User: Make email required at all times, password required for new users

[Maffooch]

Creating local users is not the best experience. To accommodate a flow that supports sending temporary passwords to user, and forcing them to login again, we need to make the password field and email field required attributes for new users

[sc-7616]

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the security and robustness of the user management functionality by enforcing email and password requirements, restricting password updates, validating password strength, implementing least privilege, and improving test coverage.

Expand for full summary

Summary:

The code changes in this pull request focus on improving the security and robustness of the user management functionality in the application. The changes include:

1. Enforcing Email and Password Requirements: The changes ensure that email and password fields are required when creating or editing user accounts, which helps to maintain better user identification and authentication.

2. Restricting Password Updates: The changes disallow password updates through the API, forcing users to update their passwords through a more secure and user-controlled process, such as a web interface or a dedicated password reset functionality.

3. Validating Password Strength: The changes include tests to ensure that the application properly validates the strength of user passwords, preventing the use of weak passwords that could lead to security vulnerabilities.

4. Implementing Least Privilege: The changes include tests to ensure that users are only granted the minimum required permissions based on their roles and responsibilities, following the principle of least privilege.

5. Improving Test Coverage: The changes introduce new test cases to cover various security-related aspects of the user management functionality, such as user creation, password validation, and permission management. This helps to ensure the overall security and reliability of the application.

Files Changed:

• unittests/test_apiv2_notifications.py: The changes add an email field to the user creation payload in the test case, which is a common requirement for user registration. The changes also ensure that the test environment is properly cleaned up after the tests are completed.
• dojo/forms.py: The changes make the email field required and the password field required in the user creation and editing forms, which improves the overall security of the user management functionality.
• tests/user_test.py: The changes introduce a new user with a strong password and the "Writer" global role. While the password used in the test case is strong, the code should avoid directly setting passwords and instead use hashed and salted passwords to protect against password-related attacks.
• dojo/api_v2/serializers.py: The changes require the email field in the UserSerializer and restrict password updates through the API, which are positive security enhancements.
• unittests/test_apiv2_user.py: The changes include tests for user creation with strong and weak passwords, as well as tests for password update restrictions, which help to ensure the security of the User API endpoint.
• unittests/test_rest_framework.py: The changes introduce new test cases to ensure that users can only be created with the appropriate permissions, which helps to prevent unauthorized access and privilege escalation.

Code Analysis

We ran 9 analyzers against 6 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	4 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[mtesauro]

Approved

[cneill]

Just a small comment about one of the tests

[cneill]

I guess test_create_user_with_non_configuration_permissions will fail with both object does not exist and a message about the user missing a password, but seems like we should supply the password just to make it clearer what's supposed to fail here.

[Maffooch]

sure thing