Bug 1213757 - delegate password and 2fa resets to servicedesk
Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Classification: Other
Component: General
: Production
: Unspecified Unspecified
-- normal
: ---
Assigned To: Byron Jones ‹:glob›
Reported: 2015-10-12 00:26 PDT by Byron Jones ‹:glob›
Modified: 2015-10-29 09:05 PDT

Attachments
1213757_1.patch (4.85 KB, patch)
2015-10-12 01:02 PDT, Byron Jones ‹:glob›
dylan: review-
dylan: feedback+
1213757_2.patch (4.85 KB, patch)
2015-10-13 23:08 PDT, Byron Jones ‹:glob›
dylan: review+

Description Byron Jones ‹:glob› 2015-10-12 00:26:19 PDT
in order to centralise identity verification we're going to delegate security-group password and 2fa resets to servicedesk.

we need to:
- change the email address in the "you need to contact us to reset your password" from bmo-admin to servicedesk
- change the "can disable 2fa" group from admin to a new group
- create a new "servicedesk" group, owned by mpoessy
Comment 1 Reed Loden [:reed] (use needinfo?) 2015-10-12 00:57:59 PDT
And how do you deal with non-MoCo employees who don't have access to servicedesk?
Comment 2 Byron Jones ‹:glob› 2015-10-12 01:02:39 PDT
Created attachment 8672497
1213757_1.patch

- add bz_can_disable_mfa group
- move mfa checks and auditing from editusers to Bugzilla::User
- update contact email address in SecureMail
Comment 3 Byron Jones ‹:glob› 2015-10-12 01:29:40 PDT
(In reply to Reed Loden [:reed] (use needinfo?) from comment #1)
> And how do you deal with non-MoCo employees who don't have access to
> servicedesk?

servicedesk will forward the request to the bmo admins to take action.
Comment 4 Byron Jones ‹:glob› 2015-10-12 21:23:54 PDT
i've created and populated the 'servicedesk' group.
Comment 5 Dylan Hardison [:dylan] 2015-10-13 17:09:49 PDT
Comment on attachment 8672497
1213757_1.patch

Review of attachment 8672497:
-----------------------------------------------------------------

This one also conflicted with the duo patch as well. After working around that it seems mostly sane though.
Comment 6 Byron Jones ‹:glob› 2015-10-13 23:08:27 PDT
Created attachment 8673484
1213757_2.patch
Comment 7 Dylan Hardison [:dylan] 2015-10-15 08:53:16 PDT
Comment on attachment 8673484
1213757_2.patch

Review of attachment 8673484:
-----------------------------------------------------------------

r=dylan

::: editusers.cgi
@@ -274,2 @@
>              $otherUser->set_mfa('');
> -            Bugzilla->audit(sprintf('%s disabled 2FA for %s', $user->login, $otherUser->login));
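
Review bot: with the Bugzilla->audit(...) line removed directly after $otherUser->set_mfa(''), nothing visible at this call site records who disabled 2FA for whom. Since the patch description moves auditing into Bugzilla::User, leave a one-line comment here pointing to where the entry is now written, and check that the new entry still records both logins the way the removed sprintf('%s disabled 2FA for %s', ...) did.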

What's the reasoning behind removing the audit log entry?
Comment 8 Byron Jones ‹:glob› 2015-10-15 08:55:05 PDT
(In reply to Dylan William Hardison [:dylan] from comment #7)
> What's the reasoning behind removing the audit log entry?

i moved it to Bugzilla::User->update()
Comment 9 Byron Jones ‹:glob› 2015-10-20 04:31:53 PDT
i'm holding off committing this patch for now - we want to do a quick training session of the servicedesk staff first.
Comment 10 Byron Jones ‹:glob› 2015-10-29 09:05:09 PDT
we're good to go here now.

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   175f9c1..b6d9211  master -> master
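
The design discussed in comments 2, 7 and 8 (a dedicated group for disabling 2FA, with the check and the audit entry moved out of the CGI script into the user object's update step), sketched as an added example that is not Bugzilla's code. ToyUser, its methods, the actor argument to update() and the @AUDIT list are hypothetical stand-ins; only the group name bz_can_disable_mfa and the audit message format come from this bug.

```perl
use strict;
use warnings;

# Added illustration, not Bugzilla code: ToyUser and @AUDIT are hypothetical.
# It models one account having its 2FA reset by another account.
package ToyUser;

our @AUDIT;    # stand-in for the audit log sink

sub new {
    my ($class, %args) = @_;
    my %groups = map { ($_ => 1) } @{ $args{groups} || [] };
    my $mfa = $args{mfa} // '';
    return bless { login => $args{login}, mfa => $mfa, old_mfa => $mfa, groups => \%groups }, $class;
}
sub login    { $_[0]{login} }
sub in_group { $_[0]{groups}{ $_[1] } ? 1 : 0 }
sub set_mfa  { $_[0]{mfa} = $_[1] }

# The group check and the audit entry live in the model, so every caller
# that persists an MFA reset gets both, not just one CGI script.
sub update {
    my ($self, $actor) = @_;
    if ($self->{old_mfa} ne '' && $self->{mfa} eq '') {
        unless ($actor->in_group('bz_can_disable_mfa')) {
            $self->{mfa} = $self->{old_mfa};    # roll back the pending change
            die sprintf("%s may not disable 2FA for %s\n", $actor->login, $self->login);
        }
        push @AUDIT, sprintf('%s disabled 2FA for %s', $actor->login, $self->login);
    }
    $self->{old_mfa} = $self->{mfa};
    return $self;
}

package main;

# Constructed sample accounts.
my $desk   = ToyUser->new(login => 'desk@example.com', groups => ['bz_can_disable_mfa']);
my $other  = ToyUser->new(login => 'other@example.com');
my $target = ToyUser->new(login => 'dev@example.com', mfa => 'TOTP');

$target->set_mfa('');
eval { $target->update($other); 1 } or print "denied: $@";
$target->set_mfa('');
$target->update($desk);
print "audit: $_\n" for @ToyUser::AUDIT;
```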
