Skip to content

Remove waffle flag '2fa-enforcement-for-developers-and-special-users' #24018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Remove waffle flag '2fa-enforcement-for-developers-and-special-users' #24018

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
91a19a3
Remove waffle flag '2fa-enforcement-for-developers-and-special-users'
wagnerand-moz Oct 14, 2025
e30a640
Fix tests
wagnerand-moz Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions docs/topics/development/waffle.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,6 @@ over flags in most cases as switches are:

Flags can be used if you want to do a gradual rollout a feature over time or to a subset of users.

We have a flag `2fa-enforcement-for-developers-and-special-users` in production now.

## Creating/Deleting a switch

Switches are added via database migrations.
Expand Down
8 changes: 1 addition & 7 deletions src/olympia/accounts/decorators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
import functools

import waffle

import olympia.core.logger
from olympia.accounts.utils import redirect_for_login_with_2fa_enforced

Expand All @@ -15,11 +13,7 @@ def two_factor_auth_required(f):

@functools.wraps(f)
def wrapper(request, *args, **kw):
if not request.session.get(
'has_two_factor_authentication'
) and waffle.flag_is_active(
request, '2fa-enforcement-for-developers-and-special-users'
):
if not request.session.get('has_two_factor_authentication'):
# Note: Technically the user might not be logged in or not, it does
# not matter, if they are they need to go through FxA again anyway.
login_hint = request.user.email if request.user.is_authenticated else None
Expand Down
10 changes: 0 additions & 10 deletions src/olympia/accounts/tests/test_decorators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ def setUp(self):
self.request = RequestFactory().get('/')
self.request.session = {}
self.request.user = AnonymousUser()
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def test_has_two_factor_auth(self):
self.request.session['has_two_factor_authentication'] = True
Expand All @@ -36,15 +35,6 @@ def test_does_not_have_two_factor_auth_yet(self):
)['location']
self.assert3xx(response, expected_redirect_url)

def test_does_not_have_two_factor_auth_yet_but_waffle_is_off(self):
self.create_flag(
'2fa-enforcement-for-developers-and-special-users', everyone=False
)
func = two_factor_auth_required(self.f) # Does nothing
response = func(self.request)
assert self.f.call_count == 1
assert response == 'FakeResponse'

def test_does_not_have_two_factor_auth_yet_anonymous(self):
func = two_factor_auth_required(self.f)
response = func(self.request)
Expand Down
41 changes: 2 additions & 39 deletions src/olympia/accounts/tests/test_views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -338,6 +338,8 @@ def setUp(self):
self.find_user = self.patch('olympia.accounts.views.find_user')
self.request = mock.MagicMock()
self.user = AnonymousUser()
self.user.is_addon_developer = False
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the code needs a real user we may as well use user_factory to create one rather than AnonymousUser

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can do that. I didn't want to make large changes to this test as I don't understand what exactly it is testing and more change tends to lead to more breaking.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eviljeff I think I'd need some more guidance here. I am not sure how I can use user_factory here (without rewriting the entire test class I guess?) when user properties like id and email are set per individual test, e.g. identity = identity or {'uid': '1234', 'email': '[email protected]'}.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you'd change it to something like identity = {'uid': self.user.fxa_id, 'email': self.user.email} when it was supposed to be correct. But I'm having difficulties with switching it out for user_factory() - it seems to be redirecting to login instead (and so breaking all the tests) which is weird. It's probably just bad tests but I'm going to play around with it some more to confirm to myself there's not something actually broken.

self.user.groups_list = []
self.request.user = self.user
self.request.session = {'fxa_state': 'some-blob'}

Expand Down Expand Up @@ -600,7 +602,6 @@ def _test_should_continue_without_redirect_for_two_factor_auth(
}

def test_addon_developer_should_redirect_for_two_factor_auth(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
# They have developed a theme, but also an extension, so they will need
# 2FA.
Expand All @@ -609,37 +610,17 @@ def test_addon_developer_should_redirect_for_two_factor_auth(self):
self._test_should_redirect_for_two_factor_auth()

def test_special_user_should_redirect_for_two_factor_auth(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
# User isn't a developer but is part of a group.
self.grant_permission(self.user, 'Some:Thing')
self._test_should_redirect_for_two_factor_auth()

def test_user_should_redirect_for_two_factor_auth_flag_user_specific(self):
self.user = user_factory()
flag = self.create_flag(
'2fa-enforcement-for-developers-and-special-users', everyone=False
)
flag.users.add(self.user)
# User isn't a developer but is part of a group.
self.grant_permission(self.user, 'Some:Thing')
# The flag is enabled for that user.
self._test_should_redirect_for_two_factor_auth()

# Others should be unaffected as the flag is only set for a specific
# user.
self.user = user_factory()
self.grant_permission(self.user, 'Some:Thing')
self._test_should_continue_without_redirect_for_two_factor_auth()

def test_theme_developer_should_not_redirect_for_two_factor_auth(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
addon_factory(users=[self.user], type=amo.ADDON_STATICTHEME)
self._test_should_continue_without_redirect_for_two_factor_auth()

def test_addon_developer_already_using_two_factor_should_continue(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
addon_factory(users=[self.user])
identity = {
Expand All @@ -652,7 +633,6 @@ def test_addon_developer_already_using_two_factor_should_continue(self):
)

def test_2fa_enforced_already_using_two_factor_should_continue(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
identity = {
'uid': '1234',
Expand All @@ -668,27 +648,10 @@ def test_2fa_enforced_already_using_two_factor_should_continue(self):
assert 'enforce_2fa' not in self.request.session

def test_2fa_enforced_on_this_view_should_redirect_for_two_factor_auth(self):
self.create_flag('2fa-enforcement-for-developers-and-special-users')
self.user = user_factory()
self.request.session['enforce_2fa'] = True
self._test_should_redirect_for_two_factor_auth()

def test_waffle_flag_off_developer_without_2fa_should_continue(self):
self.create_flag(
'2fa-enforcement-for-developers-and-special-users', everyone=False
)
self.user = user_factory()
addon_factory(users=[self.user])
self._test_should_continue_without_redirect_for_two_factor_auth()

def test_waffle_flag_off_enforced_2fa_should_have_no_effect(self):
self.create_flag(
'2fa-enforcement-for-developers-and-special-users', everyone=False
)
self.user = user_factory()
self.request.session['enforce_2fa'] = True
self._test_should_continue_without_redirect_for_two_factor_auth()

@override_settings(FXA_CONFIG={'default': {'client_id': ''}})
def test_fake_fxa_auth(self):
self.user = user_factory()
Expand Down
11 changes: 0 additions & 11 deletions src/olympia/accounts/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@

import jwt
import requests
import waffle
from corsheaders.conf import conf as corsheaders_conf
from corsheaders.middleware import (
ACCESS_CONTROL_ALLOW_CREDENTIALS,
Expand Down Expand Up @@ -294,19 +293,9 @@ def inner(self, request):
extra={'sensitive': True},
)
user = find_user(identity)
# We can't use waffle.flag_is_active() wrapper, because
# request.user isn't populated at this point (and we don't want
# it to be).
enforce_2fa_flag = waffle.get_waffle_flag_model().get(
'2fa-enforcement-for-developers-and-special-users'
)
enforce_2fa_flag_is_active = enforce_2fa_flag.is_active(request) or (
enforce_2fa_flag.pk and enforce_2fa_flag.is_active_for_user(user)
)
if (
user
and not identity.get('twoFactorAuthentication')
and enforce_2fa_flag_is_active
and (
user.is_addon_developer
or user.groups_list
Expand Down
15 changes: 1 addition & 14 deletions src/olympia/devhub/tests/test_views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -916,7 +916,6 @@ def setUp(self):
self.client.force_login_with_2fa(UserProfile.objects.get(email='[email protected]'))
self.user = UserProfile.objects.get(email='[email protected]')
self.user.update(last_login_ip='192.168.1.1')
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def _submit_actions(self, doc):
return doc('form[name=api-credentials-form] button[type=submit][name=action]')
Expand Down Expand Up @@ -1283,7 +1282,6 @@ def setUp(self):
self.client.force_login(self.user)
self.url = reverse('devhub.upload')
self.xpi_path = self.file_path('webextension_no_id.xpi')
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def post(self, theme_specific=False, **kwargs):
data = {
Expand Down Expand Up @@ -1452,17 +1450,6 @@ def test_upload_extension_without_2fa(self):
}
}

def test_upload_extension_without_2fa_waffle_is_off(self):
self.create_flag(
'2fa-enforcement-for-developers-and-special-users', everyone=False
)
self.url = reverse('devhub.upload')
response = self.post()
upload = FileUpload.objects.get()
assert upload.channel == amo.CHANNEL_LISTED
url = reverse('devhub.upload_detail', args=[upload.uuid.hex, 'json'])
self.assert3xx(response, url)

def test_upload_theme_without_2fa(self):
self.xpi_path = os.path.join(
settings.ROOT, 'src/olympia/devhub/tests/addons/static_theme.zip'
Expand Down Expand Up @@ -2064,7 +2051,7 @@ def test_doc_urls(self):
assert '/en-US/developers/docs/te' == reverse('devhub.docs', args=['te'])
assert '/en-US/developers/docs/te/st', reverse('devhub.docs', args=['te/st'])

self.client.force_login(user_factory(read_dev_agreement=None))
self.client.force_login_with_2fa(user_factory(read_dev_agreement=None))
response = self.client.get(reverse('devhub.submit.agreement'))
doc = pq(response.content)

Expand Down
4 changes: 0 additions & 4 deletions src/olympia/devhub/tests/test_views_submit.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,6 @@ def setUp(self):
self.client.force_login_with_2fa(self.user)
self.user.update(last_login_ip='192.0.2.1')
self.addon = self.get_addon()
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def get_addon(self):
return Addon.objects.get(pk=3615)
Expand Down Expand Up @@ -407,7 +406,6 @@ def setUp(self):
self.client.force_login_with_2fa(self.user)
self.user.update(last_login_ip='192.0.2.1')
self.url = reverse('devhub.submit.distribution')
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def test_check_agreement_okay(self):
response = self.client.post(reverse('devhub.submit.agreement'))
Expand Down Expand Up @@ -523,7 +521,6 @@ def setUp(self):
self.user.update(last_login_ip='192.0.2.1')
self.upload = self.get_upload('webextension_no_id.xpi', user=self.user)
self.statsd_incr_mock = self.patch('olympia.devhub.views.statsd.incr')
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def post(
self,
Expand Down Expand Up @@ -2235,7 +2232,6 @@ def setUp(self):
self.version.save()
self.upload = self.get_upload('webextension.xpi', user=self.user)
self.statsd_incr_mock = self.patch('olympia.devhub.views.statsd.incr')
self.create_flag('2fa-enforcement-for-developers-and-special-users')

def post(
self,
Expand Down
3 changes: 0 additions & 3 deletions src/olympia/devhub/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -621,9 +621,6 @@ def upload(request, channel='listed', addon=None, is_standalone=False):
not theme_specific
and not is_standalone
and not request.session.get('has_two_factor_authentication')
and waffle.flag_is_active(
request, '2fa-enforcement-for-developers-and-special-users'
)
):
# This shouldn't happen: it means the user attempted to use the add-on
# submission flow that is behind @two_factor_auth_required decorator
Expand Down
Loading