Short-term admin accounts #22833

Closed
piotrekkaminski opened this issue May 11, 2019 · 4 comments
Labels
Component: Admin Component: Security Component: User feature request Fixed in 2.4.x The issue has been fixed in 2.4-develop branch Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed

Comments

piotrekkaminski (Contributor) commented May 11, 2019

Description (*)

Merchants often create admin accounts to allow extension vendors to support their extensions remotely. Such admin accounts often have simple, easy-to-guess passwords - and they are never removed even when no longer used.

Expected behavior (*)

Ability to define how long a given account is enabled. The account will be disabled after the specified time passes. There should be the ability to reopen the account for another time frame or make it permanent. Additionally, the system should propose a high-complexity password during account creation to encourage using strong passwords.

Benefits

Given that the majority of attacks on Magento installations include getting admin access and installing JavaScript malware, all features that allow limiting the admin accounts could help protect systems.

Additional information

@magento-engcom-team magento-engcom-team added the Issue: Format is valid Gate 1 Passed. Automatic verification of issue format passed label May 11, 2019
@magento magento deleted a comment from m2-assistant bot May 11, 2019
@lfolco lfolco self-assigned this May 11, 2019
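
The behaviour requested in the issue above, sketched as an added example (not part of the original issue and not Magento's code). `AdminAccount`, `suggest_password` and `sweep` are hypothetical names; the model assumes expiry is enforced on every authenticated request as well as at login, so a session opened before the deadline ends with the account.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def suggest_password(length: int = 24) -> str:
    """Propose a high-complexity password drawn from the OS CSPRNG."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


@dataclass
class AdminAccount:  # hypothetical model, not Magento's schema
    username: str
    expires_at: Optional[datetime] = None  # None means permanent
    is_active: bool = True

    def is_usable(self, now: datetime) -> bool:
        """Check at login AND on each request of an existing session."""
        if self.is_active and self.expires_at is not None and now >= self.expires_at:
            self.is_active = False  # disable lazily even if no sweep job ran
        return self.is_active

    def reopen(self, now: datetime, lifetime: Optional[timedelta]) -> None:
        """Re-enable for another time frame; lifetime=None makes it permanent."""
        if lifetime is not None and lifetime <= timedelta(0):
            raise ValueError("lifetime must be positive")
        self.expires_at = None if lifetime is None else now + lifetime
        self.is_active = True


def sweep(accounts: list, now: datetime) -> list:
    """Periodic job: disable expired accounts, return their names for audit."""
    expired = []
    for account in accounts:
        if account.is_active and not account.is_usable(now):
            expired.append(account.username)
    return expired
```
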

m2-assistant bot commented May 11, 2019

Hi @lfolco. Thank you for working on this issue.
In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: 👇

  1. Verify that the issue has all the required information (Preconditions, Steps to reproduce, Expected result, Actual result).

     Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please edit the issue description if needed, until the label Issue: Format is valid appears.

  2. Verify that the issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add the Issue: Clear Description label to the issue yourself.

  3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  4. Verify that the issue is reproducible on the 2.3-develop branch.

     Details:
     - Add the comment @magento-engcom-team give me 2.3-develop instance to deploy a test instance on Magento infrastructure.
     - If the issue is reproducible on the 2.3-develop branch, please add the label Reproduced on 2.3.x.
     - If the issue is not reproducible, add a comment that the issue is not reproducible, close the issue and stop the verification process here!

  5. Verify that the issue is reproducible on the 2.2-develop branch.

     Details:
     - Add the comment @magento-engcom-team give me 2.2-develop instance to deploy a test instance on Magento infrastructure.
     - If the issue is reproducible on the 2.2-develop branch, please add the label Reproduced on 2.2.x.


m2-assistant bot commented May 11, 2019

Hi @avstudnitz. Thank you for working on this issue.

lfolco added a commit to lfolco/magento2 that referenced this issue May 11, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue May 12, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue May 18, 2019
lfolco (Contributor) commented May 19, 2019

Question about password complexity: should that be included in this issue or should it be moved into a separate issue? The two issues are related but are distinct functionality.

lfolco added a commit to lfolco/magento2 that referenced this issue May 19, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue May 22, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Jun 1, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Jun 21, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Jun 30, 2019
…stead of AdminSessionsManager to check for expired users (magento#22833: Short-term admin accounts)
lfolco added a commit to lfolco/magento2 that referenced this issue Jul 4, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Oct 13, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Oct 14, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Oct 15, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Oct 19, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Oct 25, 2019
lfolco added a commit to lfolco/magento2 that referenced this issue Jan 18, 2020
lfolco added a commit to lfolco/magento2 that referenced this issue Mar 4, 2020
lfolco added a commit to lfolco/magento2 that referenced this issue Mar 5, 2020
magento-engcom-team (Contributor) commented

Hi @piotrekkaminski. Thank you for your report.
The issue has been fixed in #22837 by @lfolco in 2.4-develop branch
Related commit(s):

The fix will be available with the upcoming 2.4.0 release.

@magento-engcom-team magento-engcom-team added the Fixed in 2.4.x The issue has been fixed in 2.4-develop branch label Mar 28, 2020
magento-engcom-team added a commit that referenced this issue Mar 28, 2020
 - Merge Pull Request #22837 from lfolco/magento2:project_pepe
 - Merged commits:
6 participants