authorDylan William Hardison <dylan@hardison.net>2017-09-15 22:13:18 +0200
committerGitHub <noreply@github.com>2017-09-15 22:13:18 +0200
commit78ad8c0d088aa95ec1bd7eadea45ffdba05d907e (patch)
tree7a218af5d9a553a51b8ddc9a9d609772603fd615 /Bugzilla.pm
parente9adcde4648b54db8d40f314ca938dca5080bb9c (diff)
Bug 1364233 - Add setting to force a group to require MFA and restrict users in that group who have not enabled MFA
Diffstat (limited to 'Bugzilla.pm')
-rw-r--r--Bugzilla.pm40
1 files changed, 34 insertions, 6 deletions
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 0ffd63e04..2e105e0f5 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -383,21 +383,49 @@ sub login {
# At this point, we now know if a real person is logged in.
# Check if a password reset is required
- if ($authenticated_user->password_change_required) {
+ my $cgi = Bugzilla->cgi;
+ if ( $authenticated_user->password_change_required ) {
+
# We cannot show the password reset UI for API calls, so treat those as
# a disabled account.
- if (i_am_webservice()) {
- ThrowUserError("account_disabled", { disabled_reason => $authenticated_user->password_change_reason });
+ if ( i_am_webservice() ) {
+ ThrowUserError( "account_disabled", { disabled_reason => $authenticated_user->password_change_reason } );
}
# only allow the reset-password and token pages to handle requests
# (tokens handles the 'forgot password' process)
# otherwise redirect user to the reset-password page.
- if ($ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$#) {
- print Bugzilla->cgi->redirect('reset_password.cgi');
+ if ( $ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$# ) {
+ print $cgi->redirect('reset_password.cgi');
exit;
}
}
+ elsif ( !i_am_webservice() && $authenticated_user->in_mfa_group && !$authenticated_user->mfa ) {
+
+ # decide if the user needs a warning or to be blocked.
+ my $date = $authenticated_user->mfa_required_date('UTC');
+ my $grace_period = Bugzilla->params->{mfa_group_grace_period};
+ my $expired = defined $date && $date < DateTime->now;
+ my $on_mfa_page = $cgi->script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
+
+ Bugzilla->request_cache->{mfa_warning} = 1;
+ Bugzilla->request_cache->{mfa_grace_period_expired} = $expired;
+ Bugzilla->request_cache->{on_mfa_page} = $on_mfa_page;
+
+ if ( $grace_period == 0 || $expired) {
+ if (!$on_mfa_page) {
+ print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa");
+ exit;
+ }
+ }
+ else {
+ my $dbh = Bugzilla->dbh_main;
+ my $date = $dbh->sql_date_math( 'NOW()', '+', '?', 'DAY' );
+ my ($mfa_required_date) = $dbh->selectrow_array( "SELECT $date", undef, $grace_period );
+ $authenticated_user->set_mfa_required_date($mfa_required_date);
+ $authenticated_user->update();
+ }
+ }
# We must now check to see if an sudo session is in progress.
# For a session to be in progress, the following must be true:
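Review bot: The deadline written in the `else` branch after the `$grace_period == 0 || $expired` test is re-computed on every request whose deadline has not yet passed, because that branch is taken whenever `$grace_period` is non-zero and `$expired` is false, including when `$date` is already set; an active user therefore keeps pushing `mfa_required_date` forward and the grace period never actually runs out. Only stamp the date when none exists yet: `elsif ( !defined $date ) {`. The inner `my $date` on the `sql_date_math` line also shadows the outer `$date` that the guard depends on, so renaming it (for example `$date_expr`) keeps the guard readable. Separately, `$cgi->param('tab') eq 'mfa'` warns on an uninitialized value whenever `tab` is absent, which `( $cgi->param('tab') // '' ) eq 'mfa'` avoids, and the redirect inside the block should use the `$cgi` lexical declared at the top of the hunk rather than `Bugzilla->cgi` again. Note that the whole `elsif` is skipped for web-service calls, so the restriction applies to the web UI only, unlike the password-reset branch above which disables API access too; if API use by such users is also meant to be blocked, that needs a separate check, and sub login starts and ends outside the hunk.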
@@ -1222,4 +1250,4 @@ information.
=back
-=back
+=back \ No newline at end of file