Add functionality to limit MFA to specific user groups #409
Conversation
scott-nz
force-pushed
the
feature/restrict-to-group
branch
from
3881b50
to
638b420
Compare
|
Raised a little PR to fix the failing build: #410 |
Good point. There are scenarios where we prioritise a user's preference for MFA over global settings, an example being: having the minimum setting as being 'Optional' and allowing users to register before it's something that's enforced, letting them prioritise their user security before an administrator enforces it. IMO the same could be said here - have the user keep the MFA credentials after they are moved from an assigned group. Assuming the user still has some form of access to their CMS profile section (or another custom area to manage their MFA), it would still be possible to manually remove their registered MFA devices as required. |
Chiming in from the decisions we made building this; I completely agree with Bryn here. We allow admins to make suggestions/enforcements around requiring MFA, but whether a user has the autonomy to set up their own MFA, and keep using it once they've set it up ideally should not be affected by administrators - that's sort of inherently insecure. MFA should always show if you've set it up. I think there is an edge case that we begrudgingly put in this module to globally disable - although we suggested the solution for that was to just uninstall the module IIRC. |
|
That's a really good PR, thanks for contributing that @scott-nz! Plus one to what @ScopeyNZ said. Apart from that I'm posting the merge checklist below. Here's the merge checklist before we merge:
|
|
Just had a look at what's going on with the broken Behat test, and it appears to be something unrelated to this PR. Scenario: I can set MFA to be required # tests/Behat/features/mfa-enabled.feature:11
Given I go to "/admin/settings" # SilverStripe\Framework\Tests\Behaviour\FeatureContext::visit()
And I click the "Access" CMS tab # SilverStripe\Framework\Tests\Behaviour\CmsUiContext::iClickTheCmsTab()
Then I should see "Multi-factor authentication (MFA)" # SilverStripe\Framework\Tests\Behaviour\FeatureContext::assertPageContainsText()
When I select "MFA is required for everyone" from the MFA settings # SilverStripe\MFA\Tests\Behat\Context\LoginContext::iSelectFromTheMfaSettings()
And I press "Save" # SilverStripe\Framework\Tests\Behaviour\FeatureContext::pressButton()
Saving screenshot into /silverstripe-mfa/artifacts/screenshots/mfa-enabled.feature_17.png
Then I should see "Saved" # SilverStripe\Framework\Tests\Behaviour\FeatureContext::assertPageContainsText()
The text "Saved" was not found anywhere in the text of the current page. (Behat\Mink\Exception\ResponseTextException)The error message is:
|
|
Is it related to Maxime's work to Reactify the toast notifications? I think things like this should be fixed here. If it is related, maybe ask Max for a solution? |
|
The Save button functionality will be taking slightly longer now as there is now a many many relation that needs processing. This will be resulting in it taking longer for the notification to appear. |
Ok, I've just tested it and "wait" for 2 seconds fixed the issue on my localhost. Interesting... |
|
Lol, I think I've figured it out. Indeed, testsession makes sure it doesn't go on to the next step in case there are any pending requests to the server. However, looks like that check happens before the |
|
I believe that you can use |
|
Could be a side effect of the toast notification. I don't think |
That seems to work. I'm not sure it addresses the problem of async button, but I guess if it works, we could just go with it for now. @scott-nz would you like to update the test? |
scott-nz
force-pushed
the
feature/restrict-to-group
branch
3 times, most recently
from
aec7e0d
to
5671026
Compare
|
PR change requests made |
scott-nz
force-pushed
the
feature/restrict-to-group
branch
from
5f08b93
to
0f64f6c
Compare
|
cc @silverstripeux - a little enhancement that you'll be interested in :) |
|
Will check this out when @dnsl48 can demo it for PUX locally. |
|
Some UX feedback from @sachajudd Currently we have the field implemented like that (the bottom field is the new one from this PR):
However, it's inconsistent with the other fields we have on the page. E.g. let's consider the field "Who can edit pages on this site?". There are two radios and the field with list of groups shows up only when we choose the second radio.
The radio options may look like "MFA Required for all groups" and "MFA Required for Only these groups (choose from list)" |
|
@sachajudd
new field positioned after the Do you think that a note should be added stating that changing these settings will have no effect on users who have already successfully set up MFA? |
|
Hey @scott-nz, PUX has gone away and had another chat about this. We think it would be better to implement 3 radio options. Here's a quick mock up we are thinking: Let us know what you think. Noting here PUX will also raise a separate issue regarding an enhancement for the date field to be required. More information to come about this. Issue: # |
|
Hi @sachajudd, the suggested implementation will prevent a client from being able to enable MFA for specific groups but only make it optional, this seems like a feature regression. |
|
I've set up a meeting to discuss this early next week together, let's follow up back here once we've talked over the designs 🙂 |
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
13e686f
to
16c06b1
Compare
|
I've changed the target branch to |
|
I would have preferred that when MFA is "required" for specific groups, it would still be optional for everyone else so that they can opt-in to securing their account - this is what was suggested in this comment. There is still some outstanding action required as mentioned in this comment - I will action these changes so that the PR is fully ready for review, and then add it to our peer review column to be reviewed by another member of the team. |
|
I was having a problem where if I tried to sign in as a user who is not in the assigned group, I could not sign in at all. It would just keep redirecting me to the login form saying I must be logged in, and to enter my credentials. This is because I've made a change that fixes this specific scenario by amending the logic in I think that because of this, this change should be done in a new major release, where I'm just fleshing out the test coverage a bit more so I've set it to draft until I've finished with that. |
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
16c06b1
to
91e1089
Compare
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
91e1089
to
4c2396c
Compare
|
In addition to the above, I have:
|
|
@scott-nz I hope you don't mind me taking over the PR by the way - if you'd like to continue working on it I'll be happy to let you do so, I just figured this was the quickest way to get this over the line so it can finally get merged. |
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
4c2396c
to
b0a9f75
Compare
|
@GuySartorelli Happy with you taking over. It's good to see it progressing, I don't have the capacity / availability to get finish this off at the moment. |
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
b0a9f75
to
2cb929f
Compare
|
@GuySartorelli thanks for the updates I was thinking that this PR may have been superseded by CMS 5 enhancement around user access. One thing that might be OK to include is extension points so new logic can be added when developers extend this functionality |
User access is very different from who can register MFA for their account, so it's still a valuable enhancement.
Extension points sound like a great enhancement for a separate PR. :p I'm trying to get the existing feature enhancement over the line, so any added scope beyond what was already requested in existing comments in this PR is explicitly out of scope. |
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
2 times, most recently
from
4d7c5a2
to
73531c0
Compare
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
73531c0
to
18bed87
Compare
|
@GuySartorelli Merge conflict |
If a user has already registered for MFA, enforce use of it even if they are not in an MFA group Co-authored-by: Guy Marriott <guy.the.person@gmail.com>
GuySartorelli
force-pushed
the
feature/restrict-to-group
branch
from
18bed87
to
50578bb
Compare
|
Conflict resolved |
@GuySartorelli Could you confirm what the user experience is for people not in a required group?
|
If a group (or groups) is selected and the user is not in that group, the user will not be prompted to use MFA at all unless they had already previously registered an MFA method for their account.
No, I don't think so. This is as discussed in the comments above - there was a lot of discussion about how this should behave, and the consensus ended up being that if a group is selected, only members in that group should have any interaction with MFA (unless they already registered an MFA method for their account). |
|
Sorry slightly I meant a slightly different thing (although may this is how you interpreted it) - the FIRST time a new user logs in BEFORE they had a chance to sign up for MFA they get this prompt:
I suppose if you're saying that they CANNOT signup for MFA in their profile then logically they won't get this prompt I'm guess I'm OK with them not being prompted to sign-up for MFA (though I'd still prefer it) though I really dislike them NOT being able to enable MFA via their profile at all - you should at least have the option to secure your own account. If I understand this correctly and this is how this work in this PR, given the discussion/consensus was 3 years ago I think at very least we should pop this one in the backlog for refinement and have a discussion to confirm this is the behavior we want |
That's correct, yes.
I'm working based off the decisions and consensus that was made on this issue already, which is that if a group is added, members who are not in that group cannot sign up for MFA at all. If they can sign up by modifying their profile, then I am strongly of the opinion that they should be given the (optional, if they're not in the group) prompt to register MFA when they log in. And in that case, we go back to the design that was suggested in #409 (comment) and which was later rejected.
I guess so. I'll put it back in the backlog. I was kinda hoping to get this one over the line but sounds like people will have to wait a while yet for this functionality to be added in any capacity. |
|
I'm marking this as DRAFT in the meantime, pending yet another discussion about how this should behave. |
FWIW I felt like the consensus is that individuals should not have the ability to register MFA removed. This PR should only affect who is required to have MFA on their account, and not affect who can even set it up at all. To me, anything but this make very little sense to me as the default behaviour of this module. If you want to have MFA, but not make it available to some users, you can extend the module for your weird business logic yourself. However, I don't agree that we should force the "do you want MFA" prompt on users as default behaviour. |
#398
AC: CMS admin can set which groups will have MFA enabled.
AC: If no groups are selected, MFA is enabled for all users
AC: MFA workflow is enabled for Members who belong to at least one of the selected groups
AC: MFA workflow is bypassed if the Member does not belong to any of the selected groups.
Further discussion is required around the expected behaviour if a user was part of a selected group and has set up MFA but is no longer a member of any of the selected groups.It has been agreed that if a user has already registered for MFA, they should continue logging in with MFA even if the rules change to only enable MFA for a group they are not a part of. This would cover a situation where a users access is downgraded or an entire group is removed from the list of MFA enabled groups.