
As a super user, I would like my access to the admin dashboard protected by two-factor authentication #517

Closed

Comments


alexsoble commented Jan 6, 2021

Description:

From the RFQ:

The software must have multi-factor authentication for the grantees and PIV authorization for the OFA staff and key personnel. The Login.gov system has already been procured to fulfill this requirement.

https://github.com/18F/tdrs-app-rfq/blob/main/Final-RFQ/FINAL-TDRS-software-development-RFQ.md#32-quality-assurance-surveillance-plan-qasp

Notes:

  • This could be accomplished by putting the Django Admin page behind the same Login.gov two-factor flow as the rest of the app. Alternatively, the app could have separate authentication flows for the frontend app and the Django Admin page, both with separate two factor authentication implementation.

Acceptance Criteria:

  • Django Admin page protected by two factor authentication
  • Leverage login.gov MFA for authentication to the admin site
  • Only users with staff can open the admin console
  • Only users with superuser can read/update data in the admin console
  • The Admin login page redirects to login.gov

Tasks:

  • Add BE login url to the settings
  • Force authentication to the admin login page (which will redirect it to the correct login)
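The acceptance criteria and the two tasks above describe one access rule for the admin console; the following is an added example (not TDRS project code) that encodes that rule as a plain policy function and shows the Django wiring the second task refers to. It assumes `LOGIN_URL` is the backend route that redirects to Login.gov, and the Django objects are injected so the example runs without Django installed.

```python
"""Added example: enforce the admin-console acceptance criteria from this issue.

Hypothetical helpers, not the TDRS project's own code. Assumes a Django
project whose LOGIN_URL setting points at the backend Login.gov redirect.
"""
from dataclasses import dataclass

# Constructed value standing in for settings.LOGIN_URL (the "BE login url"
# task above); its view is what hands the browser off to login.gov.
LOGIN_URL = "/v1/login/"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class User:
    """Minimal stand-in for request.user with the flags the criteria use."""
    is_authenticated: bool
    is_staff: bool = False
    is_superuser: bool = False


def admin_decision(user: User, method: str, path: str = "/admin/") -> str:
    """Map one request onto the acceptance criteria.

    Returns "redirect:<LOGIN_URL>?next=<path>" for anonymous users (the admin
    login page must hand off to Login.gov, never show its own password form),
    "forbid" for authenticated users lacking the needed flag, else "allow".
    """
    if not user.is_authenticated:
        return f"redirect:{LOGIN_URL}?next={path}"
    if not user.is_staff:
        return "forbid"  # only staff may open the console at all
    if method.upper() not in SAFE_METHODS and not user.is_superuser:
        return "forbid"  # only superusers may create/update/delete data
    return "allow"


def protect_admin_login(admin_site, login_required):
    """Django idiom for the second task: wrap admin.site.login in
    login_required so an unauthenticated hit on /admin/login/ redirects to
    LOGIN_URL instead of rendering Django's username/password form.

    In a real urls.py pass django.contrib.admin.site and
    django.contrib.auth.decorators.login_required; they are parameters here
    so the function can be exercised without Django present.
    """
    admin_site.login = login_required(admin_site.login)
    return admin_site
```

The "evil user stories" requested later in this thread map directly onto the inputs of `admin_decision`: an anonymous user, an authenticated non-staff user, and a staff user attempting a write.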
alexsoble (Author) commented:

I did a little research into our options here -- I think putting the Django admin dashboard behind the same Login.gov flow as the rest of the app would be a good strategy for a few reasons:

  1. Using Login.gov for Django Admin would allow use of PIV cards to authenticate.
  2. Using PIV cards would give us an AAL3 assurance level for the entire app. If we don't use Login for the Django Admin dashboard, we'll have part of the app protected at AAL3 and part of the app protected at AAL2.
  3. If we don't use Login for the Django Admin dashboard, we'll have to maintain and secure two separate auth systems.

@carltonsmith As reference points for implementation:

carltonsmith commented:

Thanks, I'll check out the articles and let you know what I think

carltonsmith commented:

Since we've determined the admin is using the login.gov authentication, I am updating the ACs accordingly. Please revise if needed @lfrohlich @alexsoble

carltonsmith mentioned this issue Jan 14, 2021
alexsoble (Author) commented:

Thanks for updating those ACs @carltonsmith! They look good to me but I'd ask -- could we frame some of them as evil user stories, so that we can more explicitly spell out what an evil user might try to do and how we can verify that they can't do it?

lfrohlich (Collaborator) commented:

Per @alexsoble's review, I'm pushing this back to "in progress" for tests to be added
