Page MenuHomePhabricator
Create Task
Maniphest T150562

Be able to force OATHAuth for certain user groups
Closed, ResolvedPublic
Actions

Assigned To
Legoktm
Authored By
Reedy
Nov 12 2016, 1:25 AM
Tags
Referenced Files
None
Subscribers
AfroThundr3007730
Agabi10
Aklapper
Amorymeltzer
BethNaught
Count_Count
Dan.mulholland
View All 43 Subscribers
Tokens
"Pterodactyl" token, awarded by FriedrickMILBarbarossa."Love" token, awarded by Ejegg."Love" token, awarded by Pcoombe."Love" token, awarded by Ladsgroup."Love" token, awarded by Steinsplitter."Love" token, awarded by Framawiki.

Description

We need a way, for certain wikis to force certain users to use OATHAuth.

There are two (somewhat complimentary) possible approaches:

  • Refactor OATHAuth to use AuthManager for enabling/disabling (T137471), then write a SecondaryAuthenticationProvider that asks for 2FA to be set up after a successful login. (ResetPasswordSecondaryAuthenticationProvider is an example.) This is good when we want to completely lock users out of the wiki until they have set up 2FA but is less effective for already logged-in users who get promoted into a new user group (although the system could log them out when the promotion happens if they do not have 2FA set up).
  • Use the UserGetRights hook to disable sensitive permissions until 2FA is set up, and find some way to communicate to the user what is going on. This is good when we only want to require users with access to a certain permission to use 2FA, but the communication part seems messy (see T180888: All permission checks should be able to return a custom error message).

Details

SubjectRepoBranchLines +/-
Require OATHAuth for membership in specified user groupsmediawiki/extensions/OATHAuthREL1_36+113 -6
Require OATHAuth for membership in specified user groupsmediawiki/extensions/OATHAuthREL1_35+113 -6
Require OATHAuth for membership in specified user groupsmediawiki/extensions/OATHAuthREL1_37+113 -6
Require OATHAuth for membership in specified user groupsmediawiki/extensions/OATHAuthmaster+113 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
jrbs subscribed.May 9 2018, 1:42 AM
MGChecker subscribed.Jun 13 2018, 10:18 PM
Reedy mentioned this in T197501: Make users without 2FA setup not have checkuser right regardless of their groups.Jun 15 2018, 10:57 PM
JEumerus subscribed.Jun 16 2018, 9:14 AM
MarcoAurelio added a project: Stewards-and-global-tools.Jun 17 2018, 11:12 AM
MarcoAurelio subscribed.
jrbs added a project: Trust-and-Safety.Jun 17 2018, 9:39 PM

Adding T&S since resetting these is presently a responsibility we've been taking on.

jrbs moved this task from Backlog to Support on the Trust-and-Safety board.Jun 17 2018, 9:39 PM
jrbs moved this task from Support to Radar on the Trust-and-Safety board.
Reedy mentioned this in T199118: Degrade/temporarily remove user rights/groups if 2FA isn't enabled.Jul 9 2018, 3:08 PM
Teles subscribed.Jul 10 2018, 6:52 PM
Strainu subscribed.Jul 11 2018, 8:13 AM
BethNaught subscribed.Jul 11 2018, 9:15 AM
Amorymeltzer subscribed.Jul 11 2018, 2:03 PM
zhuyifei1999 subscribed.Jul 12 2018, 1:42 PM
Framawiki awarded a token.Jul 12 2018, 5:56 PM
Framawiki added a project: acl*security.
Framawiki subscribed.
Reedy added a parent task: T197501: Make users without 2FA setup not have checkuser right regardless of their groups.Aug 3 2018, 11:50 PM
MR70 subscribed.Aug 11 2018, 10:41 AM

https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OATHAuth/+/452020/

gerritbot subscribed.Aug 11 2018, 11:17 PM

Change 452020 had a related patch set uploaded (by MR70; owner: MR70):
[mediawiki/extensions/OATHAuth@master] Permissions of a specific groups should be removed if Two-Factor-Auth isn't enabled for a user

https://gerrit.wikimedia.org/r/452020

gerritbot added a project: Patch-For-Review.Aug 11 2018, 11:17 PM
MarcoAurelio mentioned this in T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions.Aug 20 2018, 3:28 PM
Steinsplitter awarded a token.Aug 20 2018, 3:30 PM
RP88 subscribed.Aug 20 2018, 4:59 PM
AfroThundr3007730 subscribed.Aug 20 2018, 10:26 PM
JohanahoJ subscribed.Aug 25 2018, 2:43 PM
Ladsgroup awarded a token.Sep 2 2018, 4:39 PM
Pcoombe awarded a token.Oct 26 2018, 5:45 PM
Ejegg awarded a token.Oct 26 2018, 11:39 PM
Reedy added a parent task: Restricted Task.Oct 27 2018, 8:56 AM
Jseddon added a subscriber: DStrine.Oct 27 2018, 4:42 PM
DStrine changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)".Oct 30 2018, 4:46 PM
Reedy added a comment.Oct 30 2018, 5:05 PM

@DStrine Why have you made the visibility restricted to WMF-NDA? I really cannot see any good reason for that

DStrine added a comment.Oct 30 2018, 5:12 PM

@Reedy it was previously set at a very restricted visibility setting. Are you suggesting restoring that?

Reedy added a comment.Oct 30 2018, 5:13 PM

DStrine changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)".

No it wasn't?

Reedy changed the visibility from "WMF-NDA (Project)" to "Public (No Login Required)".Oct 30 2018, 5:13 PM

After changing it back, I can view this task in incognito mode. We can't get much more open than that

DStrine added a comment.Oct 30 2018, 5:15 PM

It previously had the *custom policy at the top and was not visible my several WMF managers.

Krenair added a comment.Oct 30 2018, 6:39 PM

According to Phabricator it was Public, then you hid it:

DStrine changed the visibility from "Public (No Login Required)" to "WMF-NDA (Project)".Tue, Oct 30, 16:46

MGChecker added a comment.Oct 30 2018, 6:51 PM

This task blocks multiple ones with restricted visibility, maybe this was causing confusion?

Meno25 subscribed.Dec 9 2018, 3:55 AM
Tgr updated the task description. (Show Details)Dec 10 2018, 7:16 AM
Xiplus subscribed.Dec 18 2018, 6:54 AM
Xaosflux mentioned this in T209749: Allow privileged accounts to determine if an account has enrolled in 2FA.Jan 29 2019, 11:37 PM
RhinosF1 subscribed.Mar 24 2019, 5:20 PM
Reedy mentioned this in T218215: SO878 Step 4: Bind permissions to 2FA.Mar 26 2019, 6:02 PM
Dan.mulholland subscribed.May 8 2019, 3:59 AM
Reedy removed a project: Patch-For-Review.Sep 3 2019, 11:15 AM
chasemp triaged this task as Medium priority.Dec 9 2019, 5:21 PM
Count_Count subscribed.Jan 16 2020, 12:10 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Urbanecm subscribed.Apr 22 2020, 10:09 AM

The code seems to already have support for this. Can't we add rights with 2FA mandated to OATHExclusiveRights then?

DannyS712 subscribed.Apr 22 2020, 10:32 AM
Reedy added a comment.Apr 22 2020, 12:56 PM
In T150562#6078001, @Urbanecm wrote:

The code seems to already have support for this. Can't we add rights with 2FA mandated to OATHExclusiveRights then?

It's not exactly the same. It's T199118: Degrade/temporarily remove user rights/groups if 2FA isn't enabled that was done, which is a similar, but different way to implement the same thing

It removes (temporarily( the rights if you don't have 2FA, but doesn't actually force you to enable it

Urbanecm added a comment.Apr 22 2020, 12:58 PM

On the other hand, if you're officially an interface admin, but don't have 2FA, as a result, you just can't do what IAs normally can. It does force you to enroll to 2FA if you want to enjoy the perks.

Tgr added a comment.Apr 22 2020, 1:55 PM

Well, suppressing rights is named in the task description as one of the possible ways to implement this task (although it's possible to do both ways at once, they are not exclusive). What's more problematic is

  1. Communication - apart from the message not being super useful (it should tell you where to go / what to do), it's not necessarily displayed (e.g. when the caller uses userCan). There should probably be some warning on the preferences page.
  2. Completeness - the UserGetRights hook is not implemented, so this only affects title-based permission checks, not userHasRight. How confident are we that the latter is never used for sensitive special page or log page access?
  3. Persistence - it's stored in the session; how long does that live? (I don't think it survives a browser restart.) How does it work for CentralAuth-based sessions? (Not at all, I'd guess.) Also, how does it work with things like OAuth or bot passwords? (Again, I don't think it works at all.)
Tks4Fish subscribed.Apr 26 2020, 6:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Urbanecm mentioned this in T273294: Make OATHExclusiveRights more reliable.Jan 29 2021, 3:24 PM
FriedrickMILBarbarossa subscribed.Apr 29 2021, 11:42 AM
FriedrickMILBarbarossa awarded a token.May 14 2021, 3:54 AM
Universal_Omega subscribed.Dec 5 2021, 5:49 AM
Zabe subscribed.Dec 6 2021, 6:11 PM
Legoktm mentioned this in T32018: Require some user groups to have a periodically confirmed valid email address.Dec 11 2021, 7:29 PM
gerritbot added a comment.Feb 14 2022, 7:15 AM

Change 762385 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/OATHAuth@master] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/762385

gerritbot added a project: Patch-For-Review.Feb 14 2022, 7:15 AM
RP88 added a comment.EditedFeb 14 2022, 8:15 AM

With the recent patch, I am curious about the following scenario:

  1. the oathauth-enable user right is only available to users in particular groups,
  2. all of those groups are listed in $wgOATHRequiredForGroups, and
  3. a user in one of these groups does not have 2FA enabled.

Will that user be stuck unable to enable 2FA because the oathauth-enable user right is only available via a group that is disabled because they don't have 2FA enabled?

Legoktm subscribed.Feb 14 2022, 8:22 AM

That is a good point that I didn't think of, it'll definitely be an issue. Probably we need to still grant the oathauth-enable userright if a group membership is disabled for this reason.

Legoktm added a comment.Feb 14 2022, 8:50 AM

PS4-5 fixes this by granting oathauth-enable whenever a user is in that situation. It doesn't actually check that one of the disabled groups granted it, but I think it is reasonable to expect that if a group is in $wgOATHRequiredForGroups, and a user is in that group, that they should be able to enable 2FA.

Legoktm claimed this task.Feb 14 2022, 8:51 AM
Urbanecm added a comment.Feb 14 2022, 10:22 AM

Thanks @Legoktm for working on this. One of the issues I see today in the "suppress group membership if 2FA is not enabled" is that it doesn't really make the account less privileged than they were before. Imagine I'm an interface administrator (a group that has mandatory 2FA), without having my 2FA enabled. This means I can't currently edit the site JS/CSS. However, any moment I want to edit site JS/CSS, I can just go ahead and enroll myself. An attacker can do the same thing, after acquiring access to my account.

Granted, since enrolling into 2FA requires a reauth, it means an attacker either needs to find a vulnerability in the reauth process that lets them to bypass it, or needs to know my password (to do the reauth dance). Purely having my cookies wouldn't give the attacker interface-admin access. However, accounts with 2FA enabled will work in the exact same way: just having my cookie jar will let you to do almost anything my account can do.

I recognize this is a disadvantage present in other forms of the same capability, and is not really an issue in @Legoktm's patch (which only prompted me to write this comment). For that reason, I don't have an issue with the patch getting merged as-is. However, before we enable the new feature in Wikimedia wikis, maybe we should discuss the aspect I described above?

Legoktm added a comment.Feb 15 2022, 3:18 AM
In T150562#7706998, @Urbanecm wrote:

Thanks @Legoktm for working on this. One of the issues I see today in the "suppress group membership if 2FA is not enabled" is that it doesn't really make the account less privileged than they were before. Imagine I'm an interface administrator (a group that has mandatory 2FA), without having my 2FA enabled. This means I can't currently edit the site JS/CSS. However, any moment I want to edit site JS/CSS, I can just go ahead and enroll myself. An attacker can do the same thing, after acquiring access to my account.

Yep, from an attacker's standpoint I don't think this *significantly* improves things security-wise. IMO the main issue right now is that there are legitimate reasons for a privileged account to temporarily have 2FA disabled, like if you're switching phones. Until we support having multiple 2FA methods being enabled at once (maybe the next project to work on ;)) we have to allow privileged users to remove their 2FA. What this will improve is that users will be constantly reminded that they need to re-enable 2FA because they can't do the actions they want to without doing that! I expect this will reduce the number of accounts that forget to re-enable 2FA and similar. Maybe in the future we don't allow granting privileged groups at all if you don't have 2FA, and if you disable your 2FA, your groups are automatically stripped and must be regranted? I haven't fully thought out the attack scenarios or UX for that yet. Either way, we're pretty far away.

Granted, since enrolling into 2FA requires a reauth, it means an attacker either needs to find a vulnerability in the reauth process that lets them to bypass it, or needs to know my password (to do the reauth dance). Purely having my cookies wouldn't give the attacker interface-admin access. However, accounts with 2FA enabled will work in the exact same way: just having my cookie jar will let you to do almost anything my account can do.

I think stealing cookies/sessions is an entirely separate threat that 2FA really doesn't protect against. There's another ticket somewhere about being able to list individual sessions and log them out as desired. In the meantime we're stuck with CA logging out every session when you log out in one place.

I recognize this is a disadvantage present in other forms of the same capability, and is not really an issue in @Legoktm's patch (which only prompted me to write this comment). For that reason, I don't have an issue with the patch getting merged as-is. However, before we enable the new feature in Wikimedia wikis, maybe we should discuss the aspect I described above?

Let me know if I didn't address your concerns fully. Mostly I think this should be seen as an incremental improvement, and not a solid wall that will entirely prevent privileged account compromises.

Legoktm added a comment.Feb 15 2022, 3:23 AM

Two other points of my patch that might merit some discussion:

  • The API will leak whether someone has had groups disabled, and therefore doesn't have 2FA enabled. Do we need to close that before doing this?
  • Are we sure we want to do this at the group level and not rights level? Groups is IMO easier to communicate to users and how the policy is implemented, but then we will need a separate implementation for CA's global groups.
gerritbot added a comment.Feb 17 2022, 7:41 AM

Change 762385 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/762385

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.23; 2022-02-21).Feb 17 2022, 8:00 AM
gerritbot added a comment.Feb 17 2022, 1:24 PM

Change 763295 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_37] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763295

gerritbot added a comment.Feb 17 2022, 1:24 PM

Change 763296 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_36] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763296

gerritbot added a comment.Feb 17 2022, 1:24 PM

Change 763297 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_35] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763297

gerritbot added a comment.Feb 17 2022, 2:17 PM

Change 763295 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_37] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763295

gerritbot added a comment.Feb 17 2022, 2:17 PM

Change 763297 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_35] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763297

gerritbot added a comment.Feb 17 2022, 2:18 PM

Change 763296 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_36] Require OATHAuth for membership in specified user groups

https://gerrit.wikimedia.org/r/763296

Legoktm closed this task as Resolved.Feb 18 2022, 7:17 AM
Meno25 removed a project: Patch-For-Review.Mar 14 2022, 8:51 AM
Reedy added a comment.Feb 1 2023, 4:36 PM

$wgOATHRequiredForGroups hasn't been documented on https://www.mediawiki.org/wiki/Extension:OATHAuth

Reedy mentioned this in T326912: Parser function for checking if OATHAuth is enabled.Feb 1 2023, 4:37 PM
Meno25 unsubscribed.Feb 3 2023, 4:56 PM
Johannnes89 subscribed.Mar 11 2024, 6:59 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits