Hey all Mozillians.org friends!
Last week we pushed a huge release to production. It affects the way we handle identities in Mozilla, and it's a huge step towards implementing Identity and Access Management for both Mozilla contributors and staff.
Here is the changelog:
- Fix BASE_DIR when setting up puente for l10n.
- Add banner to inform people to file bugs in case of IAM issue.
- Fix typo in README.
- Make the deletion of a profile atomic.
- Return empty string if request has no access to idp profile.
- Register task to cleanup empty profiles.
- Update wording in profile creation.
- Handle email swapping from the social provider.
- Enable search in admin for IdpProfiles.
- Allow unvouched users to add identities.
- Switch primary email for MFAd accounts.
- Handle multiple identities with the same id but different emails.
- Revert "Banner - IAM changes"
- Banner - IAM changes
- Fix query to filter primary identities per profile.
- Send the login email as primary email in CIS.
- Replace mozorg.cdn.mozilla.net assets with local static files.
- Add OpenSans fonts in mozillians.org static files
- Add a message when there is an account upgrade.
- Update CIS to the latest master.
- Use IdpProfile to populate the emails sent to CIS.
- Push a verified profile to CIS.
- Fix typo in profile template.
- Workaround for alternate emails/idp API compatibility.
- Do not allow the deletion of the primary contact identity.
- Replace user.email with userprofile.email
- Fix API compatibility on email filtering
- Revert "Update API to expose/filter IdpProfiles instead of ExternalAccounts."
- Add help text in the login identity.
- Update text to match the title in the profile view section.
- Do not display the primary contact identity in alternate identities.
- Do not use a form for the primary contact identity.
- Add missing requirements needed by Sphinx.
- Check if primary_contact_identity exists in profile.email
- Update API to expose/filter IdpProfiles instead of ExternalAccounts.
- Use IdpProfile primary contact as profile email attribute.
- Adapt mozillians.org codebase to use profile.email
- Remove unused privacy field for IDP profiles
- Use the correct privacy aware manager.
- Replace Alternate emails with Idp Profile in settings.
- [Fix bug 1410727] Increase footer-nav width
- Do not create a new user if an IdpProfile exists.
- Add debug info for CIS calls.
- Check if an email belongs to another user before making it primary.
- Show more useful unicode representation for IdpProfile objects.
- Check if IDP is MFA-ed when populating cis groups.
- Allow verified MFA accounts to login to the linked profile.
- Switch the IdpProfile.type to an IntegerField. (deliver #152036040)
- Refactor authbackend.
- Update a few dev packages.
- Remove deprecated multidb support.
- Update local installation configuration.
- Revert cryptography==2.1.1 upgrade
- Check if a profile exists in the CIS task.
- Add missing upgrades
- Wipe access groups if there is not an IdpProfile.
- Fix query for idps on get_cis_groups
- Check that an identity is tied to a single profile.
- Do not run CIS tasks on unit-tests.
- Allow Django admin in CSP.
- styling/docs (README.md file) - fixing typos; adding ToC
- Add Google in allowed providers.
- Use the user object instead of the request.user.
- Verify Google and Github accounts.
- Add an EmailField in IdpProfile.
- Upgrade mozilla-django-oidc to version 0.3.2.
- Fix missing and conflicting migrations.
- Register IdpProfile in the admin interface.
- Upgrade cis version.
- Add missing migrations caused by pytz upgrade
- Maintain mozillians.org dependencies
- Update match with search in middleware regex.
- Add ExternalAccount export in the admin interface.
- [fix bug 1401212] Remove Mozilla Locamotion and Verbatim.
- Data migration to remove external accounts.
- Handle multiple auth0 user ids per profile.
The highlights are:
- Security improvements:
  - Users are now only able to use the primary email to log in
  - 2FA is required for a subset of mozillians.org
  - Users can now verify external accounts such as email, Google, GitHub and LDAP
- Getting closer to the IAM goal:
  - Profile data for mozillians.org is now pushed to Mozilla's authentication system
  - Various websites across Mozilla can now authenticate users in a unified way
That said, because of the nature of this release, some manual intervention was needed to fix various glitches in mozillians.org profiles.
Feel free to reach out if you encounter any issues or if you have any further questions about the IAM project.
Thanks to everyone who helped make this release happen!