Skip to content

Commit

Permalink
Merge pull request #3844 from open-formulieren/issue/3049-replace-2fa…
Browse files Browse the repository at this point in the history
…-library

Replace 2fa solution
  • Loading branch information
sergei-maertens authored Feb 7, 2024
2 parents fa9daad + 34491b3 commit 9223c82
Show file tree
Hide file tree
Showing 63 changed files with 375 additions and 265 deletions.
3 changes: 0 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -265,9 +265,6 @@ jobs:
DB_USER: postgres
DB_PASSWORD: ''
E2E_DRIVER: ${{ matrix.browser }}
# with 2FA enabled, *for some reason* this doesn't work on CI -> can't find
# the inputs
TWO_FACTOR_PATCH_ADMIN: 'no'
SDK_RELEASE: ${{ steps.sdk-tag.outputs.sdk_tag }}

docs:
Expand Down
5 changes: 5 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,11 @@ the time of writing, such a version has not been released yet.
.. todo:: At release time (2.6.0), check if we need to gate this functionality behind a
feature flag to prevent issues.

The ``TWO_FACTOR_FORCE_OTP_ADMIN`` and ``TWO_FACTOR_PATCH_ADMIN`` environment variables
are removed. Disabling MFA in the admin is no longer possible. Note that the OIDC
login backends do not require (additional) MFA in the admin and we've added support for
hardware tokens (like the YubiKey) which make MFA less of a nuisance.

2.5.2 (2024-02-06)
==================

Expand Down
2 changes: 0 additions & 2 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -70,8 +70,6 @@ services:
- CELERY_RESULT_BACKEND=redis://redis:6379/0
- CELERY_LOGLEVEL=DEBUG
- OPENFORMS_LOCATION_CLIENT=${OPENFORMS_LOCATION_CLIENT:-openforms.contrib.bag.client.BAGClient}
- TWO_FACTOR_FORCE_OTP_ADMIN=0
- TWO_FACTOR_PATCH_ADMIN=0
- CORS_ALLOW_ALL_ORIGINS=${CORS_ALLOW_ALL_ORIGINS:-true}
- EMAIL_HOST=smtp
# Needed for Celery Flower to match the TIME_ZONE configured in the
Expand Down
7 changes: 1 addition & 6 deletions docs/developers/backend/tests.rst
Original file line number Diff line number Diff line change
Expand Up @@ -83,12 +83,7 @@ After installing the dependencies, install the browsers locally:

.. code-block:: bash
TWO_FACTOR_PATCH_ADMIN=no python src/manage.py test src --tag=e2e
.. note:: When the admin is monkeypatched to enable 2FA behaviour, it's been observed
that the end to end tests fail to run/complete properly. Disabling this via your
local settings or the environment variable ``TWO_FACTOR_PATCH_ADMIN=no`` mitigates
this.
python src/manage.py test src --tag=e2e
**Configuration**

Expand Down
6 changes: 0 additions & 6 deletions docs/installation/config.rst
Original file line number Diff line number Diff line change
Expand Up @@ -316,12 +316,6 @@ Other settings
`upstream documentation <https://www.django-rest-framework.org/api-guide/settings/#num_proxies>`_
for more context. Defaults to ``1``.

* ``TWO_FACTOR_FORCE_OTP_ADMIN``: Enforce 2 Factor Authentication in the admin or not.
Default ``True``. You'll probably want to disable this when using OIDC.

* ``TWO_FACTOR_PATCH_ADMIN``: Whether to use the 2 Factor Authentication login flow for
the admin or not. Default ``True``. You'll probably want to disable this when using OIDC.

* ``FORMS_EXPORT_REMOVED_AFTER_DAYS``: The number of days after which zip files of exported forms should be deleted.
Defaults to 7 days.

Expand Down
16 changes: 5 additions & 11 deletions docs/installation/security.rst
Original file line number Diff line number Diff line change
Expand Up @@ -191,17 +191,11 @@ The internal URLs are:
Two-factor auth
===============

By default, the admin interface requires two-factor authentication using OTP. We only
encourage disabling this when you are using single-sign-on via OIDC instead of username
+ password authentication.

The recommended settings are:

.. code-block:: bash
TWO_FACTOR_FORCE_OTP_ADMIN=True
TWO_FACTOR_PATCH_ADMIN=True
The admin interface requires two-factor authentication using OTP (using Microsoft or
Google's Authenticator app) or hardware tokens such as YubiKeys. If you use a single
sign on solution (e.g. Keycloak OIDC, Azure AD OIDC...), it is assumed that the second
factor is enforced on those products and staff users do not need to provide an
additional second factor in Open Forms.

.. _installation_config_webserver:

Expand Down
5 changes: 3 additions & 2 deletions dotenv.example
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,6 @@ DB_USER=open-forms
DB_PASSWORD=""
DB_HOST=""

TWO_FACTOR_PATCH_ADMIN=no
TWO_FACTOR_FORCE_OTP_ADMIN=no
# LANGUAGE_CODE=nl
#CORS_ALLOW_ALL_ORIGINS=yes
# CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8000
Expand All @@ -32,3 +30,6 @@ TWO_FACTOR_FORCE_OTP_ADMIN=no
# Recording Suwinet VCR cassettes
# SUWINET_CLIENT_KEY=/path/to/privatekey.pem
# SUWINET_BASE_URL=https://url/of/gateway/suwiml

# Applies to dev settings module only!
DISABLE_2FA=yes
3 changes: 1 addition & 2 deletions requirements/base.in
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ html5lib
--no-binary lxml
lxml
O365 # microsoft graph
phonenumbers
Pillow # handle images
portalocker[redis]
psycopg2 # database driver
Expand Down Expand Up @@ -62,7 +61,7 @@ django-tinymce
django-treebeard
django-yubin
mozilla-django-oidc-db
maykin-django-two-factor-auth[phonenumbers]
maykin-2fa
django-timeline-logger
django-csp
django-csp-reports
Expand Down
31 changes: 20 additions & 11 deletions requirements/base.txt
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ ape-pie==0.1.0
# zgw-consumers
asgiref==3.5.0
# via django
asn1crypto==1.5.1
# via webauthn
async-timeout==4.0.2
# via redis
attrs==20.3.0
Expand All @@ -35,6 +37,8 @@ boltons==21.0.0
# glom
brotli==1.1.0
# via fonttools
cbor2==5.6.1
# via webauthn
celery==5.2.7
# via
# -r requirements/base.in
Expand Down Expand Up @@ -78,6 +82,7 @@ cryptography==42.0.2
# josepy
# mozilla-django-oidc
# pyopenssl
# webauthn
cssselect2==0.7.0
# via weasyprint
defusedxml==0.7.1
Expand Down Expand Up @@ -116,13 +121,14 @@ django==3.2.24
# django-solo
# django-timeline-logger
# django-treebeard
# django-two-factor-auth
# djangorestframework
# drf-jsonschema-serializer
# drf-nested-routers
# drf-polymorphic
# drf-spectacular
# mail-cleaner
# maykin-django-two-factor-auth
# maykin-2fa
# mozilla-django-oidc
# mozilla-django-oidc-db
# sentry-sdk
Expand Down Expand Up @@ -159,7 +165,7 @@ django-digid-eherkenning==0.10.0
django-filter==23.2
# via -r requirements/base.in
django-formtools==2.3
# via maykin-django-two-factor-auth
# via django-two-factor-auth
django-hijack==3.4.1
# via -r requirements/base.in
django-ipware==5.0.0
Expand All @@ -176,10 +182,10 @@ django-ordered-model==3.6
# via
# -r requirements/base.in
# django-admin-index
django-otp==1.0.6
# via maykin-django-two-factor-auth
django-otp==1.3.0
# via django-two-factor-auth
django-phonenumber-field==5.2.0
# via maykin-django-two-factor-auth
# via django-two-factor-auth
django-privates==1.5.0
# via
# -r requirements/base.in
Expand Down Expand Up @@ -211,6 +217,8 @@ django-tinymce==3.6.1
# via -r requirements/base.in
django-treebeard==4.7
# via -r requirements/base.in
django-two-factor-auth[phonenumberslite,webauthn]==1.16.0
# via maykin-2fa
django-yubin==2.0.2
# via -r requirements/base.in
djangorestframework==3.14.0
Expand Down Expand Up @@ -303,7 +311,7 @@ mail-cleaner==1.2.0
# via -r requirements/base.in
mail-parser==3.15.0
# via django-yubin
maykin-django-two-factor-auth[phonenumbers]==2.0.4
maykin-2fa==1.0.0
# via -r requirements/base.in
maykin-json-logic-py==0.13.0
# via -r requirements/base.in
Expand Down Expand Up @@ -331,10 +339,8 @@ packaging==23.1
# via prance
pathable==0.4.3
# via jsonschema-spec
phonenumbers==8.12.29
# via
# -r requirements/base.in
# maykin-django-two-factor-auth
phonenumberslite==8.13.29
# via django-two-factor-auth
pillow==10.2.0
# via
# -r requirements/base.in
Expand Down Expand Up @@ -363,6 +369,7 @@ pyopenssl==24.0.0
# django-simple-certmanager
# josepy
# maykin-python3-saml
# webauthn
# zgw-consumers
pyphen==0.10.0
# via weasyprint
Expand Down Expand Up @@ -396,7 +403,7 @@ pyyaml==6.0.1
# gemma-zds-client
# jsonschema-spec
qrcode==6.1
# via maykin-django-two-factor-auth
# via django-two-factor-auth
redis==4.5.4
# via
# celery-once
Expand Down Expand Up @@ -494,6 +501,8 @@ wcwidth==0.2.5
# via prompt-toolkit
weasyprint==60.1
# via -r requirements/base.in
webauthn==2.0.0
# via django-two-factor-auth
webencodings==0.5.1
# via
# bleach
Expand Down
43 changes: 33 additions & 10 deletions requirements/ci.txt
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,11 @@ asgiref==3.5.0
# -c requirements/base.txt
# -r requirements/base.txt
# django
asn1crypto==1.5.1
# via
# -c requirements/base.txt
# -r requirements/base.txt
# webauthn
async-timeout==4.0.2
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -67,6 +72,11 @@ brotli==1.1.0
# -c requirements/base.txt
# -r requirements/base.txt
# fonttools
cbor2==5.6.1
# via
# -c requirements/base.txt
# -r requirements/base.txt
# webauthn
celery==5.2.7
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -143,6 +153,7 @@ cryptography==42.0.2
# josepy
# mozilla-django-oidc
# pyopenssl
# webauthn
cssselect==1.1.0
# via pyquery
cssselect2==0.7.0
Expand Down Expand Up @@ -189,13 +200,14 @@ django==3.2.24
# django-solo
# django-timeline-logger
# django-treebeard
# django-two-factor-auth
# djangorestframework
# drf-jsonschema-serializer
# drf-nested-routers
# drf-polymorphic
# drf-spectacular
# mail-cleaner
# maykin-django-two-factor-auth
# maykin-2fa
# mozilla-django-oidc
# mozilla-django-oidc-db
# sentry-sdk
Expand Down Expand Up @@ -264,7 +276,7 @@ django-formtools==2.3
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
# django-two-factor-auth
django-hijack==3.4.1
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -294,16 +306,16 @@ django-ordered-model==3.6
# -c requirements/base.txt
# -r requirements/base.txt
# django-admin-index
django-otp==1.0.6
django-otp==1.3.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
# django-two-factor-auth
django-phonenumber-field==5.2.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
# django-two-factor-auth
django-privates==1.5.0
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -356,6 +368,12 @@ django-treebeard==4.7
# via
# -c requirements/base.txt
# -r requirements/base.txt
django-two-factor-auth[phonenumberslite,webauthn]==1.16.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
# django-two-factor-auth
# maykin-2fa
django-webtest==1.9.7
# via -r requirements/test-tools.in
django-yubin==2.0.2
Expand Down Expand Up @@ -559,11 +577,10 @@ markdown==3.3.4
# via sphinx-markdown-tables
markupsafe==2.1.2
# via jinja2
maykin-django-two-factor-auth[phonenumbers]==2.0.4
maykin-2fa==1.0.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
maykin-json-logic-py==0.13.0
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -638,11 +655,11 @@ pathspec==0.9.0
# via black
pep8==1.7.1
# via -r requirements/test-tools.in
phonenumbers==8.12.29
phonenumberslite==8.13.29
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
# django-two-factor-auth
pillow==10.2.0
# via
# -c requirements/base.txt
Expand Down Expand Up @@ -715,6 +732,7 @@ pyopenssl==24.0.0
# django-simple-certmanager
# josepy
# maykin-python3-saml
# webauthn
# zgw-consumers
pyphen==0.10.0
# via
Expand Down Expand Up @@ -779,7 +797,7 @@ qrcode==6.1
# via
# -c requirements/base.txt
# -r requirements/base.txt
# maykin-django-two-factor-auth
# django-two-factor-auth
recommonmark==0.7.1
# via -r requirements/docs.in
redis==4.5.4
Expand Down Expand Up @@ -1006,6 +1024,11 @@ weasyprint==60.1
# via
# -c requirements/base.txt
# -r requirements/base.txt
webauthn==2.0.0
# via
# -c requirements/base.txt
# -r requirements/base.txt
# django-two-factor-auth
webencodings==0.5.1
# via
# -c requirements/base.txt
Expand Down
Loading

0 comments on commit 9223c82

Please sign in to comment.