diff --git a/changelog.d/3-bug-fixes/pr-2693 b/changelog.d/3-bug-fixes/pr-2693
new file mode 100644
index 0000000000..ccba02e288
--- /dev/null
+++ b/changelog.d/3-bug-fixes/pr-2693
@@ -0,0 +1 @@
+The 2nd factor password challenge team feature is disabled for SSO users
diff --git a/docs/src/how-to/install/team-feature-settings.md b/docs/src/how-to/install/team-feature-settings.md
index 7db2c07429..21733829f9 100644
--- a/docs/src/how-to/install/team-feature-settings.md
+++ b/docs/src/how-to/install/team-feature-settings.md
@@ -31,6 +31,8 @@ galley:
 Note that the lock status is required but has no effect, as it is currently not supported for team admins to enable or disable `sndFactorPasswordChallenge`. We recommend to set the lock status to `locked`.
+Currently the 2nd factor password challenge if enabled has no effect for SSO users.
+
 ## Rate limiting of code generation requests
 The default delay between code generation requests is 5 minutes. This setting can be overridden in the Helm charts:
diff --git a/services/brig/src/Brig/User/Auth.hs b/services/brig/src/Brig/User/Auth.hs
index d85d778670..712da1d6b0 100644
--- a/services/brig/src/Brig/User/Auth.hs
+++ b/services/brig/src/Brig/User/Auth.hs
@@ -194,7 +194,8 @@ verifyCode mbCode action uid = do
   featureEnabled <- lift $ do
     mbFeatureEnabled <- Intra.getVerificationCodeEnabled `traverse` mbTeamId
     pure $ fromMaybe (Public.wsStatus (Public.defFeatureStatus @Public.SndFactorPasswordChallengeConfig) == Public.FeatureStatusEnabled) mbFeatureEnabled
-  when featureEnabled $ do
+  isSsoUser <- Data.isSamlUser uid
+  when (featureEnabled && not isSsoUser) $ do
     case (mbCode, mbEmail) of
       (Just code, Just email) -> do
         key <- Code.mkKey $ Code.ForEmail email
diff --git a/services/brig/test/integration/API/Team.hs b/services/brig/test/integration/API/Team.hs
index 1462a421a4..45b2ce69d2 100644
--- a/services/brig/test/integration/API/Team.hs
+++ b/services/brig/test/integration/API/Team.hs
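Review bot: The new `isSsoUser` guard in the Brig/User/Auth.hs hunk silently exempts SAML users from the second-factor challenge without any comment stating why that is safe, so a reader of `when (featureEnabled && not isSsoUser)` cannot tell whether this is a deliberate reliance on the identity provider's own factors or an oversight. I would add above the binding `-- SSO users are not challenged: their identity provider is expected to own the second factor (the team feature currently has no effect for them).` and, since `Data.isSamlUser uid` is presumably a store lookup that now runs even when the feature is disabled, consider `isSsoUser <- if featureEnabled then Data.isSamlUser uid else pure False` so the lookup only happens when it can change the outcome. A debug-level log line when the challenge is skipped for an SSO user would also make the exemption visible in audit trails. `verifyCode` starts before and continues past this hunk.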
@@ -24,6 +24,7 @@ where
 import qualified API.Search.Util as SearchUtil
 import API.Team.Util
+import API.User.Util as Util hiding (listConnections)
 import Bilge hiding (accept, head, timeout)
 import qualified Bilge
 import Bilge.Assert
@@ -57,6 +58,7 @@ import Web.Cookie (parseSetCookie, setCookieName)
 import Wire.API.Asset
 import Wire.API.Connection
 import Wire.API.Team hiding (newTeam)
+import qualified Wire.API.Team.Feature as Public
 import Wire.API.Team.Invitation
 import Wire.API.Team.Member hiding (invitation, userId)
 import qualified Wire.API.Team.Member as Member
@@ -65,6 +67,7 @@ import Wire.API.Team.Role
 import Wire.API.Team.Size
 import Wire.API.User
 import Wire.API.User.Auth
+import Wire.API.User.Client (ClientType (PermanentClientType))
 newtype TeamSizeLimit = TeamSizeLimit Word32
@@ -108,7 +111,8 @@ tests conf m n b c g aws = do
     testGroup "sso" $
       [ test m "post /i/users - 201 internal-SSO" $ testCreateUserInternalSSO b g,
         test m "delete /i/users/:uid - 202 internal-SSO (ensure no orphan teams)" $ testDeleteUserSSO b g,
-        test m "get /i/teams/:tid/is-team-owner/:uid" $ testSSOIsTeamOwner b g
+        test m "get /i/teams/:tid/is-team-owner/:uid" $ testSSOIsTeamOwner b g,
+        test m "2FA disabled for SSO user" $ test2FaDisabledForSsoUser b g
       ],
     testGroup "size" $ [test m "get /i/teams/:tid/size" $ testTeamSize b]
   ]
@@ -820,6 +824,21 @@ testDeleteUserSSO brig galley = do
   updatePermissions user3 tid (creator', Team.rolePermissions RoleMember) galley
   deleteUser creator' (Just defPassword) brig !!! const 200 === statusCode
+test2FaDisabledForSsoUser :: Brig -> Galley -> Http ()
+test2FaDisabledForSsoUser brig galley = do
+  teamid <- snd <$> createUserWithTeam brig
+  setTeamFeatureLockStatus @Public.SndFactorPasswordChallengeConfig galley teamid Public.LockStatusUnlocked
+  setTeamSndFactorPasswordChallenge galley teamid Public.FeatureStatusEnabled
+  let ssoid = UserSSOId mkSimpleSampleUref
+  createUserResp <-
+    postUser "dummy" True False (Just ssoid) (Just teamid) brig responseJsonMaybe createUserResp
+  let verificationCode = Nothing
+  addClient brig uid (defNewClientWithVerificationCode verificationCode PermanentClientType [head somePrekeys] (head someLastPrekeys))
+    !!! const 201 === statusCode
+
 -- TODO:
 -- add sso service. (we'll need a name for that now.)
 -- brig needs to notify the sso service about deletions!
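Review bot: `test2FaDisabledForSsoUser` asserts only the positive path, `addClient ... !!! const 201 === statusCode` with `verificationCode = Nothing`, so it would also pass if the challenge were never actually in force for the team (for example if `setTeamSndFactorPasswordChallenge` had no effect). A control step would make the test meaningful: add a non-SSO member to the same team and assert that their `addClient` without a verification code is refused, before checking that the SSO user's succeeds. The binding of `uid` between the `postUser ...` line and `let verificationCode = Nothing` is not visible in this view of the hunk, so I cannot confirm it is derived from `createUserResp` with a status check on the create call. `head somePrekeys` and `head someLastPrekeys` are partial functions; if the surrounding tests do not already rely on this idiom, a total accessor for the fixtures would be preferable.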