Remove: deprecated native MFA feature #2717
Merged
Commits on Feb 8, 2024
-
Remove: deprecated native MFA feature
- Context about its deprecation: - This feature is under-utilized, and requires further maintenance for which our team lacks the resource. (For example, this feature is potentially vulnerable because a secure Content-Security-Policy cannot be applied to its pages without breaking them.) The feature has also been marked as "not ready for production" for a few years now. So we opt to remove the feature and instead recommend using the external IDPs's own MFA features. See more context in #2196. - This commit removes all MFA-specific codes, except for the following, on which we will make follow-up commits: - README's deprecation notice - database operations - Content-Security-Policy's exemption toward MFA endpoint (https://github.com/cloudfoundry/uaa/blob/72565fb56cd1f90af499119d32c891937f3c5a76/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java#L29) - breaking changes planning: cloudfoundry/uaa-release#739 - Further notes about specific changes in tests: - For PasscodeMockMvcTests.testLoginUsingPasscodeWithUnknownToken(), the assertion on response code is changed from 401 to 403. This is because 403 was the original asserted value before MFA was added (see: 92abee6). The 403 response also makes sense in the context of the test (authentication present but has insufficient access). [#186854489] -
clean up unused MFA-related DB tables
- the MFA feature has been removed, hence adding DB migrations to drop the feature's related DB tables. - also clean up README and tests [#186854489]
-
- the MFA feature has been removed (aka the "/login/mfa/" endpoint) hence the code that creates an exemption for the MFA endpoint when enforcing "Content-Security-Policy" is no longer needed [#186854489]
-
remove: out of date deprecation notice about MFA
- the MFA feature has been removed, so no longer need the deprecation notice [#186854489]
-
- the beans are for MFA feature, which has been removed [#186854489]
-
refactor: reduce unnecessary dependency
- use a more standard way to intialize a list, instead of using com.beust.jcommander.internal.Lists.newArrayList - motivation: this com.beust.jcommander.internal.Lists.newArrayList dep was added to our dependencies indirectly via another dependency I'm trying to remove [#186854489]
-
- these deps are for MFA feature (which has been removed) - also: before, the code was using org.apache.httpcomponents:httpclient but getting it indirectly via the MFA-related deps (which this commit aims to remove); hence, now need to directly declare org.apache.httpcomponents:httpclient as a dependency. [#186854489]
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.