Closed Bug 898176 Opened 11 years ago Closed 11 years ago

Deploy MozIdP with P3P header code for IE and security fixes

Categories

(Cloud Services :: Operations: Miscellaneous, task)

Platform: x86
OS: macOS
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mostlygeek, Assigned: mostlygeek)


Details

(Whiteboard: [qa+])

New code was added to MozIdP to handle P3P issues with IE and its default security levels.
Updated bug to also include the new security fixes: 

- when user changes their password in LDAP
- *and* their BrowserID certificate has expired (5 minutes) they will be prompted to reauthenticate to moz-idp again. 

For QA (:kthiessen) to make things easier

- get a temporary LDAP user from Infra
- log in w/ this user to moz-idp
- change the LDAP password
- wait 5 minutes
- log in again w/ user, it *should* prompt you for the new password again

Changes from previous behaviour: 

- before, the user would stay logged in for 24 hours, regardless of whether they changed their password
Summary: Deploy new version of MozIdP with P3P header code for IE → Deploy MozIdP with P3P header code for IE and security fixes
Blocks: 901115
Hi, 

:jrgm found some bugs with the current staging version. They are:

- C based crypto libraries were no longer being used. They are now. Didn't affect functionality other than things were slow. 
- useragent library upgraded to 2.0.7 to detect IE11. This won't affect things for a while but it's good to be in sync with BrowserId. 

I'm going to push out a new staging server with these changes so we can Q/A a version that is meant to be in prod.
:kthiessen I pushed out a new staging server with the latest code changes. Everything should be working the same, albeit a little faster. Let me know if there are any issues.
Whiteboard: [qa+]
[Including this as a comment rather than a separate bug because of security implications.]


According to https://mana.mozilla.org/wiki/display/SVCOPS/Mozilla+IDP#MozillaIDP-HowLDAPpasswordchangesaffectPersonasignin%3F (as of 2013-08-02 Mon 14:30):

<blockquote><pre>
How LDAP password changes affect Persona sign in?

These settings are currently in Q/A and will be released into production soon. ...

Persona / browserId is designed to be decentralized. Once the user has their certificate from the Mozilla IdP server, the browser won't come back until the issued certificate expires. After the certificate has expired the IdP will automatically issue a new certificate or request the user sign in again.

So we set up the following limits:

    Persona certificates expire after 5 minutes.
    An encrypted cookie is set with a 90 day expiry to match Mozilla's LDAP password policy. The cookie contains:
        the user's email address
        the time of their last password change from LDAP

When the browser comes back for a new certificate the IdP will check LDAP to ensure that:

    the secure cookie exists
    their account is not disabled
    the last password change time matches

If all of those conditions match then a new certificate is automatically issued. Otherwise the user is presented with the login window again.
</pre></blockquote>
 

Accordingly, I did the following:

1. Log into beta.123done.org with an LDAP account.
2. Arrange to have Jen Hayashi [:nej] disable the account.
3. Wait 5 minutes.
4. Hit reload.

Expected:

1. I would be logged out and faced with the login dialog.

Actual:

1. I was still logged in.

:mostlygeek seems to think the password change is necessary.  By my reading of the spec, it is not.   I'm leaving the documentation here in the bug, and we'll thumb-wrestle over results.
Using the password-change flow doesn't seem to work for Catalin, either:

https://github.com/mozilla/vinz-clortho/issues/113
I went in and fixed the bug that was causing changed passwords to not trigger a re-auth. Pushed a new staging server, and it is ready for Q/A again. 

So my test process: 

1. log into beta.123done.org w/ mozidptest@login.allizom.org
2. logout
3. change ldap pw with: https://ldap.mozilla.org/passwordreset/
4. wait 3 minutes for cert to expire (3min is the minimum cert time)
5. attempt to use persona to log in. 
6. got the user/pass window. \o/

Please ping me for the LDAP testing account: mozidptest@mozilla.com, so you don't have to ask IT for another one.
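The renewal check described in the quoted design notes (5-minute certificates, a long-lived session cookie carrying the email and last LDAP password-change time, and a fresh LDAP lookup before any silent renewal), together with the QA flow in the comment above, as an added, self-contained example. This is not MozIdP's (vinz-clortho's) code. It assumes an in-memory dict standing in for LDAP, constructed timestamps and a constructed server key; the cookie here is HMAC-signed rather than encrypted, which is enough to show the tamper and expiry checks but not the confidentiality the design calls for.

```python
import base64
import hashlib
import hmac
import json

COOKIE_TTL = 90 * 24 * 3600   # 90 days, the LDAP password-policy window in the design notes
CERT_TTL = 5 * 60             # 5-minute BrowserID certificate lifetime
COOKIE_KEY = b"constructed-example-key-not-for-production"  # assumption: server-side secret


def issue_cookie(email, directory, now):
    """Set at interactive login: records who logged in and when their LDAP password last changed."""
    claims = {"email": email, "pwd_changed": directory[email]["pwd_changed"], "issued": now}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def read_cookie(cookie, now):
    """Return the cookie claims, or None if the cookie is missing, tampered with, or past 90 days."""
    if not cookie:
        return None
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except (ValueError, TypeError):
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now - claims["issued"] > COOKIE_TTL:
        return None
    return claims


def certificate_expired(cert_issued, now):
    """The browser only returns to the IdP once the certificate it holds has expired."""
    return now - cert_issued >= CERT_TTL


def renewal_decision(cookie, directory, now):
    """What the IdP does when a browser comes back for a new certificate.

    Returns ("issue", reason) for a silent renewal, or ("login", reason) when the
    user must be shown the login window again."""
    claims = read_cookie(cookie, now)
    if claims is None:
        return ("login", "no valid session cookie")
    entry = directory.get(claims["email"])   # stand-in for the LDAP lookup
    if entry is None:
        return ("login", "account not found in LDAP")
    if entry["disabled"]:
        return ("login", "account disabled")
    if entry["pwd_changed"] != claims["pwd_changed"]:
        return ("login", "LDAP password changed since the session cookie was issued")
    return ("issue", "cookie valid and LDAP state unchanged")


def qa_password_change_flow():
    """Replays the QA procedure: log in, change the LDAP password, wait out the certificate.

    Returns the outcome three minutes after the change (certificate still cached, IdP
    not contacted) and the IdP's decision once the certificate has expired."""
    t0 = 1_375_500_000  # constructed login time
    email = "mozidptest@example.com"
    directory = {email: {"pwd_changed": 1_375_000_000, "disabled": False}}
    cookie = issue_cookie(email, directory, t0)
    cert_issued = t0
    directory[email]["pwd_changed"] = t0 + 120   # password reset two minutes after login
    before = ("reuse", "certificate still valid, IdP not contacted")
    if certificate_expired(cert_issued, t0 + 180):
        before = renewal_decision(cookie, directory, t0 + 180)
    after = renewal_decision(cookie, directory, t0 + CERT_TTL)
    return before, after


if __name__ == "__main__":
    print(qa_password_change_flow())
```

The cookie timestamp is compared for equality, not ordering, so a password change that somehow moved the LDAP timestamp backwards still forces a login; and because the IdP is only consulted once the certificate expires, a disabled account or changed password takes up to CERT_TTL to bite, which is the "wait 5 minutes" step in the QA flow.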
Blocks: 907846
Additionally, if the LDAP password is not changed, you should be able to sign in w/ Persona without user/pass for 24 hrs.
The flow outlined above looks good.  Sorry for the delays; the LDAP failure yesterday and some timing issues today delayed the end of testing.

:mostlygeek, you may push this to production, assuming any co-ordination you need to do with :gene or other Ops folks is done.
:mostlygeek, you said to me in IRC that this would go to production on Friday, which would be 2013-08-30.  Could you confirm that here in the bug, so we can get wider visibility of status?
:kthiessen it was my bad. 

Friday is a bad day to deploy new code, especially into a very visible tool like our IdP. If QA has time to test the latest version of stage, we can schedule our change window for next Tuesday/Wednesday with all the latest features that address other usability issues. 

If not, then we'll release this version without the UX enhancements.
QA approves this code as part of rel2013_09_09.15.45.21 to go to production.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Old deployment -- marking VERIFIED.
Status: RESOLVED → VERIFIED