Thomas Gerbet (tgerbet) 2018-02-23 16:12 In terms of reliability, Cloudflare supports the service and serves it through their CDN infrastructure. Responses provided by the API are marked as valid for a long time (max-age of 31 days set in the Cache-Control header) so most of the responses end up served directly by Cloudflare. That should at least cover the slowed down part. However, to not let my extremist side completely take over, we can consider that a password is acceptable if it is not found in the breach corpuses or if the API call ended up with an error or no response. Later on we could add a way for site administrators to enable the strict check (password rejected if found in the breach corpuses or if the API call has failed) with all the needed warnings in the UI.
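The acceptance policy from the comment above (accept when the password is not found or when the API call fails, with an optional strict mode that rejects on failure), as an added example that is not part of the thread or of Tuleap's code. It assumes the Pwned Passwords range endpoint (lookup by SHA-1 prefix); `Verdict`, `check_password`, `fetch` and the two fake transports are hypothetical names, and the responses are constructed so the demo runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, NamedTuple

class Verdict(NamedTuple):
    accepted: bool    # may the user keep this password?
    breached: bool    # hash suffix found in the API response
    api_failed: bool  # feed this to the site-administration warning

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(body: str, suffix: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return 0 when the suffix is absent."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password: str, fetch: Callable[[str], str],
                   strict: bool = False) -> Verdict:
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]  # only the prefix leaves the server
    try:
        count = breach_count(fetch(prefix), suffix)
    except (OSError, ValueError):  # timeout, HTTP error, malformed body
        # Default: fail open. Strict mode: fail closed.
        return Verdict(accepted=not strict, breached=False, api_failed=True)
    return Verdict(accepted=count == 0, breached=count > 0, api_failed=False)

def fetch_from_api(prefix: str) -> str:
    """Real transport (assumed endpoint); not called by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.read().decode("ascii")

def fake_fetch(prefix: str) -> str:
    """Constructed response listing the hash of the sample value 'password'."""
    digest = sha1_hex("password")
    lines = ["0" * 35 + ":2"]  # constructed filler entry
    if prefix == digest[:5]:
        lines.append(digest[5:] + ":1234")  # constructed count
    return "\r\n".join(lines)

def failing_fetch(prefix: str) -> str:
    raise TimeoutError("constructed timeout")
```

The `api_failed` flag is kept separate from `accepted` so that a fail-open acceptance can still surface the failure to the site administrator.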
Manuel Vacelet (vaceletm) 2018-02-23 14:27 "Unless I'm wrong in most of these cases the authentication/user management is mainly managed with an LDAP/ActiveDirectory server so it will only impact users that have been created manually. So the most common use case will never hit the feature and it will probably be enough to prevent us too much trouble." Ok. "Worst thing that can happen if the API is not accessible is that users won't be able to change their password or to register; existing administrative accounts would still be able to connect and solve the issue." Unless we have a solid track record of this 3rd party's reliability, I would not block those features if the API is slowed down or blocked.
Thomas Gerbet (tgerbet) 2018-02-23 12:10 Unless I'm wrong in most of these cases the authentication/user management is mainly managed with an LDAP/ActiveDirectory server so it will only impact users that have been created manually. So the most common use case will never hit the feature and it will probably be enough to prevent us too much trouble. That said, we might want to add in the AC that a warning message should be displayed in the site administration when accesses to the API fail (timeouts or unexpected HTTP error codes) to lead the site administrator directly where the feature can be disabled. I'm in favor of having this enabled by default because nobody is going through settings to enable this kind of thing after an installation and the default choice should be the safe/secure one. Also, while I can't back this guess with numbers, I think most of the Tuleap instances being installed have access to the internet. Worst thing that can happen if the API is not accessible is that users won't be able to change their password or to register; existing administrative accounts would still be able to connect and solve the issue.
Manuel Vacelet (vaceletm) 2018-02-23 10:17 I overlooked the tech details, sorry. You propose to enable it by default but how will we manage deployment in DMZ without internet access?
Thomas Gerbet (tgerbet) 2018-02-23 09:10 I put some details on how to do it in the "Technical info" field → A GET request to the Have I Been Pwned API with some basic processing. A specific lib is not really needed.
Manuel Vacelet (vaceletm) 2018-02-23 09:05 How do you foresee that? Is there any lib / tool that can be used?