[SQSERVICE- 1509] 2FA in the context of sso

changelog.d/3-bug-fixes/pr-2693

@@ -0,0 +1 @@
+The 2nd factor password challenge team feature is disabled for SSO users

docs/src/how-to/install/team-feature-settings.md

@@ -31,6 +31,8 @@ galley:
 
 Note that the lock status is required but has no effect, as it is currently not supported for team admins to enable or disable `sndFactorPasswordChallenge`. We recommend to set the lock status to `locked`.
 
+Currently the 2nd factor password challenge if enabled has no effect for SSO users.
+
 ## Rate limiting of code generation requests
 
 The default delay between code generation requests is 5 minutes. This setting can be overridden in the Helm charts:

services/brig/src/Brig/User/Auth.hs

@@ -194,7 +194,8 @@ verifyCode mbCode action uid = do
   featureEnabled <- lift $ do
     mbFeatureEnabled <- Intra.getVerificationCodeEnabled `traverse` mbTeamId
     pure $ fromMaybe (Public.wsStatus (Public.defFeatureStatus @Public.SndFactorPasswordChallengeConfig) == Public.FeatureStatusEnabled) mbFeatureEnabled
-  when featureEnabled $ do
+  isSsoUser <- Data.isSamlUser uid
+  when (featureEnabled && not isSsoUser) $ do
     case (mbCode, mbEmail) of
       (Just code, Just email) -> do
         key <- Code.mkKey $ Code.ForEmail email

services/brig/test/integration/API/Team.hs

@@ -24,6 +24,7 @@ where
 
 import qualified API.Search.Util as SearchUtil
 import API.Team.Util
+import API.User.Util as Util hiding (listConnections)
 import Bilge hiding (accept, head, timeout)
 import qualified Bilge
 import Bilge.Assert
@@ -57,6 +58,7 @@ import Web.Cookie (parseSetCookie, setCookieName)
 import Wire.API.Asset
 import Wire.API.Connection
 import Wire.API.Team hiding (newTeam)
+import qualified Wire.API.Team.Feature as Public
 import Wire.API.Team.Invitation
 import Wire.API.Team.Member hiding (invitation, userId)
 import qualified Wire.API.Team.Member as Member
@@ -65,6 +67,7 @@ import Wire.API.Team.Role
 import Wire.API.Team.Size
 import Wire.API.User
 import Wire.API.User.Auth
+import Wire.API.User.Client (ClientType (PermanentClientType))
 
 newtype TeamSizeLimit = TeamSizeLimit Word32
 
@@ -108,7 +111,8 @@ tests conf m n b c g aws = do
         testGroup "sso" $
           [ test m "post /i/users  - 201 internal-SSO" $ testCreateUserInternalSSO b g,
             test m "delete /i/users/:uid - 202 internal-SSO (ensure no orphan teams)" $ testDeleteUserSSO b g,
-            test m "get /i/teams/:tid/is-team-owner/:uid" $ testSSOIsTeamOwner b g
+            test m "get /i/teams/:tid/is-team-owner/:uid" $ testSSOIsTeamOwner b g,
+            test m "2FA disabled for SSO user" $ test2FaDisabledForSsoUser b g
           ],
         testGroup "size" $ [test m "get /i/teams/:tid/size" $ testTeamSize b]
       ]
@@ -820,6 +824,21 @@ testDeleteUserSSO brig galley = do
   updatePermissions user3 tid (creator', Team.rolePermissions RoleMember) galley
   deleteUser creator' (Just defPassword) brig !!! const 200 === statusCode
 
+test2FaDisabledForSsoUser :: Brig -> Galley -> Http ()
+test2FaDisabledForSsoUser brig galley = do
+  teamid <- snd <$> createUserWithTeam brig
+  setTeamFeatureLockStatus @Public.SndFactorPasswordChallengeConfig galley teamid Public.LockStatusUnlocked
+  setTeamSndFactorPasswordChallenge galley teamid Public.FeatureStatusEnabled
+  let ssoid = UserSSOId mkSimpleSampleUref
+  createUserResp <-
+    postUser "dummy" True False (Just ssoid) (Just teamid) brig <!! do
+      const 201 === statusCode
+      const (Just ssoid) === (userSSOId . selfUser <=< responseJsonMaybe)
+  let Just uid = userId <$> responseJsonMaybe createUserResp
+  let verificationCode = Nothing
+  addClient brig uid (defNewClientWithVerificationCode verificationCode PermanentClientType [head somePrekeys] (head someLastPrekeys))
+    !!! const 201 === statusCode
+
 -- TODO:
 -- add sso service.  (we'll need a name for that now.)
 -- brig needs to notify the sso service about deletions!