
10 14 2024 Tech Team Report

qqmyers edited this page Oct 21, 2024 · 2 revisions

10-14-2024

Logged Tasks

Date | Task | Hours (Main) | Hours (EOLS) | Hours (PII) | Hours (QDAS)
7-Oct-2024 Reporting, dig into Keycloak DB, find/fix acr loa setting, test ~all scenarios, try level2 w social - decide it won't work, plan to use mfaStatus only 4
8-Oct-2024 Add isprivUser API call, start checking in Drupal to manage mfaStatus setting 4
9-Oct-2024 Test adding message during login if bad mfastatus, stop redirect, start adding to controller, coord re: login history needs to show email, update stage login_history report (structure/views) 3
10-Oct-2024 Finish controller, improve messaging on profile form, add logic on Dataverse side to show similar message with redirect to /me/edit, cleanup code, remove acr logic, fix OAuth2 tests, deploy via Jenkins to dev, update QDR solr/lib fixes PR per review 5
11-Oct-2024 Add feature flag to require MFA in Dataverse, deploy to dev/stage, create step-by-step deploy notes for prod, test, find/fix/create PR for minor bug in DataCiteXML login #10919, review Keycloak latest version changes 4

Operations

SSO

  • Found/fixed db entry causing all SSO to fail on the dev machine
  • Tried again to get both attribute- and ACR-triggered use of MFA to work together - seems to be possible for local accounts, but I could not find a way to handle it for social logins (using configuration options - probably possible with Keycloak code changes/plugins)
  • Switched to just using an attribute (mfastatus - true = LDAP description = "MFA User", false when description = "UP User"), finished adding the choice to the reg form, user profile, user edit form
  • Added a check to require MFA if the user is a Dataverse superuser or has an admin or curator role in Dataverse (not configurable, but could be). Created an API call in Dataverse that Drupal can call, allowing Drupal to show a warning that you'll need MFA to log in to Dataverse. Added similar internal logic/message in Dataverse itself.
  • Removed ACR-related logic from code and configs
  • Deployed changes (inc. Dataverse 6.4-qdr and Drupal updated) to stage, tracked list of config changes required to enable MFA
  • Read the release notes for the new Keycloak 26.0.x release - no critical security issues, updating/getting an update for the ORCID plugin remains the one known issue to updating from 24.0.5.

Drupal

  • Added email to the login_history report on dev/stage/prod per request (since username is no longer required to be the email)

Dataverse

  • Added feature flag to make the new check for user's role optional, updated OAuth2 tests to handle both flag on/off paths
  • Updated the Solr 9.6.1 PR/updated libs PR per reviewer request
  • Found/fixed/made a one-line PR for a minor issue in the updated DataCite XML - having a Software Name and no Version resulted in an entry with a "null" for the version.

HEAL

TKLabels

AnnoRep

Discussion

  • FWIW: I was surprised to hear the Chicago HEAL folks getting an overview of Dataverse/Harvard's services around data - it sounded like they might play an active role in buying storage/managing collections for HEAL researchers, versus just connecting and harvesting metadata/making data available in their platform. It wasn't clear if that's true or just Harvard's assumption.
  • FWIW: At this point, the MFA branch is also the v6.4 branch

Plans

  • Fix bugs/make updates based on testing feedback for MFA #43 (MFA, etc.)
  • Background work to change/remove deprecated Drupal modules in prep for 11.0.0
  • Fix Stata-14 ingest by allowing file inspection during direct upload or adjusting the Stata ingester.
  • Fix #113 if possible
  • Matomo - investigate event-level tracking via tag manager, remove non-working Google scripts
  • AnnoRep - explore round-trip, configure auto-start and log rotation
  • Ops
    • check missing globalidcreationdates and fix via /modifyRegistration or alternative
  • Dataverse
    • Make PR for guestbook adding datasetversion fix
    • Popup info accessibility - IQSS likes the recommendations from the source I linked to, so this can be implemented along those lines.
  • QDAS Previewer
    • Updates per request
    • Investigate writing aux file/previewing lower-sensitivity version and/or other write options
  • TBD: FRDR Security