Sakai / SAK-42577

Reset-Pass > no longer checks invalid account types (regression)

    Details

    • 19 status:
      Please Merge
    • 12 status:
      Please Merge
    • Property addition/change required:
      Yes
    • Test Plan:
      1. ensure the "resetPass.invalidEmailDomains" is set and defines at least one invalid domain (ex: "sakaiproject.org")
      2. attempt to generate a reset password email for an email address for one of the domains listed in the above property
        • verify you see appropriate default messaging about invalid domain
      3. set a custom message for Reset Password's invalid domain feedback message:
        1. as admin, go to Sites -> search for "gateway", select the gateway site (!gateway)
        2. scroll to the bottom and click "Add/Edit pages"
        3. select the page which has the title "Reset Password"
        4. click the "Tools" button
        5. click the tool ID
        6. scroll to the bottom and click the "Properties" button
        7. add a new property with the name = "wrongtype", and some custom message of your choice
        8. click "Save"
        9. logout
      4. go back to Reset Password and again try to generate a reset password email for an email address for one of the domains listed in the sakai.property
        • verify you see the custom message you set in the previous steps
      5. generate a password reset email for a valid account email you have access to, and which is not provided by the "invalid domain(s)"
        • verify you receive the email and can follow the directions to successfully reset the password for the respective account

      Description

      SAK-42256 refactored reset-pass so that it would not leak information to the user about whether or not an account exists with the given email address.

      However, we didn't notice that as a result of this work there is now a regression in that it doesn't report/validate on a sakai.property to reject attempts for certain account types. Unfortunately, we can't just restore this original functionality because that would be defeating the purpose of hardening the system to not expose undue information to a potential attacker.

      To address this regression, we actually need to change the original implementation to be based off a sakai.property like invalidEmailInIdAccountString, which lists domains which are not allowed to use services like New Account, rather than a list of allowed user types (which forces us to resolve User objects in the back end to identify the user type, and reporting on this finding divulges information about if the account exists or not).

      In this way, the domain can be checked before trying to resolve the User object, we can display some messaging about the domain being invalid or not allowed, and we don't leak any information about if the account exists or not (either via messaging, or by code analysis).

      This is a significant change in behaviour, and will necessitate removing old sakai.properties ("resetPass.resetAllRoles", "accountValidator.accountTypes.accept", and "resetRoles" which is the legacy version of the former), and introducing a new property to duplicate the "invalidEmailInIdAccountString" for Reset Password, so that institutions can define two separate lists of allowed domains, one for New Account and one for Reset Password.

      Properties removed

      • resetRoles
      • resetPass.resetAllRoles

      Properties added

      • resetPass.invalidEmailDomains
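
The ordering described above (reject on domain before any account lookup, then give one generic response whether or not the account exists), as an added Java sketch that is not Sakai's code. The class, method, and store names are hypothetical, and the comma-separated property format and exact-match comparison are assumptions.

```java
import java.util.*;

public class ResetPassDomainCheck {
    enum Outcome { INVALID_DOMAIN, GENERIC_ACK }

    // Assumption: the property value is a comma-separated list of domains.
    static Set<String> parseDomains(String propertyValue) {
        Set<String> domains = new HashSet<>();
        for (String d : propertyValue.split(",")) {
            String t = d.trim().toLowerCase(Locale.ROOT);
            if (!t.isEmpty()) domains.add(t);
        }
        return domains;
    }

    static String domainOf(String email) {
        int at = email.lastIndexOf('@');
        return at < 0 ? "" : email.substring(at + 1).trim().toLowerCase(Locale.ROOT);
    }

    // userStore (email -> user id) and outbox are hypothetical stand-ins for
    // the user directory and the mail service.
    static Outcome requestReset(String email, Set<String> invalidDomains,
                                Map<String, String> userStore, List<String> outbox) {
        // Step 1: decided from the submitted address and configuration only,
        // before any account lookup, so it says nothing about account existence.
        if (invalidDomains.contains(domainOf(email))) return Outcome.INVALID_DOMAIN;
        // Step 2: the lookup result changes only whether mail is sent,
        // never what the requester is shown.
        String userId = userStore.get(email.trim().toLowerCase(Locale.ROOT));
        if (userId != null) outbox.add(userId);
        return Outcome.GENERIC_ACK;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> invalid = parseDomains("sakaiproject.org, sso.example.edu");
        Map<String, String> users = new HashMap<>();
        users.put("staff@sakaiproject.org", "u1");
        users.put("guest@example.com", "u2");
        List<String> outbox = new ArrayList<>();
        for (String email : new String[] {"staff@sakaiproject.org",
                "nobody@sakaiproject.org", "guest@example.com", "nobody@example.com"}) {
            System.out.println(email + " -> " + requestReset(email, invalid, users, outbox));
        }
        System.out.println("reset mail queued for: " + outbox);
    }
}
```

Addresses that share a domain get the same outcome whether or not an account exists for them, which is the property the description is after.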

                  People

                  Assignee:
                  bjones86 Brian Jones
                  Reporter:
                  bjones86 Brian Jones