Remove: deprecated native MFA feature #2717
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186996979 The labels on this github issue will be updated when the story is started. |
peterhaochen47
added a commit
to cloudfoundry/uaa-release
that referenced
this pull request
Feb 7, 2024
- the MFA feature has long been deprecated and will soon be removed in the next release, see: cloudfoundry/uaa#2717 - see breaking change planning: #739 [#186854489]
|
@peterhaochen47 I think you can remove |
peterhaochen47
added a commit
to cloudfoundry/uaa-release
that referenced
this pull request
Feb 7, 2024
- the MFA feature has long been deprecated and will soon be removed in the next release, see: cloudfoundry/uaa#2717 - see breaking change planning: #739 [#186854489]
peterhaochen47
force-pushed
the
pr/develop/remove-mfa-186854489
branch
from
efb7c59
to
9e43344
Compare
hsinn0
approved these changes
Feb 8, 2024
strehle
approved these changes
Feb 8, 2024
...main/java/org/cloudfoundry/identity/uaa/audit/JdbcUnsuccessfulLoginCountingAuditService.java
Outdated
Show resolved
Hide resolved
peterhaochen47
force-pushed
the
pr/develop/remove-mfa-186854489
branch
from
cd6a805
to
60f3d1b
Compare
- Context about its deprecation:
- This feature is under-utilized, and requires further
maintenance for which our team lacks the resource. (For
example, this feature is potentially vulnerable because
a secure Content-Security-Policy cannot be applied to its
pages without breaking them.) The feature has also been
marked as "not ready for production" for a few years now.
So we opt to remove the feature and instead recommend
using the external IDPs's own MFA features. See more context
in #2196.
- This commit removes all MFA-specific codes, except for
the following, on which we will make follow-up commits:
- README's deprecation notice
- database operations
- Content-Security-Policy's exemption toward MFA endpoint (https://github.com/cloudfoundry/uaa/blob/72565fb56cd1f90af499119d32c891937f3c5a76/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java#L29)
- breaking changes planning: cloudfoundry/uaa-release#739
- Further notes about specific changes in tests:
- For PasscodeMockMvcTests.testLoginUsingPasscodeWithUnknownToken(), the assertion
on response code is changed from 401 to 403. This is because 403 was the original
asserted value before MFA was added (see: 92abee6).
The 403 response also makes sense in the context of the test (authentication
present but has insufficient access).
[#186854489]
- the MFA feature has been removed, hence adding DB migrations to drop the feature's related DB tables. - also clean up README and tests [#186854489]
- the MFA feature has been removed (aka the "/login/mfa/" endpoint) hence the code that creates an exemption for the MFA endpoint when enforcing "Content-Security-Policy" is no longer needed [#186854489]
- the MFA feature has been removed, so no longer need the deprecation notice [#186854489]
- the beans are for MFA feature, which has been removed [#186854489]
- use a more standard way to intialize a list, instead of using com.beust.jcommander.internal.Lists.newArrayList - motivation: this com.beust.jcommander.internal.Lists.newArrayList dep was added to our dependencies indirectly via another dependency I'm trying to remove [#186854489]
- these deps are for MFA feature (which has been removed) - also: before, the code was using org.apache.httpcomponents:httpclient but getting it indirectly via the MFA-related deps (which this commit aims to remove); hence, now need to directly declare org.apache.httpcomponents:httpclient as a dependency. [#186854489]
- by merging cases
peterhaochen47
force-pushed
the
pr/develop/remove-mfa-186854489
branch
from
60f3d1b
to
1181e06
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[#186854489]