Merge branch 'dblessing-email-on-new-signin' into 'master'

Send email notification for unknown sign ins

Closes #27211

See merge request gitlab-org/gitlab!29741

app/controllers/concerns/known_sign_in.rb

+# frozen_string_literal: true
+
+module KnownSignIn
+  include Gitlab::Utils::StrongMemoize
+
+  private
+
+  def verify_known_sign_in
+    return unless current_user
+
+    notify_user unless known_remote_ip?
+  end
+
+  def known_remote_ip?
+    known_ip_addresses.include?(request.remote_ip)
+  end
+
+  def sessions
+    strong_memoize(:session) do
+      ActiveSession.list(current_user).reject(&:is_impersonated)
+    end
+  end
+
+  def known_ip_addresses
+    [current_user.last_sign_in_ip, sessions.map(&:ip_address)].flatten
+  end
+
+  def notify_user
+    current_user.notification_service.unknown_sign_in(current_user, request.remote_ip)
+  end
+end

app/controllers/omniauth_callbacks_controller.rb

@@ -6,6 +6,9 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include Devise::Controllers::Rememberable
   include AuthHelper
   include InitializesCurrentUserMode
+  include KnownSignIn
+
+  after_action :verify_known_sign_in
 
   protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
 

app/controllers/sessions_controller.rb

@@ -7,6 +7,7 @@ class SessionsController < Devise::SessionsController
   include Recaptcha::ClientHelper
   include Recaptcha::Verify
   include RendersLdapServers
+  include KnownSignIn
 
   skip_before_action :check_two_factor_requirement, only: [:destroy]
   # replaced with :require_no_authentication_without_flash
@@ -27,6 +28,7 @@ class SessionsController < Devise::SessionsController
   before_action :frontend_tracking_data, only: [:new]
 
   after_action :log_failed_login, if: :action_new_and_failed_login?
+  after_action :verify_known_sign_in, only: [:create]
 
   helper_method :captcha_enabled?, :captcha_on_login_required?
 

app/mailers/emails/profile.rb

@@ -44,6 +44,16 @@ module Emails
         mail(to: @user.notification_email, subject: subject(_("Your Personal Access Tokens will expire in %{days_to_expire} days or less") % { days_to_expire: @days_to_expire }))
       end
     end
+
+    def unknown_sign_in_email(user, ip)
+      @user = user
+      @ip = ip
+      @target_url = edit_profile_password_url
+
+      Gitlab::I18n.with_locale(@user.preferred_language) do
+        mail(to: @user.notification_email, subject: subject(_("Unknown sign-in from new location")))
+      end
+    end
   end
 end
 

app/mailers/previews/notify_preview.rb

@@ -161,6 +161,10 @@ class NotifyPreview < ActionMailer::Preview
     Notify.remote_mirror_update_failed_email(remote_mirror.id, user.id).message
   end
 
+  def unknown_sign_in_email
+    Notify.unknown_sign_in_email(user, '127.0.0.1').message
+  end
+
   private
 
   def project

app/services/notification_service.rb

@@ -66,6 +66,14 @@ class NotificationService
     mailer.access_token_about_to_expire_email(user).deliver_later
   end
 
+  # Notify a user when a previously unknown IP or device is used to
+  # sign in to their account
+  def unknown_sign_in(user, ip)
+    return unless user.can?(:receive_notifications)
+
+    mailer.unknown_sign_in_email(user, ip).deliver_later
+  end
+
   # When create an issue we should send an email to:
   #
   #  * issue assignee if their notification level is not Disabled

app/views/notify/unknown_sign_in_email.html.haml

+%p
+  = _('Hi %{username}!') % { username: sanitize_name(@user.name) }
+%p
+  = _('A sign-in to your account has been made from the following IP address: %{ip}.') % { ip: @ip }
+%p
+  - password_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: 'https://docs.gitlab.com/ee/user/profile/#changing-your-password' }
+  = _('If you recently signed in and recognize the IP address, you may disregard this email.')
+  = _('If you did not recently sign in, you should immediately %{password_link_start}change your password%{password_link_end}.').html_safe % { password_link_start: password_link_start, password_link_end: '</a>'.html_safe }
+  = _('Passwords should be unique and not used for any other sites or services.')
+
+- unless @user.two_factor_enabled?
+  %p
+    - mfa_link_start = '<a href="https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html" target="_blank">'.html_safe
+    = _('To further protect your account, consider configuring a %{mfa_link_start}two-factor authentication%{mfa_link_end} method.').html_safe % { mfa_link_start: mfa_link_start, mfa_link_end: '</a>'.html_safe }

app/views/notify/unknown_sign_in_email.text.haml

+= _('Hi %{username}!') % { username: sanitize_name(@user.name) }
+
+= _('A sign-in to your account has been made from the following IP address: %{ip}') % { ip: @ip }
+
+= _('If you recently signed in and recognize the IP address, you may disregard this email.')
+= _('If you did not recently sign in, you should immediately change your password: %{password_link}.') % { password_link: 'https://docs.gitlab.com/ee/user/profile/#changing-your-password' }
+= _('Passwords should be unique and not used for any other sites or services.')
+
+- unless @user.two_factor_enabled?
+  = _('To further protect your account, consider configuring a two-factor authentication method: %{mfa_link}.') % { mfa_link: 'https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html' }

changelogs/unreleased/dblessing-email-on-new-signin.yml

+---
+title: Send email notification for unknown sign-ins
+merge_request: 29741
+author:
+type: added

doc/user/profile/index.md

@@ -17,6 +17,11 @@ There are several ways to create users on GitLab. See the [creating users docume
 There are several ways to sign into your GitLab account.
 See the [authentication topic](../../topics/authentication/index.md) for more details.
 
+### Unknown sign-in
+
+GitLab will notify you if a sign-in occurs that is from an unknown IP address.
+See [Unknown Sign-In Notification](unknown_sign_in_notification.md) for more details.
+
 ## User profile
 
 To access your profile:
@@ -44,6 +49,7 @@ To access your profile settings:
 From there, you can:
 
 - Update your personal information
+- Change your [password](#changing-your-password)
 - Set a [custom status](#current-status) for your profile
 - Manage your [commit email](#commit-email) for your profile
 - Manage [2FA](account/two_factor_authentication.md)
@@ -60,6 +66,18 @@ From there, you can:
 - [View your active sessions](active_sessions.md) and revoke any of them if necessary
 - Access your audit log, a security log of important events involving your account
 
+## Changing your password
+
+1. Navigate to your [profile's](#profile-settings) **Settings > Password**.
+1. Enter your current password in the 'Current password' field.
+1. Enter your desired new password twice, once in the 'New password' field and
+   once in the 'Password confirmation' field.
+1. Click the 'Save password' button.
+
+If you don't know your current password, select the 'I forgot my password' link.
+
+![Change your password](./img/change_password_v13_0.png)
+
 ## Changing your username
 
 Your `username` is a unique [`namespace`](../group/index.md#namespaces)

doc/user/profile/unknown_sign_in_notification.md

+# Email notification for unknown sign-ins
+
+When a user successfully signs in from a previously unknown IP address,
+GitLab notifies the user by email. In this way, GitLab proactively alerts users of potentially
+malicious or unauthorized sign-ins.
+
+There are two methods used to identify a known sign-in:
+
+- Last sign-in IP: The current sign-in IP address is checked against the last sign-in
+  IP address.
+- Current active sessions: If the user has an existing active session from the
+  same IP address. See [Active Sessions](active_sessions.md).
+
+## Example email
+
+![Unknown sign in email](./img/unknown_sign_in_email_v13_0.png)

locale/gitlab.pot

@@ -918,6 +918,12 @@ msgstr ""
 msgid "A secure token that identifies an external storage request."
 msgstr ""
 
+msgid "A sign-in to your account has been made from the following IP address: %{ip}"
+msgstr ""
+
+msgid "A sign-in to your account has been made from the following IP address: %{ip}."
+msgstr ""
+
 msgid "A subscription will trigger a new pipeline on the default branch of this project when a pipeline successfully completes for a new tag on the %{default_branch_docs} of the subscribed project."
 msgstr ""
 
@@ -11204,12 +11210,21 @@ msgstr ""
 msgid "If using GitHub, you’ll see pipeline statuses on GitHub for your commits and pull requests. %{more_info_link}"
 msgstr ""
 
+msgid "If you did not recently sign in, you should immediately %{password_link_start}change your password%{password_link_end}."
+msgstr ""
+
+msgid "If you did not recently sign in, you should immediately change your password: %{password_link}."
+msgstr ""
+
 msgid "If you lose your recovery codes you can generate new ones, invalidating all previous codes."
 msgstr ""
 
 msgid "If you reach 100%% storage capacity, you will not be able to: %{base_message}"
 msgstr ""
 
+msgid "If you recently signed in and recognize the IP address, you may disregard this email."
+msgstr ""
+
 msgid "If your HTTP repository is not publicly accessible, add your credentials."
 msgstr ""
 
@@ -14937,6 +14952,9 @@ msgstr ""
 msgid "Password was successfully updated. Please login with it"
 msgstr ""
 
+msgid "Passwords should be unique and not used for any other sites or services."
+msgstr ""
+
 msgid "Past due"
 msgstr ""
 
@@ -22190,6 +22208,12 @@ msgstr ""
 msgid "To enable it and see User Cohorts, visit %{application_settings_link_start}application settings%{application_settings_link_end}."
 msgstr ""
 
+msgid "To further protect your account, consider configuring a %{mfa_link_start}two-factor authentication%{mfa_link_end} method."
+msgstr ""
+
+msgid "To further protect your account, consider configuring a two-factor authentication method: %{mfa_link}."
+msgstr ""
+
 msgid "To get started you enter your FogBugz URL and login information below. In the next steps, you'll be able to map users and select the projects you want to import."
 msgstr ""
 
@@ -22703,6 +22727,9 @@ msgstr ""
 msgid "Unknown response text"
 msgstr ""
 
+msgid "Unknown sign-in from new location"
+msgstr ""
+
 msgid "Unlimited"
 msgstr ""
 

spec/controllers/omniauth_callbacks_controller_spec.rb

@@ -144,6 +144,10 @@ describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode:
         let(:extern_uid) { 'my-uid' }
         let(:provider) { :github }
 
+        it_behaves_like 'known sign in' do
+          let(:post_action) { post provider }
+        end
+
         it 'allows sign in' do
           post provider
 
@@ -287,6 +291,11 @@ describe OmniauthCallbacksController, type: :controller, do_not_mock_admin_mode:
       request.env['omniauth.auth'] = Rails.application.env_config['omniauth.auth']
     end
 
+    it_behaves_like 'known sign in' do
+      let(:user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'saml') }
+      let(:post_action) { post :saml, params: { SAMLResponse: mock_saml_response } }
+    end
+
     context 'sign up' do
       before do
         user.destroy

spec/controllers/sessions_controller_spec.rb

@@ -99,6 +99,11 @@ describe SessionsController do
       set_devise_mapping(context: @request)
     end
 
+    it_behaves_like 'known sign in' do
+      let(:user) { create(:user) }
+      let(:post_action) { post(:create, params: { user: { login: user.username, password: user.password } }) }
+    end
+
     context 'when using standard authentications' do
       context 'invalid password' do
         it 'does not authenticate user' do

spec/mailers/emails/profile_spec.rb

@@ -156,4 +156,44 @@ describe Emails::Profile do
       it { expect { Notify.access_token_about_to_expire_email('foo') }.not_to raise_error }
     end
   end
+
+  describe 'user unknown sign in email' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:ip) { '169.0.0.1' }
+
+    subject { Notify.unknown_sign_in_email(user, ip) }
+
+    it_behaves_like 'an email sent from GitLab'
+    it_behaves_like 'it should not have Gmail Actions links'
+    it_behaves_like 'a user cannot unsubscribe through footer link'
+
+    it 'is sent to the user' do
+      expect(subject).to deliver_to user.email
+    end
+
+    it 'has the correct subject' do
+      expect(subject).to have_subject /^Unknown sign-in from new location$/
+    end
+
+    it 'mentions the unknown sign-in IP' do
+      expect(subject).to have_body_text /A sign-in to your account has been made from the following IP address: #{ip}./
+    end
+
+    it 'includes a link to the change password page' do
+      expect(subject).to have_body_text /#{edit_profile_password_path}/
+    end
+
+    it 'mentions two factor authentication when two factor is not enabled' do
+      expect(subject).to have_body_text /two-factor authentication/
+    end
+
+    context 'when two factor authentication is enabled' do
+      it 'does not mention two factor authentication' do
+        two_factor_user = create(:user, :two_factor)
+
+        expect( Notify.unknown_sign_in_email(two_factor_user, ip) )
+          .not_to have_body_text /two-factor authentication/
+      end
+    end
+  end
 end

spec/services/notification_service_spec.rb

@@ -240,6 +240,17 @@ describe NotificationService, :mailer do
     end
   end
 
+  describe '#unknown_sign_in' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:ip) { '127.0.0.1' }
+
+    subject { notification.unknown_sign_in(user, ip) }
+
+    it 'sends email to the user' do
+      expect { subject }.to have_enqueued_email(user, ip, mail: 'unknown_sign_in_email')
+    end
+  end
+
   describe 'Notes' do
     context 'issue note' do
       let(:project) { create(:project, :private) }

spec/support/shared_examples/controllers/known_sign_in_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'known sign in' do
+  def stub_remote_ip(ip)
+    request.remote_ip = ip
+  end
+
+  def stub_user_ip(ip)
+    user.update!(current_sign_in_ip: ip)
+  end
+
+  context 'with a valid post' do
+    context 'when remote IP does not match user last sign in IP' do
+      before do
+        stub_user_ip('127.0.0.1')
+        stub_remote_ip('169.0.0.1')
+      end
+
+      it 'notifies the user' do
+        expect_next_instance_of(NotificationService) do |instance|
+          expect(instance).to receive(:unknown_sign_in)
+        end
+
+        post_action
+      end
+    end
+
+    context 'when remote IP matches an active session' do
+      before do
+        existing_sessions = ActiveSession.session_ids_for_user(user.id)
+        existing_sessions.each { |sessions| ActiveSession.destroy(user, sessions) }
+
+        stub_user_ip('169.0.0.1')
+        stub_remote_ip('127.0.0.1')
+
+        ActiveSession.set(user, request)
+      end
+
+      it 'does not notify the user' do
+        expect_any_instance_of(NotificationService).not_to receive(:unknown_sign_in)
+
+        post_action
+      end
+    end
+
+    context 'when remote IP address matches last sign in IP' do
+      before do
+        stub_user_ip('127.0.0.1')
+        stub_remote_ip('127.0.0.1')
+      end
+
+      it 'does not notify the user' do
+        expect_any_instance_of(NotificationService).not_to receive(:unknown_sign_in)
+
+        post_action
+      end
+    end
+  end
+end