1221423 - unable to impersonate users when 2fa is enabled

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: General, defect)

Description

[:glob ✱]

unable to impersonate users when 2fa is enabled - the following error is displayed after providing the 2fa code:

> Your Bugzilla password is required to begin a sudo session. Please go back and enter your password.

Comment 1

[David Lawrence [:dkl]]

Attachment: 1221423_1.patch

Had to refactor how sudo works in relogin.cgi quite a bit to make this work with mfa unfortunately.

Comment 2

[:glob ✱]

Comment on attachment 8683453 [details] [diff] [review]
1221423_1.patch

Review of attachment 8683453 [details] [diff] [review]:
-----------------------------------------------------------------

::: relogin.cgi
@@ +103,5 @@
> +    my $crypt_password = $user->cryptpassword;
> +    if (!$mfa_token
> +        && (!$current_password
> +            || (bz_crypt($current_password, $crypt_password) ne $crypt_password)))
> +    {

passing a mfa_token param for a user that doesn't have mfa enabled bypasses the password check (because $mfa_token will be true, and $user->mfa will be false).

Comment 3

[David Lawrence [:dkl]]

Attachment: 1221423_2.patch

Thanks for the review. Hopefully logic is better in this version.

Comment 4

[:glob ✱]

Comment on attachment 8683734 [details] [diff] [review]
1221423_2.patch

Review of attachment 8683734 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob

Comment 5

[David Lawrence [:dkl]]

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4c8b7b1..4f66eb9  master -> master

Comment 6

[David Lawrence [:dkl]]

Fix test bustage

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   4f66eb9..2038430  master -> master