Commit bc801c22 authored by Imre Farkas's avatar Imre Farkas

Merge branch '232671-default-enable-webauthn' into 'master'

Default enable webauthn feature flag

See merge request gitlab-org/gitlab!50735
parents c6d4c188 81a6ee38
...@@ -23,9 +23,9 @@ module AuthenticatesWithTwoFactor ...@@ -23,9 +23,9 @@ module AuthenticatesWithTwoFactor
session[:otp_user_id] = user.id session[:otp_user_id] = user.id
session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password) session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
push_frontend_feature_flag(:webauthn) push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
if Feature.enabled?(:webauthn) if Feature.enabled?(:webauthn, default_enabled: :yaml)
setup_webauthn_authentication(user) setup_webauthn_authentication(user)
else else
setup_u2f_authentication(user) setup_u2f_authentication(user)
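Review bot: The pair `push_frontend_feature_flag(:webauthn, default_enabled: :yaml)` / `Feature.enabled?(:webauthn, default_enabled: :yaml)` is now repeated verbatim here and in the AuthenticatesWithTwoFactorForAdminMode, Profiles::TwoFactorAuthsController, ProfilesController, SessionsController, MembersPreloader, User and HAML hunks of this commit, and every call site has to remember the `default_enabled: :yaml` option. If the flag helper behaves the way its keyword suggests, a site that omits it presumably falls back to the code default (`false`) wherever the flag has no persisted state, so backend and frontend could disagree on which second-factor flow is active. A single predicate method wrapping `Feature.enabled?(:webauthn, default_enabled: :yaml)` in a shared helper or on User would keep the option in one place, and the `push_frontend_feature_flag` calls could read from it too. The enclosing method of this hunk starts and ends outside it.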
...@@ -11,7 +11,7 @@ module AuthenticatesWithTwoFactorForAdminMode ...@@ -11,7 +11,7 @@ module AuthenticatesWithTwoFactorForAdminMode
return handle_locked_user(user) unless user.can?(:log_in) return handle_locked_user(user) unless user.can?(:log_in)
session[:otp_user_id] = user.id session[:otp_user_id] = user.id
push_frontend_feature_flag(:webauthn) push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
if user.two_factor_webauthn_enabled? if user.two_factor_webauthn_enabled?
setup_webauthn_authentication(user) setup_webauthn_authentication(user)
...@@ -8,7 +8,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -8,7 +8,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
helper_method :current_password_required? helper_method :current_password_required?
before_action do before_action do
push_frontend_feature_flag(:webauthn) push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
end end
feature_category :authentication_and_authorization feature_category :authentication_and_authorization
...@@ -44,7 +44,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -44,7 +44,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
@qr_code = build_qr_code @qr_code = build_qr_code
@account_string = account_string @account_string = account_string
if Feature.enabled?(:webauthn) if Feature.enabled?(:webauthn, default_enabled: :yaml)
setup_webauthn_registration setup_webauthn_registration
else else
setup_u2f_registration setup_u2f_registration
...@@ -69,7 +69,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController ...@@ -69,7 +69,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
@error = { message: _('Invalid pin code.') } @error = { message: _('Invalid pin code.') }
@qr_code = build_qr_code @qr_code = build_qr_code
if Feature.enabled?(:webauthn) if Feature.enabled?(:webauthn, default_enabled: :yaml)
setup_webauthn_registration setup_webauthn_registration
else else
setup_u2f_registration setup_u2f_registration
...@@ -8,7 +8,7 @@ class ProfilesController < Profiles::ApplicationController ...@@ -8,7 +8,7 @@ class ProfilesController < Profiles::ApplicationController
before_action :authorize_change_username!, only: :update_username before_action :authorize_change_username!, only: :update_username
skip_before_action :require_email, only: [:show, :update] skip_before_action :require_email, only: [:show, :update]
before_action do before_action do
push_frontend_feature_flag(:webauthn) push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
end end
feature_category :users feature_category :users
...@@ -32,7 +32,7 @@ class SessionsController < Devise::SessionsController ...@@ -32,7 +32,7 @@ class SessionsController < Devise::SessionsController
before_action :load_recaptcha before_action :load_recaptcha
before_action :set_invite_params, only: [:new] before_action :set_invite_params, only: [:new]
before_action do before_action do
push_frontend_feature_flag(:webauthn) push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
end end
after_action :log_failed_login, if: :action_new_and_failed_login? after_action :log_failed_login, if: :action_new_and_failed_login?
...@@ -305,9 +305,9 @@ class SessionsController < Devise::SessionsController ...@@ -305,9 +305,9 @@ class SessionsController < Devise::SessionsController
def authentication_method def authentication_method
if user_params[:otp_attempt] if user_params[:otp_attempt]
AuthenticationEvent::TWO_FACTOR AuthenticationEvent::TWO_FACTOR
elsif user_params[:device_response] && Feature.enabled?(:webauthn) elsif user_params[:device_response] && Feature.enabled?(:webauthn, default_enabled: :yaml)
AuthenticationEvent::TWO_FACTOR_WEBAUTHN AuthenticationEvent::TWO_FACTOR_WEBAUTHN
elsif user_params[:device_response] && !Feature.enabled?(:webauthn) elsif user_params[:device_response] && !Feature.enabled?(:webauthn, default_enabled: :yaml)
AuthenticationEvent::TWO_FACTOR_U2F AuthenticationEvent::TWO_FACTOR_U2F
else else
AuthenticationEvent::STANDARD AuthenticationEvent::STANDARD
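Review bot: In `authentication_method`, the third branch `elsif user_params[:device_response] && !Feature.enabled?(:webauthn, default_enabled: :yaml)` re-evaluates the flag that the branch directly above it already tested; once that branch has failed with `device_response` present, the negation is always true, so `elsif user_params[:device_response]` is equivalent and reads as the intended U2F fallback. That also avoids evaluating `Feature.enabled?` twice per sign-in attempt. The method's closing `end` lies outside the hunk.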
...@@ -13,7 +13,7 @@ class MembersPreloader ...@@ -13,7 +13,7 @@ class MembersPreloader
ActiveRecord::Associations::Preloader.new.preload(members, :created_by) ActiveRecord::Associations::Preloader.new.preload(members, :created_by)
ActiveRecord::Associations::Preloader.new.preload(members, user: :status) ActiveRecord::Associations::Preloader.new.preload(members, user: :status)
ActiveRecord::Associations::Preloader.new.preload(members, user: :u2f_registrations) ActiveRecord::Associations::Preloader.new.preload(members, user: :u2f_registrations)
ActiveRecord::Associations::Preloader.new.preload(members, user: :webauthn_registrations) if Feature.enabled?(:webauthn) ActiveRecord::Associations::Preloader.new.preload(members, user: :webauthn_registrations) if Feature.enabled?(:webauthn, default_enabled: :yaml)
end end
end end
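Review bot: The rewritten `webauthn_registrations` preload line now runs well past the usual 120-column limit because the full `Feature.enabled?(:webauthn, default_enabled: :yaml)` call sits in a trailing modifier; assigning it first, `webauthn = Feature.enabled?(:webauthn, default_enabled: :yaml)`, and guarding the preload with a plain `if webauthn` keeps the line readable. Separately, `u2f_registrations` is still preloaded unconditionally even though `User#two_factor_u2f_enabled?` (changed in this same commit) returns false whenever the flag is on, which is now the default; if nothing else consumes that association, the U2F preload could be guarded with the inverse condition so the default path does not issue an unused query.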
...@@ -911,7 +911,7 @@ class User < ApplicationRecord ...@@ -911,7 +911,7 @@ class User < ApplicationRecord
end end
def two_factor_u2f_enabled? def two_factor_u2f_enabled?
return false if Feature.enabled?(:webauthn) return false if Feature.enabled?(:webauthn, default_enabled: :yaml)
if u2f_registrations.loaded? if u2f_registrations.loaded?
u2f_registrations.any? u2f_registrations.any?
...@@ -925,7 +925,7 @@ class User < ApplicationRecord ...@@ -925,7 +925,7 @@ class User < ApplicationRecord
end end
def two_factor_webauthn_enabled? def two_factor_webauthn_enabled?
return false unless Feature.enabled?(:webauthn) return false unless Feature.enabled?(:webauthn, default_enabled: :yaml)
(webauthn_registrations.loaded? && webauthn_registrations.any?) || (!webauthn_registrations.loaded? && webauthn_registrations.exists?) (webauthn_registrations.loaded? && webauthn_registrations.any?) || (!webauthn_registrations.loaded? && webauthn_registrations.exists?)
end end
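Review bot: With the flag now defaulting to enabled, `two_factor_u2f_enabled?` returns false for every user unless an administrator explicitly disables `webauthn`, while `two_factor_webauthn_enabled?` only reports true for users who have `webauthn_registrations`. A user whose hardware second factor exists only as `u2f_registrations` therefore loses that factor on upgrade unless a U2F-to-WebAuthn registration conversion exists elsewhere, which this commit does not show; the documentation hunk describes only the reverse case (disabling the flag after WebAuthn devices were registered). It is worth confirming that conversion and stating the upgrade behaviour in the docs, and a comment above the early return would help the next reader: `# NOTE: with the webauthn flag on (the default) U2F registrations are ignored here — confirm existing U2F registrations have a WebAuthn counterpart`. Both methods touched by these hunks continue outside them.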
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
- page_title _('Two-Factor Authentication'), _('Account') - page_title _('Two-Factor Authentication'), _('Account')
- add_to_breadcrumbs _('Account'), profile_account_path - add_to_breadcrumbs _('Account'), profile_account_path
- @content_class = "limit-container-width" unless fluid_layout - @content_class = "limit-container-width" unless fluid_layout
- webauthn_enabled = Feature.enabled?(:webauthn) - webauthn_enabled = Feature.enabled?(:webauthn, default_enabled: :yaml)
.js-two-factor-auth{ 'data-two-factor-skippable' => "#{two_factor_skippable?}", 'data-two_factor_skip_url' => skip_profile_two_factor_auth_path } .js-two-factor-auth{ 'data-two-factor-skippable' => "#{two_factor_skippable?}", 'data-two_factor_skip_url' => skip_profile_two_factor_auth_path }
.row.gl-mt-3 .row.gl-mt-3
...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/232671 ...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/232671
milestone: '13.4' milestone: '13.4'
type: development type: development
group: group::access group: group::access
default_enabled: false default_enabled: true
...@@ -20,8 +20,7 @@ password secret. ...@@ -20,8 +20,7 @@ password secret.
NOTE: NOTE:
When you enable 2FA, don't forget to back up your [recovery codes](#recovery-codes)! When you enable 2FA, don't forget to back up your [recovery codes](#recovery-codes)!
In addition to time-based one time passwords (TOTP), GitLab supports U2F In addition to time-based one time passwords (TOTP), GitLab supports WebAuthn devices as the second factor
(universal 2nd factor) and WebAuthn (experimental) devices as the second factor
of authentication. After being enabled, in addition to supplying your username of authentication. After being enabled, in addition to supplying your username
and password to sign in, you're prompted to activate your U2F / WebAuthn device and password to sign in, you're prompted to activate your U2F / WebAuthn device
(usually by pressing a button on it) which performs secure authentication on (usually by pressing a button on it) which performs secure authentication on
...@@ -269,11 +268,11 @@ Click on **Register U2F Device** to complete the process. ...@@ -269,11 +268,11 @@ Click on **Register U2F Device** to complete the process.
### WebAuthn device ### WebAuthn device
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4 [with a flag](../../../administration/feature_flags.md) named `webauthn`. Disabled by default.
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default. > - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/232671) in GitLab 14.6.
> - It's disabled on GitLab.com.
> - It's not recommended for production use. FLAG:
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-webauthn). On self-managed GitLab, by default this feature is available. To disable the feature, ask an administrator to [disable the feature flag](../../../administration/feature_flags.md) named `webauthn`. If you disable the WebAuthn feature flag after WebAuthn devices have been registered, these devices are not usable until you re-enable this feature. On GitLab.com, this feature is available.
The WebAuthn workflow is [supported by](https://caniuse.com/#search=webauthn) the The WebAuthn workflow is [supported by](https://caniuse.com/#search=webauthn) the
following desktop browsers: following desktop browsers:
...@@ -350,7 +349,7 @@ request, and you're automatically signed in. ...@@ -350,7 +349,7 @@ request, and you're automatically signed in.
### Sign in by using a WebAuthn device ### Sign in by using a WebAuthn device
In supported browsers you should be automatically prompted to activate your WebAuthn device In supported browsers you should be automatically prompted to activate your WebAuthn device
(for example, by touching/pressing its button) after entering your credentials. (for example, by touching or pressing its button) after entering your credentials.
A message displays, indicating that your device responded to the authentication A message displays, indicating that your device responded to the authentication
request and you're automatically signed in. request and you're automatically signed in.
...@@ -495,25 +494,6 @@ request a GitLab global administrator disable two-factor authentication for your ...@@ -495,25 +494,6 @@ request a GitLab global administrator disable two-factor authentication for your
- To enforce 2FA at the system or group levels see [Enforce Two-factor Authentication](../../../security/two_factor_authentication.md). - To enforce 2FA at the system or group levels see [Enforce Two-factor Authentication](../../../security/two_factor_authentication.md).
## Enable or disable WebAuthn **(FREE SELF)**
Support for WebAuthn is under development and not ready for production use. It is
deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can enable it.
To enable it:
```ruby
Feature.enable(:webauthn)
```
To disable it:
```ruby
Feature.disable(:webauthn)
```
## Troubleshooting ## Troubleshooting
If you are receiving an `invalid pin code` error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself. If you are receiving an `invalid pin code` error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself.