Phase 1: Implement 2FA Reset Workflow
## Objective
Implement the basic 2FA reset functionality that allows Developer-role users to reset two-factor authentication for GitLab users through a manual pipeline job, without requiring direct admin access.
## Scope
This issue focuses exclusively on the 2FA Reset Workflow as part of Phase 1 implementation.
## Tasks
### 1. Pipeline Configuration
- [ ] Create `.gitlab-ci.yml` with manual job for 2FA reset
- [ ] Configure job to run only on protected branches
- [ ] Add input parameter for target username
- [ ] Set up job to use protected and masked `ADMIN_TOKEN` variable
### 2. Python Script Implementation
- [ ] Create `scripts/reset_2fa.py`
- [ ] Implement GitLab API client initialization with admin token
- [ ] Add function to disable 2FA for specified user via API
- [ ] Include error handling for:
  - Invalid username (fails input validation before any API call)
  - User not found
  - API authentication failures (token rejected, or token is not an administrator token)
  - User already has 2FA disabled
- [ ] Add basic logging with timestamp and requester identity
### 3. Dependencies
- [ ] Create `requirements.txt` with necessary Python packages:
  - `python-gitlab` or `requests` for API calls
  - Any logging/notification libraries
### 4. Security Configuration
- [ ] Document how to set up `ADMIN_TOKEN` as a protected CI/CD variable (an administrator's personal access token with the `api` scope and an expiry date; the endpoint below is admin-only)
- [ ] Ensure token is marked as "Protected" (only injected into pipelines on protected branches/tags)
- [ ] Ensure token is marked as "Masked" (hidden in job logs; the value must meet GitLab's masking requirements, e.g. at least 8 characters on a single line)
- [ ] Configure main/master branch as protected, and review its "Allowed to merge" setting: whoever is allowed to merge to that branch can run the manual job and therefore act with the admin token, so that list is the real access-control boundary for this workflow
### 5. Testing & Validation
- [ ] Test with valid username
- [ ] Test with invalid username
- [ ] Test with user who doesn't have 2FA enabled
- [ ] Verify token is not exposed in job logs
- [ ] Verify that Developer-role users can trigger the job and that lower roles (Guest, Reporter) cannot
## Acceptance Criteria
- [ ] Developer-role users can trigger manual pipeline job
- [ ] Job accepts username as input parameter
- [ ] Script successfully disables 2FA via GitLab API
- [ ] Admin token remains secure and masked in logs
- [ ] Job logs show requester identity and timestamp
- [ ] Appropriate error messages for failure scenarios
- [ ] Job only runs on protected branches
## Technical Details
### GitLab API Endpoint
```
DELETE /users/:id/two_factor
```
This endpoint requires an administrator token and takes the numeric user ID, not the username, so the script first resolves the username with `GET /users?username=<name>` (exact match, returns a list) and then calls the endpoint above with the returned `id`. A 400 response means 2FA was not enabled for that user.
### Pipeline Job Structure
```yaml
stages:
  - admin_actions

# Pipeline-level variable: `description` is only valid here, and makes the
# field appear prefilled in the "Run pipeline" form.
variables:
  TARGET_USERNAME:
    description: "Username of the user to reset 2FA"
    value: ""

reset_2fa:
  stage: admin_actions
  rules:
    # Restrict to the default (protected) branch; ADMIN_TOKEN is a protected
    # variable, so it is only injected on protected refs regardless.
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  script:
    - python scripts/reset_2fa.py "$TARGET_USERNAME"
```
### Expected Output
- Success message with username and timestamp
- Requester identity taken from the predefined CI/CD variables `GITLAB_USER_LOGIN` and `GITLAB_USER_ID` (the user who started the manual job)
- Confirmation that 2FA has been disabled
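The following is an added example sketch of what `scripts/reset_2fa.py` (tasks in section 2 and the technical details above) could look like; it is not code from this project. It uses only the standard library instead of `python-gitlab`/`requests`, sends the token in the `PRIVATE-TOKEN` header, resolves the username to an ID via `GET /users?username=`, then calls `DELETE /users/:id/two_factor`, and maps the failure cases from the task list (invalid username, user not found, 401/403, already disabled) to distinct messages that never contain the token. The HTTP transport is injectable; `fake_transport` plus the sample users it serves are constructed stand-ins for offline testing, not a real GitLab instance, and `glpat-test` is a made-up token value. The username regex is an assumption for input validation, not GitLab's exact rule.

```python
import json, logging, os, re, sys
import urllib.error, urllib.parse, urllib.request
from datetime import datetime, timezone

log = logging.getLogger("reset_2fa")
# Conservative username shape for input validation; an assumption, not GitLab's exact rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")

class ResetError(Exception):
    """Any failure the job reports; messages never carry the token."""

def _urllib_transport(method, url, token):
    # Real HTTP transport: one request authenticated with the admin token in PRIVATE-TOKEN.
    req = urllib.request.Request(url, method=method, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON body
        status, body = err.code, err.read()
    return status, (json.loads(body) if body else None)

class GitLabAdmin:
    def __init__(self, base_url, token, transport=_urllib_transport):
        if not token:
            raise ResetError("ADMIN_TOKEN is empty (protected variables reach protected refs only)")
        self._api = base_url.rstrip("/") + "/api/v4"
        self._token, self._transport = token, transport  # transport is injectable for offline tests

    def _call(self, method, path, **query):
        url = self._api + path + ("?" + urllib.parse.urlencode(query) if query else "")
        status, payload = self._transport(method, url, self._token)
        if status in (401, 403):
            raise ResetError(f"API authentication failed ({status}): ADMIN_TOKEN rejected or not an admin token")
        return status, payload

    def find_user(self, username):
        # GET /users?username=<name> is an exact match but always answers with a list.
        status, users = self._call("GET", "/users", username=username)
        if status != 200 or not users:
            raise ResetError(f"User not found: {username}")
        return users[0]

    def disable_2fa(self, user_id):
        # DELETE /users/:id/two_factor answers 204 on success and 400 when 2FA is not enabled.
        status, _ = self._call("DELETE", f"/users/{user_id}/two_factor")
        if status == 400:
            raise ResetError("User already has 2FA disabled")
        if status != 204:
            raise ResetError(f"Unexpected API response {status} from two_factor endpoint")

def reset_2fa(username, client, requester="unknown"):
    """Validate, resolve and disable 2FA; returns an audit record or raises ResetError."""
    if not username or not USERNAME_RE.match(username):
        raise ResetError(f"Invalid username: {username!r}")
    user = client.find_user(username)
    if user.get("two_factor_enabled") is False:  # cheap pre-check; the API's 400 is the backstop
        raise ResetError(f"User {username} already has 2FA disabled")
    client.disable_2fa(user["id"])
    record = {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"), "requester": requester,
              "target_username": username, "target_user_id": user["id"], "result": "2fa_disabled"}
    log.info("%s", json.dumps(record))
    return record

def fake_transport(users, good_token="glpat-test"):
    """Constructed offline stand-in for _urllib_transport; `users` is sample data, not a real instance."""
    by_name = {u["username"]: u for u in users}
    def transport(method, url, token):
        path, _, query = url.partition("?")
        if token != good_token:
            return 401, {"message": "401 Unauthorized"}
        if method == "GET" and path.endswith("/users"):
            wanted = urllib.parse.parse_qs(query).get("username", [""])[0]
            return 200, ([by_name[wanted]] if wanted in by_name else [])
        if method == "DELETE" and path.endswith("/two_factor"):
            uid = int(path.rsplit("/", 2)[-2])
            hit = next((u for u in by_name.values() if u["id"] == uid), None)
            if hit and hit.get("two_factor_enabled"):
                hit["two_factor_enabled"] = False
                return 204, None
            if hit:
                return 400, {"message": "400 Bad Request"}
        return 404, {"message": "404 Not Found"}
    return transport

def main(argv):
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    # GITLAB_USER_LOGIN / GITLAB_USER_ID are predefined CI variables naming who started the job.
    requester = f"{os.environ.get('GITLAB_USER_LOGIN', '?')} (id {os.environ.get('GITLAB_USER_ID', '?')})"
    try:
        client = GitLabAdmin(os.environ.get("CI_SERVER_URL", ""), os.environ.get("ADMIN_TOKEN", ""))
        reset_2fa(argv[1] if len(argv) > 1 else "", client, requester)
        return 0
    except ResetError as err:
        log.error("%s", err)
        return 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline the script is invoked as `python scripts/reset_2fa.py "$TARGET_USERNAME"` and exits non-zero on every failure path, so the job itself goes red and the audit record (requester, target, timestamp) is the last log line on success. Because `ADMIN_TOKEN` is masked only when it appears verbatim, the error messages deliberately describe the failure without echoing any header or request body.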
## Documentation Needed
- [ ] README with setup instructions
- [ ] How to configure admin token variable
- [ ] How to trigger the pipeline job
- [ ] Expected behavior and error messages
## Related
Parent issue: #1