GOCDB / gocdb

Grid Operations Configuration Management Database. A Repository, Portal and REST style API for managing Grid and Cloud topology objects including; projects, administrative domains, sites, services, service-endpoints, service-groups, downtimes, users, roles and business rules.
Apache License 2.0
12 stars 28 forks source link

Identity linking has a 'magic number' that limits account linking / recovery #329

Open gregcorbett opened 2 years ago

gregcorbett commented 2 years ago

See: https://github.com/GOCDB/gocdb/blob/dev/htdocs/web_portal/controllers/user/link_identity.php#L52

1 is a bit of a magic number here, I believe it limits the number of identities one can associate with an account. I.e. if a user user has both an EGI Check In identifier and a X.509 identifier associated, they wouldn't be able to associate an IRIS IAM account as well - because they'd trigger this if statement and get shown the user/link_identity_rejected.php page.

This check might be best reworked as a comparison to the length of $authTypes (on the assumption that a user can't have multiple identifiers of the same type - which I don't believe they can, and certainly the intention is they shouldn't be able to.) Or it might not be needed.

This may be best fixed as a hot fix so it can be pushed out quickly, or as part of 5.9.0 itself.

For testing, one would need a user with two identifiers associated with them and the ability to associate a third (i.e. using the preprod DB on an instance integrated with IRIS IAM)

gregcorbett commented 2 years ago

This magic number also prevents recovery of an account if you have maxed out your number of allowed identifiers. Given this, maybe we don't need the check.

gregcorbett commented 2 years ago

This magic number also prevents recovery of an account if you have maxed out your number of allowed identifiers. Given this, maybe we don't need the check.

i.e. If I have an X.509 cert and EGI CheckIn identifier associated with my account, I can't recover my account if my DN changes.

image