Merge branch 'rs-ldap-2fa' into 'master'

Enable 2FA for LDAP logins See merge request !395

Merge branch 'rs-ldap-2fa' into 'master'
Enable 2FA for LDAP logins See merge request !395
21b10d61 · Dmitriy Zaporozhets · c3427745 · 0ad9fc60 · 21b10d61 · 21b10d61
Commit 21b10d61 authored May 14, 2015 by Dmitriy Zaporozhets
5 changed files
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
 v 7.11.0
  - Skip git hooks commit validation when pushing new tag.
+  - Add Two-factor authentication (2FA) for LDAP logins
 v 7.10.1
  - Check if comment exists in Jira before sending a reference

--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
+# == AuthenticatesWithTwoFactor
+#
+# Controller concern to handle two-factor authentication
+#
+# Upon inclusion, skips `require_no_authentication` on `:create`.
+module AuthenticatesWithTwoFactor
+  extend ActiveSupport::Concern
+  included do
+    # This action comes from DeviseController, but because we call `sign_in`
+    # manually, not skipping this action would cause a "You are already signed
+    # in." error message to be shown upon successful login.
+    skip_before_action :require_no_authentication, only: [:create]
+  end
+  # Store the user's ID in the session for later retrieval and render the
+  # two factor code prompt
+  #
+  # The user must have been authenticated with a valid login and password
+  # before calling this method!
+  #
+  # user - User record
+  #
+  # Returns nil
+  def prompt_for_two_factor(user)
+    session[:otp_user_id] = user.id
+    render 'devise/sessions/two_factor' and return
+  end
+end
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  include AuthenticatesWithTwoFactor
  protect_from_forgery except: :kerberos
  Gitlab.config.omniauth.providers.each do |provider|
    define_method provider['name'] do
      handle_omniauth
@@ -26,7 +29,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    # Do additional LDAP checks for the user filter and EE features
    if @user.allowed?
+      if @user.otp_required_for_login?
+        prompt_for_two_factor(gl_user)
+      else
        sign_in_and_redirect(gl_user)
+      end
    else
      flash[:alert] = "Access denied for your LDAP account."
      redirect_to new_user_session_path

--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -26,7 +26,6 @@
              %span You don`t have one yet. Click generate to fix it.
              = f.submit 'Generate', class: "btn success btn-build-token"
-  - unless current_user.ldap_user?
  %fieldset
    - if current_user.otp_required_for_login
      %legend.text-success

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -24,7 +24,9 @@ module Gitlab
        update_user_attributes
      end
-      # instance methods
+      delegate :otp_required_for_login?, :otp_backup_codes, :otp_attempt,
+        to: :gl_user
      def gl_user
        @gl_user ||= find_by_uid_and_provider || find_by_email || build_new_user
      end