
chore: remove 2fa conditionals #15142


Merged
merged 3 commits into from
Jan 5, 2024
30 changes: 0 additions & 30 deletions tests/unit/accounts/test_security_policy.py
Expand Up @@ -21,7 +21,6 @@

from warehouse.accounts import security_policy
from warehouse.accounts.interfaces import IUserService
from warehouse.admin.flags import AdminFlagValue
from warehouse.utils.security_policy import AuthenticationMethod


Expand Down Expand Up @@ -602,32 +601,10 @@ def test_permits_with_unverified_email(self, monkeypatch, policy_class):
policy = policy_class()
assert not policy.permits(request, context, "myperm")

# TODO: remove this test when we remove the conditional
def test_permits_manage_projects_without_2fa_for_older_users(
self, monkeypatch, policy_class
):
monkeypatch.setattr(security_policy, "User", pretend.stub)

request = pretend.stub(
flags=pretend.stub(enabled=lambda flag: False),
identity=pretend.stub(
__principals__=lambda: ["user:5"],
has_primary_verified_email=True,
has_two_factor=False,
date_joined=datetime(2019, 1, 1),
),
matched_route=pretend.stub(name="manage.projects"),
)
context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])

policy = policy_class()
assert policy.permits(request, context, "myperm")

def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
monkeypatch.setattr(security_policy, "User", pretend.stub)

request = pretend.stub(
flags=pretend.stub(enabled=pretend.call_recorder(lambda *a: True)),
identity=pretend.stub(
__principals__=lambda: ["user:5"],
has_primary_verified_email=True,
Expand All @@ -640,9 +617,6 @@ def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):

policy = policy_class()
assert policy.permits(request, context, "myperm")
assert request.flags.enabled.calls == [
pretend.call(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE)
]

def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
monkeypatch.setattr(security_policy, "User", pretend.stub)
Expand Down Expand Up @@ -697,7 +671,6 @@ def test_permits_2fa_routes_without_2fa(
monkeypatch.setattr(security_policy, "User", pretend.stub)

request = pretend.stub(
flags=pretend.stub(enabled=pretend.call_recorder(lambda *a: False)),
identity=pretend.stub(
__principals__=lambda: ["user:5"],
has_primary_verified_email=True,
Expand All @@ -711,6 +684,3 @@ def test_permits_2fa_routes_without_2fa(

policy = policy_class()
assert policy.permits(request, context, "myperm")
assert request.flags.enabled.calls == [
pretend.call(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE)
]
46 changes: 19 additions & 27 deletions warehouse/accounts/security_policy.py
Expand Up @@ -24,7 +24,6 @@

from warehouse.accounts.interfaces import IPasswordBreachedService, IUserService
from warehouse.accounts.models import DisableReason, User
from warehouse.admin.flags import AdminFlagValue
from warehouse.cache.http import add_vary_callback
from warehouse.email import send_password_compromised_email_hibp
from warehouse.errors import (
Expand Down Expand Up @@ -293,33 +292,26 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
"manage.account.webauthn-provision",
]

# If flag is active, require 2FA for management and upload.
if request.flags.enabled(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE) or (
# Start enforcement from 2023-08-08, but we should remove this check
# at the end of 2023.
request.identity.date_joined
and request.identity.date_joined > datetime.datetime(2023, 8, 8)
if (
request.matched_route.name.startswith("manage")
and request.matched_route.name != "manage.account"
and not any(
request.matched_route.name.startswith(route) for route in _exempt_routes
)
and not request.identity.has_two_factor
):
if (
request.matched_route.name.startswith("manage")
and request.matched_route.name != "manage.account"
and not any(
request.matched_route.name.startswith(route) for route in _exempt_routes
)
and not request.identity.has_two_factor
):
return WarehouseDenied(
"You must enable two factor authentication to manage other settings",
reason="manage_2fa_required",
)
return WarehouseDenied(
"You must enable two factor authentication to manage other settings",
reason="manage_2fa_required",
)

if (
request.matched_route.name == "forklift.legacy.file_upload"
and not request.identity.has_two_factor
):
return WarehouseDenied(
"You must enable two factor authentication to upload",
reason="upload_2fa_required",
)
if (
request.matched_route.name == "forklift.legacy.file_upload"
and not request.identity.has_two_factor
):
return WarehouseDenied(
"You must enable two factor authentication to upload",
reason="upload_2fa_required",
)

return None
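Review bot: With the admin flag and the join-date gate removed, the two `if` blocks in `_check_for_mfa` are the only 2FA gate, and the new code carries no comment saying so or saying what is covered. Coverage is decided purely by route name: names starting with `manage` (minus `manage.account` and anything that starts with an `_exempt_routes` entry) and the literal `forklift.legacy.file_upload`, so a sensitive route named outside that pattern, or one whose name happens to extend an exempt entry, is not checked here. I would put a comment above the first `if`, for example `# 2FA is required unconditionally: every "manage*" route except "manage.account" and the _exempt_routes prefixes, plus legacy upload.`, and keep a test that pins a denial for an account with an old `date_joined`, since the test for older users was deleted rather than inverted. If `datetime` was imported only for the removed `datetime.datetime(2023, 8, 8)` comparison, that import may now be unused; the top of the function and the import block are outside the visible hunks, so this needs checking.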
1 change: 0 additions & 1 deletion warehouse/admin/flags.py
Expand Up @@ -28,7 +28,6 @@ class AdminFlagValue(enum.Enum):
DISALLOW_GITHUB_OIDC = "disallow-github-oidc"
DISALLOW_GOOGLE_OIDC = "disallow-google-oidc"
READ_ONLY = "read-only"
TWOFA_REQUIRED_EVERYWHERE = "2fa-required"


class AdminFlag(db.ModelBase):