2020-06-05 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

15 min | JIRA setup | -

We discussed the SECURITY project that was set up and the Security Level field that can be used to limit who can view any given issue. The security team has been set up as a group in JIRA and has been added to the list of JIRA users who can set the Security Level on issues. Open questions that Mike Gorrell will investigate:

  1. Can the SECURITY project be configured so that new issues automatically get the Security Level "FOLIO Security Group"?
  2. Some issues show the Security Level field but others don't. Investigate; it could depend on issue type (Epic vs Story vs Task vs Bug).
  3. Clarify and/or propose how we set a security level that allows access only to those who need to know (i.e. the specific developers who might work on an issue).
30 min | MODLOGIN-128 and MODLOGIN-129 | Craig McNally and team

Craig summarized in our Slack channel:

Originally posted to #core-platform. I wanted to keep you guys in the loop too. Let me know if you have any reservations/thoughts/questions.

Guys, Zak and I have done a bunch of digging related to two login security issues recently raised. Here's our summary of the work to be done. We have created several tickets - it looks like a lot of work but most of this should be pretty straightforward. Please provide your thoughts on the proposed changes as well as what we should try to get into the Q2 release.

Remove the ability to retrieve user credentials (hash/salt):
MODLOGIN-128 (via GET /authn/credentials and GET /authn/credentials/<id>)
Blocked by:

  1. MODUSERBL-97 (via several endpoints w/ ?includes=credentials)
  2. UIU-1671, do not create credentials record when adding username, blocked on MODLOGIN-131
  3. UIU-1672, if username is present, display “send reset password” link

NOTE: Breaking changes in both mod-login and mod-users-bl.

Password-less user / placeholder credentials record:
MODLOGIN-129
Depends on:

  • MODLOGIN-131 - the reset-password endpoint bl-users/password-reset/reset throws a 500 if a credentials record doesn’t exist already. This is actually caused by a bug in mod-login's POST /authn/password/repeatable endpoint that results in an NPE if no credentials record is found.

NOTE: We might want to provide a script to be run before performing an upgrade that cleans up these "placeholder" credential records, e.g. via API: list all credentials, for each generate a hash using the salt and "". If that matches the hash make another call to remove the credentials.

Additional mod-login cleanup:

  • MODLOGIN-132 POST /authn/credentials: Returns id, userId, hash, salt. Change to return a 201 w/ empty body
  • MODLOGIN-133 PUT /authn/credentials/<id>: bypasses password strength verification and should be removed. Note this endpoint is rendered useless by MODLOGIN-132 and MODLOGIN-128 since the credentials record id will never be returned to the client once these stories are complete.
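The pre-upgrade cleanup sketched in Craig's second NOTE, worked through as an added example for these notes (it is not mod-login's code and not a script from Craig's team). It lists credential records, hashes the empty password "" under each record's salt, and selects a record for deletion only when that hash matches the stored one; it is a dry run unless apply=True. Everything marked ASSUMED in the code is an assumption, not something the notes state: the KDF (PBKDF2-HMAC-SHA1, 1000 iterations, 20-byte key, hex salt decoded to bytes, hex output), the {"credentials": [...], "totalRecords": n} response shape and limit/offset paging of GET /authn/credentials, and DELETE /authn/credentials/{id} for removal. The X-Okapi-Tenant and X-Okapi-Token headers are Okapi's real request headers. Because the script depends on GET /authn/credentials, it has to run before the upgrade that removes that endpoint (MODLOGIN-128); if the KDF guess is wrong, nothing matches and nothing is deleted. The sample records are constructed for the example.

```python
"""Pre-upgrade cleanup of "placeholder" credential records in mod-login.

Added example for these meeting notes, not mod-login's code or Craig's script.
Logic follows the NOTE above: list all credentials, hash "" with each record's
salt, and delete the record only when that hash matches the stored one.
Everything marked ASSUMED must be checked against the deployed mod-login.
"""
import hashlib
import hmac
import json
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List

HashFn = Callable[[str, str], str]


def pbkdf2_hex(password: str, salt_hex: str) -> str:
    """ASSUMED KDF: PBKDF2-HMAC-SHA1, 1000 iterations, 20-byte key, salt given
    as hex and decoded to bytes, hex output. If mod-login differs, pass your
    own hash_fn; a wrong guess matches nothing and therefore deletes nothing."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), 1000, 20)
    return dk.hex()


def is_placeholder(record: Dict, hash_fn: HashFn = pbkdf2_hex) -> bool:
    """True only when the stored hash verifies the empty password ""."""
    try:
        candidate = hash_fn("", record["salt"])
        # Constant-time comparison: the stored value is a password hash.
        return hmac.compare_digest(candidate, str(record["hash"]))
    except (KeyError, ValueError, TypeError):
        return False  # malformed record: never treat it as deletable


def select_placeholders(records: Iterable[Dict],
                        hash_fn: HashFn = pbkdf2_hex) -> List[str]:
    """IDs of every record whose hash is the hash of ""."""
    return [r["id"] for r in records if is_placeholder(r, hash_fn)]


def okapi_request(okapi_url: str, tenant: str, token: str, method: str, path: str):
    """Minimal Okapi call; X-Okapi-Tenant / X-Okapi-Token are Okapi's headers."""
    req = urllib.request.Request(okapi_url.rstrip("/") + path, method=method)
    req.add_header("X-Okapi-Tenant", tenant)
    req.add_header("X-Okapi-Token", token)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def list_credentials(okapi_url: str, tenant: str, token: str,
                     page: int = 100) -> Iterator[Dict]:
    """Page through GET /authn/credentials (the endpoint MODLOGIN-128 removes,
    so this must run before that upgrade). ASSUMED: limit/offset paging and a
    {"credentials": [...], "totalRecords": n} response body."""
    offset = 0
    while True:
        body = okapi_request(okapi_url, tenant, token, "GET",
                             f"/authn/credentials?limit={page}&offset={offset}")
        recs = body.get("credentials", [])
        yield from recs
        offset += len(recs)
        if not recs or offset >= body.get("totalRecords", 0):
            return


def cleanup(okapi_url: str, tenant: str, token: str, apply: bool = False,
            hash_fn: HashFn = pbkdf2_hex) -> List[str]:
    """Dry run by default; apply=True issues DELETE /authn/credentials/{id} (ASSUMED)."""
    ids = select_placeholders(list_credentials(okapi_url, tenant, token), hash_fn)
    for cid in ids:
        if apply:
            okapi_request(okapi_url, tenant, token, "DELETE", f"/authn/credentials/{cid}")
        print(("deleted " if apply else "would delete ") + cid)
    return ids


def sample_records() -> List[Dict]:
    """Constructed test data, not real FOLIO records: one placeholder record,
    one with a real password, one with a malformed salt."""
    salt = "00112233445566778899aabbccddeeff00112233"
    return [
        {"id": "00000000-0000-0000-0000-000000000001", "userId": "u1",
         "salt": salt, "hash": pbkdf2_hex("", salt)},
        {"id": "00000000-0000-0000-0000-000000000002", "userId": "u2",
         "salt": salt, "hash": pbkdf2_hex("correct horse battery staple", salt)},
        {"id": "00000000-0000-0000-0000-000000000003", "userId": "u3",
         "salt": "not-hex", "hash": "deadbeef"},
    ]
```

Call cleanup(okapi_url, tenant, token) first and read the "would delete" list against the Okapi instance before re-running with apply=True; select_placeholders(sample_records()) shows the decision logic offline and returns only the first constructed record's id. The malformed third record is deliberately kept, since a record the script cannot verify must not be deleted on a guess.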

We discussed impact and effort and agreed to press for this to be addressed in the current release (Goldenrod). Fixing these P2 issues will cause some disruption, but landing them in a quarterly release gives the fixes the scrutiny and testing that accompany that release, which is better than shipping a hot fix after Goldenrod.

2 min | Review Security Issues | Team

Agreed to commit to reviewing the security issues returned by the JQL search labels = security AND status not in (Closed) ORDER BY priority DESC before our next meeting on June 19th.

Action items

  •