Merge branch '35102-prevent-2FA-being-enabled-if-email-unverified' into 'master'

Require verified email to enable 2FA See merge request gitlab-org/gitlab!69593

Merge branch '35102-prevent-2FA-being-enabled-if-email-unverified' into 'master'
Require verified email to enable 2FA See merge request gitlab-org/gitlab!69593
89d68830 · Andy Soiron · 920ae4d2 · 5e365148 · 89d68830 · 89d68830
Commit 89d68830 authored Sep 07, 2021 by Andy Soiron
4 changed files
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -2,6 +2,7 @@

 class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
  skip_before_action :check_two_factor_requirement
+  before_action :ensure_verified_primary_email, only: [:show, :create]
  before_action do
    push_frontend_feature_flag(:webauthn)
  end
@@ -218,4 +219,12 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
    s_(%{The group settings for %{group_links} require you to enable Two-Factor Authentication for your account. You can %{leave_group_links}.})
        .html_safe % { group_links: group_links.html_safe, leave_group_links: leave_group_links.html_safe }
  end
+
+  def ensure_verified_primary_email
+    return unless Feature.enabled?(:ensure_verified_primary_email_for_2fa)
+
+    unless current_user.two_factor_enabled? || current_user.primary_email_verified?
+      redirect_to profile_emails_path, notice: s_('You need to verify your primary email first before enabling Two-Factor Authentication.')
+    end
+  end
 end
--- a/config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml
+++ b/config/feature_flags/development/ensure_verified_primary_email_for_2fa.yml
+---
+name: ensure_verified_primary_email_for_2fa
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69593
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/340151
+milestone: '14.3'
+type: development
+group: group::access
+default_enabled: false
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38567,6 +38567,9 @@ msgstr ""
 msgid "You need to upload a GitLab project export archive (ending in .gz)."
 msgstr ""

+msgid "You need to verify your primary email first before enabling Two-Factor Authentication."
+msgstr ""
+
 msgid "You successfully declined the invitation"
 msgstr ""


--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -10,8 +10,33 @@ RSpec.describe Profiles::TwoFactorAuthsController do
    allow(subject).to receive(:current_user).and_return(user)
  end

+  shared_examples 'user must first verify their primary email address' do
+    before do
+      allow(user).to receive(:primary_email_verified?).and_return(false)
+    end
+
+    it 'redirects to profile_emails_path' do
+      go
+
+      expect(response).to redirect_to(profile_emails_path)
+    end
+
+    it 'displays a notice' do
+      go
+
+      expect(flash[:notice])
+        .to eq _('You need to verify your primary email first before enabling Two-Factor Authentication.')
+    end
+
+    it 'does not redirect when the `ensure_verified_primary_email_for_2fa` feature flag is disabled' do
+      stub_feature_flags(ensure_verified_primary_email_for_2fa: false)
+
+      expect(response).not_to redirect_to(profile_emails_path)
+    end
+  end
+
  describe 'GET show' do
-    let(:user) { create(:user) }
+    let_it_be_with_reload(:user) { create(:user) }

    it 'generates otp_secret for user' do
      expect(User).to receive(:generate_otp_secret).with(32).and_call_original.once
@@ -34,11 +59,16 @@ RSpec.describe Profiles::TwoFactorAuthsController do
        get :show
      end
    end
+
+    it_behaves_like 'user must first verify their primary email address' do
+      let(:go) { get :show }
+    end
  end

  describe 'POST create' do
-    let(:user) { create(:user) }
-    let(:pin)  { 'pin-code' }
+    let_it_be_with_reload(:user) { create(:user) }
+
+    let(:pin) { 'pin-code' }

    def go
      post :create, params: { pin_code: pin }
@@ -105,10 +135,12 @@ RSpec.describe Profiles::TwoFactorAuthsController do
        expect(response).to render_template(:show)
      end
    end
+
+    it_behaves_like 'user must first verify their primary email address'
  end

  describe 'POST codes' do
-    let(:user) { create(:user, :two_factor) }
+    let_it_be_with_reload(:user) { create(:user, :two_factor) }

    it 'presents plaintext codes for the user to save' do
      expect(user).to receive(:generate_otp_backup_codes!).and_return(%w(a b c))
@@ -135,7 +167,7 @@ RSpec.describe Profiles::TwoFactorAuthsController do
    subject { delete :destroy }

    context 'for a user that has 2FA enabled' do
-      let(:user) { create(:user, :two_factor) }
+      let_it_be_with_reload(:user) { create(:user, :two_factor) }

      it 'disables two factor' do
        subject
@@ -158,7 +190,7 @@ RSpec.describe Profiles::TwoFactorAuthsController do
    end

    context 'for a user that does not have 2FA enabled' do
-      let(:user) { create(:user) }
+      let_it_be_with_reload(:user) { create(:user) }

      it 'redirects to profile_account_path' do
        subject