[GIT] Evergreen ILS branch main updated. b145aaa6229bc6429b77d458ff512e07c84b8a55

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Evergreen ILS". The branch, main has been updated via b145aaa6229bc6429b77d458ff512e07c84b8a55 (commit) from 83c3f55887e01b2405a2d8bda22140d7beab79f8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit b145aaa6229bc6429b77d458ff512e07c84b8a55 Author: Mike Rylander <mrylander@gmail.com> Date: Fri Jan 3 15:12:59 2025 -0500 LP#2080572: Support secondary permission groups for MFA configuration This adds a new configuration file setting for the open-ils.auth_mfa OpenSRF application, called honor_secondary_groups, which causes the Multi-Factor Authentication system to consider all permission groups to which a user belongs when deciding if MFA is available or required, and which factors are configurable for that user. The previous behavior was to consider only the Profile Group of the user when determining MFA configuration. The strictest interpretation of available and required is used, so that if one group the user belongs to requires MFA, it is required for the user. The full set of factors enabled for all groups that the user belongs to is presented for use by the user. Release-note: A new `opensrf.xml` config file option, `honor_secondary_groups`, allows secondary group membership to add MFA configuration to a user, in addition to the main profile group. This option defaults to "false", i.e., secondary permission groups are not considered. If the option is turned on, if any permission group associated with the user, including the profile, requires MFA, MFA will be required of the user. Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Elizabeth Davis <elizabeth.davis@sparkpa.org> 
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org> diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example index ec87c9804d..74b5532513 100644 --- a/Open-ILS/examples/opensrf.xml.example +++ b/Open-ILS/examples/opensrf.xml.example @@ -540,6 +540,8 @@ vim:et:ts=4:sw=4: <app_settings> <!-- 'enabled' is the master switch; set to 'true' to enable MFA --> <enabled>false</enabled> + <!-- set 'honor_secondary_groups' to to 'true' allow secondary group membership to act in the same way as profile group for MFA availability and factor list --> + <honor_secondary_groups>false</honor_secondary_groups> <factors> <totp> <enabled>true</enabled> diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/MultiFactorAuth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/MultiFactorAuth.pm index 670dd9a88f..dd8d2c621e 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/Application/MultiFactorAuth.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/MultiFactorAuth.pm @@ -56,13 +56,16 @@ my $factor_configs; our $cache; our $enabled = 'false'; +our $secondary = 'false'; sub initialize { my $conf = OpenSRF::Utils::SettingsClient->new; my $settings = $conf->config_value( qw/apps open-ils.auth_mfa app_settings/ ); $enabled = $$settings{enabled}; + $secondary = $$settings{honor_secondary_groups}; $logger->info("MFA enable: $enabled"); + $logger->info("MFA honors secondary group membership: $secondary"); $factor_configs = $$settings{factors}; $factor_configs = {} if ref($factor_configs) ne 'HASH'; @@ -193,6 +196,11 @@ sub enabled { return 1; } +sub secondary { + return 0 unless $secondary eq 'true'; + return 1; +} + __PACKAGE__->register_method( method => "enabled_factor_list", api_name => "open-ils.auth_mfa.enabled_factors", 
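Review bot: The comment added above `<honor_secondary_groups>` has a typo (`to to 'true' allow`) that makes the sentence hard to parse for an administrator copying this example. Suggest `<!-- set 'honor_secondary_groups' to 'true' to allow secondary group membership to act in the same way as the profile group for MFA availability and factor list -->`. It would also help to say that the value is compared as a string and only the literal `true` turns the behavior on, which is what the accompanying Perl `secondary()` does.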
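Review bot: `$secondary = $$settings{honor_secondary_groups};` in initialize overwrites the module-level default `'false'` with undef whenever the option is absent from opensrf.xml, so the `$secondary eq 'true'` test in the new `secondary()` (hunk at -193) then emits an uninitialized-value warning on every call, and the new log line in this hunk prints an empty value. Preserve the documented default at the point of assignment: `$secondary = $$settings{honor_secondary_groups} // 'false';` (or `|| 'false'` if the file must stay on pre-5.10 syntax). `$enabled` on the line above has the same shape, but that is pre-existing. initialize's body continues outside the hunk.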
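Review bot: `secondary()` is undocumented and its two-statement body reads as a guard plus fall-through when it is really a single boolean; a one-line comment and a single expression make the contract obvious to the callers in factors_for_token and proceed_for_token that test `if (secondary())`. Suggest `# True only when opensrf.xml sets honor_secondary_groups to the literal string 'true' (see initialize).` above the sub and `return $secondary eq 'true' ? 1 : 0;` as its body, which keeps the 0/1 return the callers rely on.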
@@ -331,10 +339,13 @@ sub factors_for_token { return undef unless $usr; # no session, no MFA $logger->info("MFA user id: ". $usr->id); - my $grp = $e->retrieve_permission_grp_tree($usr->profile); + my $grp_id_list = [$usr->profile]; + if (secondary()) { + push @$grp_id_list, map {$_->grp} @{$e->search_permission_usr_grp_map({usr => $usr->id})}; + } # check group factor list against enabled factors, return 0 if no overlap - my $grp_ancestors = $U->get_grp_ancestors($usr->profile); + my $grp_ancestors = [ uniq map { @$_ } map { $U->get_grp_ancestors($_) } @$grp_id_list ]; $logger->info("MFA user groups: ". join(' ', @$grp_ancestors)); my $group_factors = $e->search_permission_group_mfa_factor_map({ @@ -476,8 +487,13 @@ sub proceed_for_token { return 0 unless $usr; # no session, no MFA # If MFA is not allowed for the group, say so - my $grp = $e->retrieve_permission_grp_tree($usr->profile); - return 0 unless $U->is_true($grp->mfa_allowed); + my $grp_id_list = [$usr->profile]; + if (secondary()) { + push @$grp_id_list, map {$_->grp} @{$e->search_permission_usr_grp_map({usr => $usr->id})}; + } + + my $grps = $e->search_permission_grp_tree({id => $grp_id_list}); + return 0 unless grep { $U->is_true($_->mfa_allowed) } @$grps; # check exception list, return 0 if excepted return 0 if user_has_exceptions($usr->id); @@ -485,7 +501,7 @@ sub proceed_for_token { # The difference between "required" and "allowed" modes is the recent-activity check, # which only matters to "required" mode. If they have recent MFA activity recorded, it # is not required. - if ($U->is_true($grp->mfa_required) and $self->api_name =~ /required/) { + if ( $self->api_name =~ /required/ and grep { $U->is_true($_->mfa_required) } @$grps) { # check recent mfa user activity, return 0 if activity age < interval # IOW, it's not required /right this moment/. 
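Review bot: The new `$grp_ancestors` line calls `uniq` as a bareword, but nothing in this hunk shows it being imported; unless the file already has `use List::Util qw(uniq)` (1.45 or later) or an equivalent, this does not compile, so the import should be confirmed before merge. Separately, `map { @$_ } map { $U->get_grp_ancestors($_) } @$grp_id_list` dereferences whatever the helper returns for each secondary group id; if it can return anything other than an array ref for an unknown or deleted group (the hunk does not show it), the deref dies under strict refs, so a `grep { defined }` between the two maps — or a guard inside the helper — is worth confirming. factors_for_token's body continues outside the hunk.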
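Review bot: The three lines that build `$grp_id_list` here are copied verbatim from factors_for_token (hunk at -331), so the two call sites will drift the next time the membership rule changes. Pull the lookup into one private helper and call it from both places with `my $grp_id_list = _grp_ids_for_user($e, $usr);`, keeping the `search_permission_grp_tree` call and the `mfa_allowed` grep as they are. proceed_for_token's body continues outside the hunk on both sides.
```perl
# Profile group id plus, when honor_secondary_groups is on, the ids of the
# user's secondary groups; returned as an array ref for the callers' map/grep.
sub _grp_ids_for_user {
    my ($e, $usr) = @_;
    my @ids = ($usr->profile);
    if (secondary()) {
        push @ids, map { $_->grp } @{ $e->search_permission_usr_grp_map({usr => $usr->id}) };
    }
    return \@ids;
}

# … in proceed_for_token, replacing the three copied lines …
    my $grp_id_list = _grp_ids_for_user($e, $usr);
    # … unchanged: search_permission_grp_tree and mfa_allowed check …
```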
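Review bot: `grep { $U->is_true($_->mfa_required) } @$grps` is evaluated here and again in the hunk at -508, walking every group each time; compute it once right after `$grps` is built and reuse the scalar in both places: `my $mfa_required = scalar grep { $U->is_true($_->mfa_required) } @$grps;` and then `if ($self->api_name =~ /required/ and $mfa_required) {`. A short comment naming the rule would also help the next reader: `# any one group requiring MFA makes it required for the user`. The enclosing if block runs past the end of the hunk.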
@@ -508,7 +524,7 @@ sub proceed_for_token { return 0 if ($usr_activity and scalar(@$usr_activity)); } - return $U->is_true($grp->mfa_required) if ($self->api_name =~ /required/); + return scalar(grep { $U->is_true($_->mfa_required) } @$grps) if ($self->api_name =~ /required/); # no activity, so MFA is both allowed and required return 1; ----------------------------------------------------------------------- Summary of changes: Open-ILS/examples/opensrf.xml.example | 2 ++ .../lib/OpenILS/Application/MultiFactorAuth.pm | 28 +++++++++++++++++----- 2 files changed, 24 insertions(+), 6 deletions(-) hooks/post-receive -- Evergreen ILS
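Review bot: `return scalar(grep ...)` changes the method's value from whatever `$U->is_true` returned (presumably 0/1) to a match count, so a user in two groups that both require MFA now gets 2 back; the hunk does not show the callers, but any that compare the result to 1 rather than testing truth would stop matching. Normalize before returning: `return (grep { $U->is_true($_->mfa_required) } @$grps) ? 1 : 0 if ($self->api_name =~ /required/);`. proceed_for_token's body continues outside the hunk.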