From d3013b50cb2676a5fc2ad0a9ac0840e6c4cd2057 Mon Sep 17 00:00:00 2001
From: "Guillaume Destuynder (kang)"
Date: Thu, 15 Feb 2018 15:22:05 -0800
Subject: [PATCH 1/4] Fix 174 Add default-off rule that denies login for maintenance. Order is 999. Only use this when required as it forbids ALL logins. NOTE: This introduce a new message 'maintenancemode' which needs to also be present on the sso dashboard (it works without, but looks prettier with)
---
rules/default-deny-for-maintenance.js | 6 ++++++
rules/default-deny-for-maintenance.json | 4 ++++
2 files changed, 10 insertions(+)
create mode 100644 rules/default-deny-for-maintenance.js
create mode 100644 rules/default-deny-for-maintenance.json
diff --git a/rules/default-deny-for-maintenance.js b/rules/default-deny-for-maintenance.js
new file mode 100644
index 0000000..5b421e3
--- /dev/null
+++ b/rules/default-deny-for-maintenance.js
@@ -0,0 +1,6 @@
+function (user, context, callback) {
+ // Denies all users from logging in
+ // Only use for maintenance purposes
+
+ return callback(null, user, global.postError('maintenancemode', context));
+}
diff --git a/rules/default-deny-for-maintenance.json b/rules/default-deny-for-maintenance.json
new file mode 100644
index 0000000..06ac848
--- /dev/null
+++ b/rules/default-deny-for-maintenance.json
@@ -0,0 +1,4 @@
+{
+ "enabled": false,
+ "order": 999
+}
From 4d2121494ac3048e98cfffa3ce74578ed3858dc4 Mon Sep 17 00:00:00 2001
From: "Guillaume Destuynder (kang)"
Date: Wed, 28 Mar 2018 15:44:41 -0700
Subject: [PATCH 2/4] Support newer fxa claims for twofa, picture, etc.
---
manual/social-fxa.js | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/manual/social-fxa.js b/manual/social-fxa.js
index a5d0d98..256c372 100644
--- a/manual/social-fxa.js
+++ b/manual/social-fxa.js
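Review bot: The rule rejects every login but writes nothing to the log, so an operator reading the webtask logs cannot tell that maintenance mode, rather than some other rule, denied the user; the sibling Force-MFA rule logs the denied `user.user_id` before calling `global.postError`. Adding `console.log('Login denied: maintenance mode is enabled, user: '+user.user_id);` before the return makes each denial attributable. The rule also presumably relies on `global.postError` being defined by an earlier rule in the pipeline; if that rule is disabled the call throws, which still blocks the login but with a generic error instead of the `maintenancemode` message, and the header comment should say so.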
@@ -4,12 +4,6 @@
 // Token endpoint: https://oauth-latest.dev.lcip.org/v1/token
 // scopes: openid profile
 function(accessToken, ctx, cb) {
- // An Fxa profile looks like:
- // {
- // "email": "kang+fxa@mozilla.com",
- // "uid": "14e701f4bfd647ce925c0239a2065665",
- // "sub": "14e701f4bfd647ce925c0239a2065665"
- // }
 // See docs at https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction
 request.get('https://latest.dev.lcip.org/profile/v1/profile', {
 'headers': {
@@ -23,11 +17,17 @@ function(accessToken, ctx, cb) {
 }
 var p = JSON.parse(b);
+ // If you need to debug FxA's reply, un-comment this and look at the webtask logs
+ // console.log('FxA profile output: '+p);
 return cb(null, {
 user_id: p.uid,
+ picture: p.avatar,
+ preferredLanguage: p.locale,
 email: p.email,
 email_verified: true,
- fxa_sub: p.sub
+ fxa_sub: p.sub,
+ fxa_amrValues: p.amrValues,
+ fxa_twoFactorAuthentication: p.twoFactorAuthentication
 });
 });
From e7b8bac3c69c23df21b946e67246d7d18ffdf472 Mon Sep 17 00:00:00 2001
From: "Guillaume Destuynder (kang)"
Date: Wed, 28 Mar 2018 15:49:22 -0700
Subject: [PATCH 3/4] Change GitHub force MFA rule to be a global social provider force-MFA rule Add FxA to enforced MFA rules
---
rules/Force-MFA-setup-for-GitHub-logins.js | 8 --------
rules/Force-MFA-setup-for-social-logins.js | 18 ++++++++++++++++++
... => Force-MFA-setup-for-social-logins.json} | 0
3 files changed, 18 insertions(+), 8 deletions(-)
delete mode 100644 rules/Force-MFA-setup-for-GitHub-logins.js
create mode 100644 rules/Force-MFA-setup-for-social-logins.js
rename rules/{Force-MFA-setup-for-GitHub-logins.json => Force-MFA-setup-for-social-logins.json} (100%)
diff --git a/rules/Force-MFA-setup-for-GitHub-logins.js b/rules/Force-MFA-setup-for-GitHub-logins.js
deleted file mode 100644
index 55859ac..0000000
--- a/rules/Force-MFA-setup-for-GitHub-logins.js
+++ /dev/null
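Review bot: The debugging line kept in a comment, `// console.log('FxA profile output: '+p);`, would print `[object Object]` if uncommented, because `p` is the parsed object; `JSON.stringify(p)` (or the raw body `b`) is what the comment intends. In either form it writes the user's email, uid and locale into the webtask logs, so the comment should state that it must stay commented out except while debugging. The new `fxa_twoFactorAuthentication` claim is passed through unvalidated; when FxA omits it the consuming MFA rule sees `undefined`, which denies the login (fail-closed), and a one-line comment here recording that dependency would keep the two files in step. The enclosing `function(accessToken, ctx, cb)` starts before this hunk.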
@@ -1,8 +0,0 @@
-function (user, context, callback) {
- if ((context.connection === 'github') && (!user.two_factor_authentication)) {
- console.log('GitHub user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
- return callback(null, user, global.postError('githubrequiremfa', context));
- } else {
- return callback(null, user, context);
- }
-}
diff --git a/rules/Force-MFA-setup-for-social-logins.js b/rules/Force-MFA-setup-for-social-logins.js
new file mode 100644
index 0000000..b44e65d
--- /dev/null
+++ b/rules/Force-MFA-setup-for-social-logins.js
@@ -0,0 +1,18 @@
+function (user, context, callback) {
+ if ((context.connection === 'github') && (!user.two_factor_authentication)) {
+ // Force MFA for GitHub logins
+ console.log('GitHub user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
+ return callback(null, user, global.postError('githubrequiremfa', context));
+ } else if ((context.connection === 'github') && (!user.fxa_twoFactorAuthentication)) {
+ // Force MFA for Firefox Accounts (FxA) logins
+ // Note FxA also provides the standard amrValues which can be used to specify which 2FA we want to allow.
+ // Right now we trust FxA to make this choice for us (which is, require TOTP for user.fxa_twoFactorAuthentication to
+ // be set to True
+ console.log('Firefox Accounts user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
+ return callback(null, user, global.postError('fxarequiremfa', context));
+
+ // Forcing MFA for Google accounts is not currently supported
+ } else {
+ return callback(null, user, context);
+ }
+}
diff --git a/rules/Force-MFA-setup-for-GitHub-logins.json b/rules/Force-MFA-setup-for-social-logins.json
similarity index 100%
rename from rules/Force-MFA-setup-for-GitHub-logins.json
rename to rules/Force-MFA-setup-for-social-logins.json
From 0ab76ed07871de5c730f2265001835915445031e Mon Sep 17 00:00:00 2001
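Review bot: The comment `// Forcing MFA for Google accounts is not currently supported` sits after an unconditional `return` inside the FxA branch, where it reads as part of that branch; it belongs in the final `else`, the only block a Google login actually reaches. The FxA log line reports that 2FA "was disabled" whenever `user.fxa_twoFactorAuthentication` is falsy, which also covers the claim being absent altogether (for instance if the social-fxa.js mapping is not deployed); logging the raw value, e.g. `'... fxa_twoFactorAuthentication='+user.fxa_twoFactorAuthentication+' user: '+user.user_id`, lets an operator distinguish a user without 2FA from a broken claim. The parenthesis opened in `(which is, require TOTP for ...` is never closed, so the two comment lines should be reflowed into one sentence.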
From: "Guillaume Destuynder (kang)"
Date: Wed, 28 Mar 2018 16:03:21 -0700
Subject: [PATCH 4/4] Add FirefoxAccounts social connection type to the possible matches, same level as GitHub (2FA enforcement available)
---
rules/Force-MFA-setup-for-social-logins.js | 2 +-
rules/force-users-login-most-secure-method.js | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/Force-MFA-setup-for-social-logins.js b/rules/Force-MFA-setup-for-social-logins.js
index b44e65d..24ca504 100644
--- a/rules/Force-MFA-setup-for-social-logins.js
+++ b/rules/Force-MFA-setup-for-social-logins.js
@@ -3,7 +3,7 @@ function (user, context, callback) {
 // Force MFA for GitHub logins
 console.log('GitHub user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
 return callback(null, user, global.postError('githubrequiremfa', context));
- } else if ((context.connection === 'github') && (!user.fxa_twoFactorAuthentication)) {
+ } else if ((context.connection === 'firefoxaccounts') && (!user.fxa_twoFactorAuthentication)) {
 // Force MFA for Firefox Accounts (FxA) logins
 // Note FxA also provides the standard amrValues which can be used to specify which 2FA we want to allow.
 // Right now we trust FxA to make this choice for us (which is, require TOTP for user.fxa_twoFactorAuthentication to
diff --git a/rules/force-users-login-most-secure-method.js b/rules/force-users-login-most-secure-method.js
index 7c15478..f136f34 100644
--- a/rules/force-users-login-most-secure-method.js
+++ b/rules/force-users-login-most-secure-method.js
@@ -48,6 +48,7 @@ var WHITELIST = ['HvN5D3R64YNNhvcHKuMKny1O0KJZOOwH', // mozillians.org account v
 // Lower is better
 var matchOrder = {'ad': 0,
 'github': 1,
+ 'firefoxaccounts': 1,
 'google-oauth2': 2,
 'email': 3
 };
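Review bot: The connection name `'firefoxaccounts'` is matched with `===`, so any mismatch with the name configured in Auth0 (spelling or case) falls through to the permissive `else` and the login proceeds with no MFA check at all, i.e. the rule fails open on misconfiguration, and the same literal is repeated in force-users-login-most-secure-method.js where it can drift independently. A comment on the changed line, `// must equal the Auth0 connection name for Firefox Accounts exactly; a mismatch silently skips enforcement`, plus one test login through that connection after deployment, would catch this. The enclosing function starts before this hunk.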
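Review bot: Ranking `'firefoxaccounts'` at the same level as `'github'` encodes the assumption that MFA is enforced for it, but that enforcement lives in Force-MFA-setup-for-social-logins.js and only holds while that rule is enabled (its .json is renamed from the GitHub one and its enabled flag is not visible here). Recording the dependency on the new line, `'firefoxaccounts': 1, // same level as github: relies on Force-MFA-setup-for-social-logins.js being enabled`, tells the next maintainer what must stay true before demoting or promoting this entry. The code that consumes `matchOrder` lies outside this hunk.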