Before Striker can modify data for existing LDAP accounts (password, ssh keys, etc) it must check for 2FA on the account and enforce token checks for 2FA enabled accounts. At the very least it must tell users with 2FA enabled that they cannot use Striker.
See also:
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | bd808 | T144711 Allow management of LDAP SSH keys | |||
| Resolved | bd808 | T144712 Check for 2FA protection and enforce validation of 2FA tokens | |||
| Resolved | bd808 | T153487 Add user group to wikitech granting the oathauth-api-all right |
There are multiple possible paths to get this functionality as noted in the description. The best solution would be some internal network service (T120484 or an off-the-shelf solution like https://www.linotp.org). Implementing a new general purpose HTOP service is a bit more work than I would like to bite off just to allow Striker to manage things about a user's LDAP account like the password and ssh public keys.
When horizon needed this protection the implementation was to interact directly with the underlying database that stores the HTOP secrets for wikitech. This is problematic for a number of reasons that I won't enumerate here. The short answer is that its not a good idea to use a mysql table as a common API. My idea for storing the secrets in LDAP (T136350) is really not much better. It moves the data to a location that is already common to wikitech, horizon, and striker but it doesn't solve other problems of multiple HTOP implementations using the same secrets.
I think I have an idea for a 3rd solution that is between a stand alone service and shared secret access. A new Action API endpoint could be added to MediaWiki-extensions-OATHAuth that allowed a trusted user to:
These actions would need to be protected with a new permission to restrict use to highly trusted accounts. There should also be rate limiting on the validation action to limit the number of tokens that can be tried for a given MediaWiki user account per unit time.
Change 313548 had a related patch set uploaded (by BryanDavis):
Add a query meta api option to check for OATH
Change 313549 had a related patch set uploaded (by BryanDavis):
Add an api action to validate an OATH token
Change 314221 had a related patch set uploaded (by BryanDavis):
OATHAuth: Grant oathauth-api to sysop
Change 317375 had a related patch set uploaded (by BryanDavis):
striker: Add ldapauthwiki OAuth config for oath
Change 324637 had a related patch set uploaded (by BryanDavis):
Add support for authenticated Action API use
Change 327786 had a related patch set uploaded (by BryanDavis):
Check and enforce OATH account protection
@dpatrick, @Bawolff, @Reedy: It would be nice to get a quick look at the logic in https://gerrit.wikimedia.org/r/327786 from the Security-Team folks.
There are probably several additional things that could be done in follow-up commits to add more protections for 2FA users:
I think for now though this protection is as secure as the existing Wikitech 2FA usage.
Change 333095 had a related patch set uploaded (by BryanDavis):
Bump static and striker submodules