past (immediate change needed) which should require the user to set up TOTP when removed from the duo_required_group.

@dklawren dklawren merged commit 669203b into mozilla-bteam:master Jan 26, 2024
17 checks passed