major fixes #455

Merged
merged 14 commits into from
May 31, 2024
Merged
333 changes: 333 additions & 0 deletions .gitignore
@@ -0,0 +1,333 @@
# Created by https://www.toptal.com/developers/gitignore/api/visualstudiocode,node,python
# Edit at https://www.toptal.com/developers/gitignore?templates=visualstudiocode,node,python

### Node ###
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*
.pnpm-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# Snowpack dependency directory (https://snowpack.dev/)
web_modules/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Optional stylelint cache
.stylelintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variable files
.env
.env.development.local
.env.test.local
.env.production.local
.env.local

# parcel-bundler cache (https://parceljs.org/)
.cache
.parcel-cache

# Next.js build output
.next
out

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and not Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# vuepress v2.x temp and cache directory
.temp

# Docusaurus cache and generated files
.docusaurus

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port

# Stores VSCode versions used for testing VSCode extensions
.vscode-test

# yarn v2
.yarn/cache
.yarn/unplugged
.yarn/build-state.yml
.yarn/install-state.gz
.pnp.*

### Node Patch ###
# Serverless Webpack directories
.webpack/

# Optional stylelint cache

# SvelteKit build / generate output
.svelte-kit

### Python ###
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/

# Translations
*.mo
*.pot

# Django stuff:
local_settings.py
db.sqlite3
db.sqlite3-journal

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
.pybuilder/
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
# For a library or package, you might want to ignore these files since the code is
# intended to run in multiple environments; otherwise, check them in:
# .python-version

# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock

# poetry
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
# This is especially recommended for binary packages to ensure reproducibility, and is more
# commonly ignored for libraries.
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock

# pdm
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
#pdm.lock
# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
# in version control.
# https://pdm.fming.dev/#use-with-ide
.pdm.toml

# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
__pypackages__/

# Celery stuff
celerybeat-schedule
celerybeat.pid

# SageMath parsed files
*.sage.py

# Environments
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

# Pyre type checker
.pyre/

# pytype static type analyzer
.pytype/

# Cython debug symbols
cython_debug/

# PyCharm
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/

### Python Patch ###
# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
poetry.toml

# ruff
.ruff_cache/

# LSP config files
pyrightconfig.json

### VisualStudioCode ###
.vscode/*
#!.vscode/settings.json
#!.vscode/tasks.json
#!.vscode/launch.json
#!.vscode/extensions.json
#!.vscode/*.code-snippets

# Local History for Visual Studio Code
.history/

# Built Visual Studio Code Extensions
*.vsix

### VisualStudioCode Patch ###
# Ignore all local history of files
.history
.ionide

# End of https://www.toptal.com/developers/gitignore/api/visualstudiocode,node,python
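Review bot: the Python section's `lib/`, `lib64/`, `build/` and `dist/` patterns are unanchored, so they match at any depth and can silently exclude a legitimate source directory in a repository that, judging by the other files in this PR, is mostly JavaScript rules and connectors; anchor them (`/lib/`, `/build/`) or drop the Python block if no Python is checked in. The `.env` and `.env.*.local` entries are the security-relevant part of this file and are worth keeping; note that .gitignore does not untrack files already committed, so check `git ls-files` for any such file before relying on it.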

6 changes: 6 additions & 0 deletions connections/firefoxaccounts.js
Expand Up @@ -60,6 +60,12 @@ function firefoxAccountsConnection(accessToken, ctx, cb) {
user_id: id_token.sub,
picture: p.avatar,
preferredLanguage: p.locale,
// Mozilla accounts (formerly Firefox Accounts), allows mixed case characters in their email property
// I'm adding this comment here in case we want to actually enforce email case conformity in the future
// Although, it will need extensive testing to ensure we aren't breaking anything. In the meantime, we will
// need to account for the fact that this and other IdP connectors return email with mixed case.
// So until otherwise decided, we allow mixed case email.
// email: p.email.toLowerCase(),
email: p.email,
email_verified: true,
fxa_sub: id_token.sub,
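Review bot: the commented-out `// email: p.email.toLowerCase(),` is dead code that will go stale; the comment above it already records the decision, so drop the commented line and track the case-normalisation question in an issue instead. Since this connector now deliberately passes mixed-case `email` through, every rule that compares `email` against a list or another profile has to normalise case on its side (as `force-ldap-logins-over-ldap.js` does in this same PR); a one-line pointer to that requirement in the comment would help the next reader.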
6 changes: 4 additions & 2 deletions rules/Global-Function-Declarations.js
Expand Up @@ -3,7 +3,7 @@ function globalFunctionDeclaration(user, context, callback) {
// This rule MUST be at the top of the rule list (FIRST) or other rules WILL FAIL
// with a NON RECOVERABLE error, and thus LOGIN WILL FAIL FOR USERS

// Since we do not use the /continue endpoint let's make sure we explictly fail with an ErrorUnauthorized
// Since we do not use the /continue endpoint let's make sure we explictly fail with an UnauthorizedError
// otherwise it is possible to continue the session even after a postError redirect is set.
if (context.protocol === "redirect-callback") {
return callback(new UnauthorizedError('The /continue endpoint is not allowed'), user, context);
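Review bot: the replacement comment line still carries the typo `explictly`; since the line is being rewritten anyway, correct it to `explicitly`.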
Expand Down Expand Up @@ -35,8 +35,10 @@ function globalFunctionDeclaration(user, context, callback) {
);

skey = undefined; // auth0 compiler does not allow 'delete' so we undefine instead

var domain = context.tenant === "dev" ? "sso.allizom.org" : "sso.mozilla.com";
rcontext.redirect = {
url: `https://sso.mozilla.com/forbidden?error=${token}`
url: `https://${domain}/forbidden?error=${token}`
};

return rcontext;
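Review bot: `domain` is chosen by a single `context.tenant === "dev"` test, so any other tenant name (a typo, or a future staging tenant) silently sends users to the production `sso.mozilla.com` forbidden page; prefer `const` and an explicit tenant-to-host map with a failing default so an unknown tenant is noticed rather than routed to prod. `token` is also interpolated straight into the query string; wrap it in `encodeURIComponent(token)` unless it is guaranteed to be URL-safe.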
16 changes: 11 additions & 5 deletions rules/force-ldap-logins-over-ldap.js
Expand Up @@ -5,11 +5,16 @@ function forceLDAPLoginsOverLDAP(user, context, callback) {
'jijaIzcZmFCDRtV74scMb9lI87MtYNTA', // mozillians.org Verification Client
];

// The domain strings in this array should always be declared here in lowercase
const MOZILLA_STAFF_DOMAINS = [
'mozilla.com', // Main corp domain
'mozillafoundation.org', // Main org domain
'getpocket.com', // Pocket domain
'thunderbird.net', // MZLA domain
'mozilla.com', // Main corp domain
'mozillafoundation.org', // Main org domain
'getpocket.com', // Pocket domain
'thunderbird.net', // MZLA domain
'readitlater.com',
'mozilla-japan.org',
'mozilla.ai',
'mozilla.vc'
];

// Sanity checks
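Review bot: the new comment requires every entry to be lowercase, but nothing enforces it; a cheap guard is to normalise the list once (`MOZILLA_STAFF_DOMAINS.map(d => d.toLowerCase())`) or assert it in the sanity checks below. The four added entries `readitlater.com`, `mozilla-japan.org`, `mozilla.ai` and `mozilla.vc` lack the per-line ownership comments the existing entries have; add them so the list stays auditable, and add the trailing comma after `'mozilla.vc'` so future additions diff cleanly.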
Expand All @@ -31,7 +36,8 @@ function forceLDAPLoginsOverLDAP(user, context, callback) {
// 'ad' is LDAP - Force LDAP users to log with LDAP here
if (context.connectionStrategy !== 'ad') {
for (let domain of MOZILLA_STAFF_DOMAINS) {
if (user.email.endsWith(domain)) {
// we need to sanitize the email address to lowercase before matching so we can catch users with upper/mixed case email addresses
if (user.email.toLowerCase().endsWith(domain)) {
console.log(`Staff or LDAP user attempted to login with the wrong login method. We only allow ad (LDAP) for staff: ${user.email}`);
return callback(null, user, global.postError('staffmustuseldap', context));
}
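Review bot: lowercasing before the comparison is the right fix, but `endsWith(domain)` has no `@` delimiter, so an address at an unrelated domain that merely ends with one of the listed strings (for example one ending in `notmozilla.com`) is also treated as staff and forced to LDAP; match on `'@' + domain`, or split the address at `@` and compare the domain part exactly. The `toLowerCase()` call also presumes `user.email` is a string; if the sanity checks above do not already guarantee that, guard it here.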