delegate password and 2fa resets to servicedesk

RESOLVED FIXED

Status

bugzilla.mozilla.org
General
2 years ago
2 years ago

People

(Reporter: glob, Assigned: glob)

Tracking

Production

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

2 years ago
in order to centralise identity verification we're going to delegate security-group password and 2fa resets to servicedesk.

we need to:
- change the email address in the "you need to contact us to reset your password" from bmo-admin to servicedesk
- change the "can disable 2fa" group from admin to a new group
- create a new "servicedesk" group, owned by mpoessy

Comment 1

And how do you deal with non-MoCo employees who don't have access to servicedesk?
(Assignee)

Comment 2

2 years ago
Created attachment 8672497 [details] [diff] [review]
1213757_1.patch

- add bz_can_disable_mfa group
- move mfa checks and auditing from editusers to Bugzilla::User
- update contact email address in SecureMail
Attachment #8672497 - Flags: review?(dylan)
(Assignee)

Comment 3

2 years ago
(In reply to Reed Loden [:reed] (use needinfo?) from comment #1)
> And how do you deal with non-MoCo employees who don't have access to
> servicedesk?

servicedesk will forward the request to the bmo admins to take action.
(Assignee)

Comment 4

2 years ago
i've created and populated the 'servicedesk' group.

Comment 5

Comment on attachment 8672497 [details] [diff] [review]
1213757_1.patch

Review of attachment 8672497 [details] [diff] [review]:
-----------------------------------------------------------------

This one also conflicted with the duo patch as well. After working around that it seems mostly sane though.
Attachment #8672497 - Flags: review?(dylan)
Attachment #8672497 - Flags: review-
Attachment #8672497 - Flags: feedback+
(Assignee)

Comment 6

2 years ago
Created attachment 8673484 [details] [diff] [review]
1213757_2.patch
Attachment #8672497 - Attachment is obsolete: true
Attachment #8673484 - Flags: review?(dylan)

Comment 7

Comment on attachment 8673484 [details] [diff] [review]
1213757_2.patch

Review of attachment 8673484 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

::: editusers.cgi
@@ -274,2 @@
>              $otherUser->set_mfa('');
> -            Bugzilla->audit(sprintf('%s disabled 2FA for %s', $user->login, $otherUser->login));
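
Review bot: the deleted Bugzilla->audit(...) line directly after $otherUser->set_mfa('') was the only record visible here of who disabled 2FA for whom, and nothing in this hunk replaces it. If the entry is now written by shared code, it should still name both the acting user ($user->login) and the affected account ($otherUser->login), and a short comment at this call site saying where the audit now happens would save the next reader the same question.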

What's the reasoning behind removing the audit log entry?
Attachment #8673484 - Flags: review?(dylan) → review+
(Assignee)

Comment 8

2 years ago
(In reply to Dylan William Hardison [:dylan] from comment #7)
> What's the reasoning behind removing the audit log entry?

i moved it to Bugzilla::User->update()
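
The relocation described in comment 8, sketched as an added example (not code from the patch or from Bugzilla): the permission check and the audit entry live in the model's update(), so no caller can clear another account's 2FA without both. Demo::User, its methods and the in-memory log are hypothetical; only the bz_can_disable_mfa group name and the audit message format come from this page.

```perl
use strict;
use warnings;

package Demo::User;    # hypothetical class, not Bugzilla::User

my @AUDIT;             # in-memory stand-in for the audit log

sub new {
    my ($class, %args) = @_;
    return bless { login => $args{login}, mfa => $args{mfa} || '',
                   groups => $args{groups} || [] }, $class;
}
sub login     { return $_[0]{login} }
sub in_group  { my ($self, $g) = @_; return scalar(grep { $_ eq $g } @{ $self->{groups} }) }
sub audit_log { return @AUDIT }

# The setter only stages the change; nothing is checked or logged yet.
sub set_mfa { my ($self, $value) = @_; $self->{pending_mfa} = $value; return $self }

# update() is the single choke point: it authorizes the actor and writes the
# audit entry, so an admin page, an API handler or a script are all covered.
sub update {
    my ($self, $actor) = @_;
    return 0 unless exists $self->{pending_mfa};
    my $new = delete $self->{pending_mfa};
    return 0 if $new eq $self->{mfa};
    # Assumption: only clearing someone else's 2FA needs the delegated group.
    if ($new eq '' && $actor->login ne $self->login) {
        die sprintf("%s may not disable 2FA for %s\n", $actor->login, $self->login)
            unless $actor->in_group('bz_can_disable_mfa');
        push @AUDIT, sprintf('%s disabled 2FA for %s', $actor->login, $self->login);
    }
    $self->{mfa} = $new;
    return 1;
}

package main;

# Constructed accounts: a target with 2FA on, a delegate, an unprivileged user.
my $target = Demo::User->new(login => 'target@example.com', mfa => 'TOTP');
my $desk   = Demo::User->new(login => 'desk@example.com', groups => ['bz_can_disable_mfa']);
my $other  = Demo::User->new(login => 'other@example.com');

eval { $target->set_mfa('')->update($other); 1 } or print "denied: $@";
$target->set_mfa('')->update($desk);
print "$_\n" for Demo::User::audit_log();
```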
(Assignee)

Comment 9

2 years ago
i'm holding off committing this patch for now - we want to do a quick training session of the servicedesk staff first.
(Assignee)

Comment 10

2 years ago
we're good to go here now.

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   175f9c1..b6d9211  master -> master
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED