Closed Bug 1225366 Opened 9 years ago Closed 9 years ago

allow duo authentication for users already enrolled with duo

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: glob, Assigned: glob)

Attachments

(1 file)

i was chatting with atoll on irc about the duo situation on bmo.

he pointed me towards the /preauth endpoint:
https://www.duosecurity.com/docs/authapi#/preauth

this will allow us to change our enrolment process to provide duo support to users who are currently enrolled, and provide an appropriate message to people who are not.  this negates current duo licensing concerns.

after someone provides their ldap email address, we'd query /preauth and if we get { result: auth } or { result: allow } we can continue the enrolment process.

otherwise we should display a message that duo isn't available for their account.

once duo is available to all employees (q1 2016 is the current estimate), then we can update the message to direct people towards the enrolment process instead.
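The /preauth decision described above, written out as an added example (not code from BMO or from Duo's module): a function that takes the HTTP status and body of a /preauth reply and either continues enrolment (result `auth` or `allow`) or falls through to the "not available" message. It assumes the `stat`/`response` envelope of Duo's Auth API v2, and the function name and sample responses are constructed here.

```perl
#!/usr/bin/perl
# Added example (not BMO code): decide whether a user may continue BMO's
# Duo enrolment, based on the body of a Duo /preauth response.
use strict;
use warnings;
use JSON::PP ();
use Carp qw(croak);

# Only "auth" and "allow" continue enrolment, as described in the bug;
# "enroll", "deny" and anything unexpected lead to the "not available" page.
my %CONTINUE = map { $_ => 1 } qw(auth allow);

sub preauth_decision {
    my ($http_status, $body) = @_;

    # Never copy the raw body into an error: a proxy or WAF error page could
    # be HTML of any size and content. Report the status and a short prefix.
    my $summary = substr($body // '', 0, 64);

    croak("Duo /preauth returned HTTP $http_status") unless $http_status == 200;

    # Decode strictly instead of testing only the first character: a body
    # that starts with "{" but is not JSON would otherwise fail later.
    my $data = eval { JSON::PP->new->decode($body) };
    croak("Duo /preauth response is not JSON: '$summary'") unless ref $data eq 'HASH';

    # Assumption: Auth API v2 envelope {"stat":"OK","response":{"result":...}}.
    croak("Duo /preauth stat=" . ($data->{stat} // 'missing'))
        unless ($data->{stat} // '') eq 'OK';

    my $result = $data->{response}{result} // '';
    return $CONTINUE{$result}
        ? { continue => 1, result => $result }
        : { continue => 0, result => $result,
            message  => 'Duo Security MFA is not available for your account.' };
}

# Constructed sample responses (not captured from Duo).
my $enrolled     = '{"stat":"OK","response":{"result":"auth","status_msg":"Account is active"}}';
my $not_enrolled = '{"stat":"OK","response":{"result":"enroll","status_msg":"Enroll an authentication device to proceed"}}';

print "enrolled continue=",     preauth_decision(200, $enrolled)->{continue},     "\n";
print "not enrolled continue=", preauth_decision(200, $not_enrolled)->{continue}, "\n";
```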
"our enrolment process" above references BMO's MFA enrolment process, not login.mozilla.com or Duo iframe enrolment process.

Advise discussing with :rtucker to confirm, but I'm happy to be online for that if needed to clarify/research/whatever anything here.
Attached patch 1225366_1.patch
- add preauth check so we can display a nice error to the user if they are not duo-enrolled
Assignee: nobody → glob
Status: NEW → ASSIGNED
Attachment #8688857 - Flags: review?(dylan)
Comment on attachment 8688857 [details] [diff] [review]
1225366_1.patch

Review of attachment 8688857 [details] [diff] [review]:
-----------------------------------------------------------------

::: Bugzilla/DuoAPI.pm
@@ +143,5 @@
> +    my $self = shift;
> +    my $res = $self->api_call(@_);
> +    my $json = $res->content();
> +    if ($json !~ /^{/) {
> +        croak($json);
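Review bot: the `$json !~ /^{/` test on the fourth quoted line inspects only the first character, so a body that begins with `{` but is not valid JSON passes here and fails later in the decoder, and `croak($json)` on the following line puts the entire raw response body into the error message; when the upstream reply is a proxy or HTML error page that is a large, untrusted string ending up in logs. Decoding the body inside an `eval` and croaking with a short fixed message (plus the HTTP status) would cover both cases.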

Would this be more useful as croak('Invalid response: ' . $json); ?

::: template/en/default/account/prefs/mfa.html.tmpl
@@ +138,4 @@
>        [% IF Param("duo_host") && user.in_group("mozilla-employee-confidential") %]
>          <button type="button" id="mfa-select-duo">Duo Security</button><br>
>          <blockquote>
> +          Requires a <a href="https://login.mozilla.com/duo_enrollments/" target="_blank">Duo Security</a>
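Review bot: the anchor on the `+` line opens login.mozilla.com with `target="_blank"` but without `rel="noopener noreferrer"`, so the opened page gets a `window.opener` reference back to the BMO preferences page. The destination here is a Mozilla host, so the exposure is small, but the attribute costs nothing and keeps the pattern safe if the link target is changed later (for example to a wiki page).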

Consider linking to a mana page here, rather than to login.m.c, since the relevant EUS mana page would provide users with steps to *request* Duo, and once you've received an allocation, to *enroll* Duo - while the page linked here only functions if you are both permitted to enroll AND haven't yet actually enrolled yet.

::: template/en/default/mfa/duo/not_enrolled.html.tmpl
@@ +48,5 @@
> +    completed the Duo Security enrollment process.
> +  </p>
> +
> +  <p>
> +    Note: Duo Security MFA may not yet be available for your Mozilla account.

Consider "Contact EUS for more information" or similar.
(In reply to Richard Soderberg [:atoll] from comment #3)
> ::: Bugzilla/DuoAPI.pm
> Would this be more useful as croak('Invalid response: ' . $json); ?

that's code from a module duo supplies so i'm hesitant to carry changes here unless necessary.  in this case it isn't :)

> Consider linking to a mana page here, rather than to login.m.c, since the
> relevant EUS mana page would provide users with steps to *request* Duo, and
> once you've received an allocation, to *enroll* Duo - while the page linked
> here only functions if you are both permitted to enroll AND haven't yet
> actually enrolled yet.

sounds reasonable.
https://mana.mozilla.org/wiki/display/SD/DuoSecurity ?
 
> > +    Note: Duo Security MFA may not yet be available for your Mozilla account.
> 
> Consider "Contact EUS for more information" or similar.

also reasonable; thanks.
Sure, that looks like a good link.
Comment on attachment 8688857 [details] [diff] [review]
1225366_1.patch

Review of attachment 8688857 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

(it took some digging to find my duo testing creds)
Attachment #8688857 - Flags: review?(dylan) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   94800e1..14bb07a  master -> master
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED