From 5147ff20b8b9f1c23a992e77613693f466e58e9f Mon Sep 17 00:00:00 2001
From: Mike Fiedler
Date: Fri, 5 Jan 2024 10:06:16 -0500
Subject: [PATCH] chore: remove 2fa conditionals (#15142)
---
 tests/unit/accounts/test_security_policy.py | 30 --------------
 warehouse/accounts/security_policy.py | 46 +++++++++------------
 warehouse/admin/flags.py | 1 -
 3 files changed, 19 insertions(+), 58 deletions(-)
diff --git a/tests/unit/accounts/test_security_policy.py b/tests/unit/accounts/test_security_policy.py
index 1e55dcbba597..5bbbdd314ebd 100644
--- a/tests/unit/accounts/test_security_policy.py
+++ b/tests/unit/accounts/test_security_policy.py
@@ -21,7 +21,6 @@ from warehouse.accounts import security_policy
 from warehouse.accounts.interfaces import IUserService
-from warehouse.admin.flags import AdminFlagValue
 from warehouse.utils.security_policy import AuthenticationMethod
@@ -602,32 +601,10 @@ def test_permits_with_unverified_email(self, monkeypatch, policy_class):
 policy = policy_class()
 assert not policy.permits(request, context, "myperm")
- # TODO: remove this test when we remove the conditional
- def test_permits_manage_projects_without_2fa_for_older_users(
- self, monkeypatch, policy_class
- ):
- monkeypatch.setattr(security_policy, "User", pretend.stub)
-
- request = pretend.stub(
- flags=pretend.stub(enabled=lambda flag: False),
- identity=pretend.stub(
- __principals__=lambda: ["user:5"],
- has_primary_verified_email=True,
- has_two_factor=False,
- date_joined=datetime(2019, 1, 1),
- ),
- matched_route=pretend.stub(name="manage.projects"),
- )
- context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
-
- policy = policy_class()
- assert policy.permits(request, context, "myperm")
-
 def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
 monkeypatch.setattr(security_policy, "User", pretend.stub)
 request = pretend.stub(
- flags=pretend.stub(enabled=pretend.call_recorder(lambda *a: True)),
 identity=pretend.stub(
 __principals__=lambda: ["user:5"],
 has_primary_verified_email=True,
@@ -640,9 +617,6 @@ def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
 policy = policy_class()
 assert policy.permits(request, context, "myperm")
- assert request.flags.enabled.calls == [
- pretend.call(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE)
- ]
 def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
 monkeypatch.setattr(security_policy, "User", pretend.stub)
@@ -697,7 +671,6 @@ def test_permits_2fa_routes_without_2fa(
 monkeypatch.setattr(security_policy, "User", pretend.stub)
 request = pretend.stub(
- flags=pretend.stub(enabled=pretend.call_recorder(lambda *a: False)),
 identity=pretend.stub(
 __principals__=lambda: ["user:5"],
 has_primary_verified_email=True,
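Review bot: The deleted `test_permits_manage_projects_without_2fa_for_older_users` was, as far as this hunk shows, the only test calling `datetime(2019, 1, 1)` unqualified, so there is presumably a `from datetime import datetime` import at the top of the file (outside this hunk) that is now unused if nothing else references it; it should be dropped alongside `AdminFlagValue` so the linter stays clean. With the admin flag gone, the remaining `test_permits_manage_projects_with_2fa` / `test_deny_manage_projects_without_2fa` pair is what pins the now-unconditional rule, which is the right shape for the policy this commit leaves behind. The hunk opens inside `test_permits_with_unverified_email`, and `test_permits_manage_projects_with_2fa` continues past its last line.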
@@ -711,6 +684,3 @@ def test_permits_2fa_routes_without_2fa(
 policy = policy_class()
 assert policy.permits(request, context, "myperm")
- assert request.flags.enabled.calls == [
- pretend.call(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE)
- ]
diff --git a/warehouse/accounts/security_policy.py b/warehouse/accounts/security_policy.py
index f1496c7b5b0a..144bede4a386 100644
--- a/warehouse/accounts/security_policy.py
+++ b/warehouse/accounts/security_policy.py
@@ -24,7 +24,6 @@ from warehouse.accounts.interfaces import IPasswordBreachedService, IUserService
 from warehouse.accounts.models import DisableReason, User
-from warehouse.admin.flags import AdminFlagValue
 from warehouse.cache.http import add_vary_callback
 from warehouse.email import send_password_compromised_email_hibp
 from warehouse.errors import (
@@ -293,33 +292,26 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
 "manage.account.webauthn-provision",
 ]
- # If flag is active, require 2FA for management and upload.
- if request.flags.enabled(AdminFlagValue.TWOFA_REQUIRED_EVERYWHERE) or (
- # Start enforcement from 2023-08-08, but we should remove this check
- # at the end of 2023.
- request.identity.date_joined
- and request.identity.date_joined > datetime.datetime(2023, 8, 8)
+ if (
+ request.matched_route.name.startswith("manage")
+ and request.matched_route.name != "manage.account"
+ and not any(
+ request.matched_route.name.startswith(route) for route in _exempt_routes
+ )
+ and not request.identity.has_two_factor
 ):
- if (
- request.matched_route.name.startswith("manage")
- and request.matched_route.name != "manage.account"
- and not any(
- request.matched_route.name.startswith(route) for route in _exempt_routes
- )
- and not request.identity.has_two_factor
- ):
- return WarehouseDenied(
- "You must enable two factor authentication to manage other settings",
- reason="manage_2fa_required",
- )
+ return WarehouseDenied(
+ "You must enable two factor authentication to manage other settings",
+ reason="manage_2fa_required",
+ )
- if (
- request.matched_route.name == "forklift.legacy.file_upload"
- and not request.identity.has_two_factor
- ):
- return WarehouseDenied(
- "You must enable two factor authentication to upload",
- reason="upload_2fa_required",
- )
+ if (
+ request.matched_route.name == "forklift.legacy.file_upload"
+ and not request.identity.has_two_factor
+ ):
+ return WarehouseDenied(
+ "You must enable two factor authentication to upload",
+ reason="upload_2fa_required",
+ )
 return None
diff --git a/warehouse/admin/flags.py b/warehouse/admin/flags.py
index cebf9f979c9c..17e39fb2e600 100644
--- a/warehouse/admin/flags.py
+++ b/warehouse/admin/flags.py
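Review bot: The dedented block at the top of the hunk drops the only comment that explained the rule (`# If flag is active, require 2FA for management and upload.`) without replacing it, so the now-unconditional policy is undocumented; a one-line comment such as `# 2FA is mandatory on every manage.* route (except manage.account and the exempt setup routes) and on legacy uploads.` above the first `if` would keep the intent visible to the next reader. `request.matched_route.name` is read five times across the two conditions; binding it once, `route_name = request.matched_route.name`, would make both checks easier to read and keeps the route comparison in one place. The removed `datetime.datetime(2023, 8, 8)` was possibly the module's only use of `datetime`; if so, the top-level `import datetime` (outside this hunk) is now unused and should go with it. With the flag check gone there is no longer a runtime switch to relax this enforcement, so any rollback is a deploy rather than an admin toggle, which is worth a sentence in the commit message. `_check_for_mfa` starts before the hunk.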
@@ -28,7 +28,6 @@ class AdminFlagValue(enum.Enum):
 DISALLOW_GITHUB_OIDC = "disallow-github-oidc"
 DISALLOW_GOOGLE_OIDC = "disallow-google-oidc"
 READ_ONLY = "read-only"
- TWOFA_REQUIRED_EVERYWHERE = "2fa-required"
 class AdminFlag(db.ModelBase):
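Review bot: Deleting `TWOFA_REQUIRED_EVERYWHERE` removes the member from the enum but not the flag itself: `class AdminFlag(db.ModelBase)` just below suggests the flags are rows in a database table identified by this string value, so a `2fa-required` row would presumably survive this commit with no code referencing it. If that is how the flags are stored, a migration deleting the row (or a note in the commit message that the orphaned row is harmless and will be cleaned up separately) would make the removal complete and keep the admin flag list from showing a switch that no longer does anything. The enum body starts before the hunk.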