Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bring production up to date with master #286

Merged
merged 212 commits into from
Sep 18, 2019
Merged

Bring production up to date with master #286

merged 212 commits into from
Sep 18, 2019

Conversation

gene1wood
Copy link
Contributor

This will bring the production branch up to date with what's live in production. It will also apply two changes that are live in dev, and present in master but not yet live in production.

gdestuynder and others added 30 commits May 18, 2018 14:45
…m/cis/blob/master/docs/rfcs/AutomaticAccessExpiration.md

Note that the users MUST have an authoritativeGroups entry for the
clientid (uuid) for the access to be updated (authoritativeGroups.lastUsed) and granted/denied.

This means code in the Auth0 publisher needs to be added to detect when
the value is setup and add the attribute to the corresponding users ; or
; default setup `lastUsed` on the first login attempt (which has the
vulnerability of being able to "never login" then 10000 days later still
be able to login for the first time. This is less of an issue for RPs
that would always have had this setup of course.

Note also that this is fully independent from access groups and any
other access, and overrides every other access when setup.

See also: mozilla-iam/sso-dashboard-configuration#148
This involves some refactoring.

Note that this also means:
- accessing *any* RP will update your authoritativeGroups.lastUsed
timestamp for that RP
- only RPs with an expiration setting in apps.yml will enforce the
access expiration at this time. We may enable it by default everywhere
in the future.
- if you are granted access to an RP, but never use the access, your
timestamp in lastUsed is never set. This means you can keep that access
and it will NOT expire until you first login to the RP, and after the
lastUsed attribute expires. This is a known issue that we're accepting
as expiration of access is yet another additional level of security, not the
primary decision for access.

We may be able to fix the issue eventually, if groups get tied to roles,
which themselves must be tied to an RP-subject for example (so that we
know why RPs you have access to, and thus set your lastUsed timestamp as
soon as you get access, regardless of you logging in or not)
Support for expiration of access
clarify examples and settings
but this solves the primary account method for mozilians.org until we
come up with a good primary login method selection UX
force Fxa to be higher security than github. it may or may not be true, but this solves the primary account method for mozilians.org until we come up with a good primary login method selection UX
caching reasons (it may be longer to update)
2fa work-around for a not-so-corner case
…nstead of the AAL state (comes from

id_token only)
check the fxa 2fa param (comes from user info endpoint or id_token) i…
Fix nodejs8 support for fetch user script jsonwebtoken no longer returns a string
last-resort maintenance page for login
It uses
https://github.com/mozilla-iam/cis/blob/profilev2/docs/.well-known/mozilla-iam.json
and stores 2 new configuration variables (the public key to verify and
the well-known endpoint URL)
This comment should have changed when 0e6cf7d was made.
This is to facilitate testing Common Voice using passwordless and LDAP without ratcheting
gene1wood and others added 13 commits August 26, 2019 07:37
Tested out webtask cacheing and confirmed that it does work
Support wildcards in AWS-Federated-AMR role picker
This was deployed but removed from the repo
Re-introduce Everyone-is-in-the-everyone-group.js This was deployed but removed from the repo
disabling rule for now
# Conflicts:
#	README.md
#	manual/social-fxa.js
#	pages/login.html
#	rules/AccessRules.json
#	rules/Everyone-is-in-the-everyone-group.json
#	rules/Force-MFA-setup-for-GitHub-logins.json
#	rules/Force-MFA-setup-for-social-logins.json
#	rules/SAML-gcp-gsuite.json
#	rules/SAML-test-mozilla-com-google.json
#	rules/SAML-thinksmart.json
#	rules/force-users-login-most-secure-method.js
#	rules/temporary-LDAP-re-reintegration.json
#	rules/temporary-cis-api-integration.json
#	rules/temporary-hrdata.js
#	rules/temporary-hrdata.json
buildspec.yml Show resolved Hide resolved
rules/AWS-Federated-AMR.js Show resolved Hide resolved
Makefile Show resolved Hide resolved
gene1wood and others added 6 commits September 16, 2019 11:14
Add some details to the README about CI
These two rules don't exist in the master branch
nor in the live dev or production environments

Force-MFA-setup-for-GitHub-logins.js
temporary-cis-api-integration.js
…on because it was reverted out of production in #227
@gene1wood gene1wood merged commit e35db32 into mozilla-iam:production Sep 18, 2019
@gene1wood
Copy link
Contributor Author

This was deployed live at 7:35am PDT

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants