Commit 53af3e6b authored by Kartikey Tanna's avatar Kartikey Tanna Committed by Kamil Trzciński

#57815 Password authentication disabled for UltraAuth users

Disabled password authentication for the users registered using
omniauth-ultraauth strategy
parent c8f18c50
...@@ -23,7 +23,8 @@ module EnforcesTwoFactorAuthentication ...@@ -23,7 +23,8 @@ module EnforcesTwoFactorAuthentication
def two_factor_authentication_required? def two_factor_authentication_required?
Gitlab::CurrentSettings.require_two_factor_authentication? || Gitlab::CurrentSettings.require_two_factor_authentication? ||
current_user.try(:require_two_factor_authentication_from_group?) current_user.try(:require_two_factor_authentication_from_group?) ||
current_user.try(:ultraauth_user?)
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
......
...@@ -835,11 +835,11 @@ class User < ApplicationRecord ...@@ -835,11 +835,11 @@ class User < ApplicationRecord
end end
def allow_password_authentication_for_web? def allow_password_authentication_for_web?
Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? && !ultraauth_user?
end end
def allow_password_authentication_for_git? def allow_password_authentication_for_git?
Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? && !ultraauth_user?
end end
def can_change_username? def can_change_username?
...@@ -919,6 +919,14 @@ class User < ApplicationRecord ...@@ -919,6 +919,14 @@ class User < ApplicationRecord
end end
end end
def ultraauth_user?
if identities.loaded?
identities.find { |identity| Gitlab::Auth::OAuth::Provider.ultraauth_provider?(identity.provider) && !identity.extern_uid.nil? }
else
identities.exists?(["provider = ? AND extern_uid IS NOT NULL", "ultraauth"])
end
end
def ldap_identity def ldap_identity
@ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"]) @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
end end
......
---
title: Enforced requirements for UltraAuth users
merge_request: 28941
author: Kartikey Tanna
type: changed
...@@ -71,8 +71,8 @@ To get the credentials (a pair of Client ID and Client Secret), you must registe ...@@ -71,8 +71,8 @@ To get the credentials (a pair of Client ID and Client Secret), you must registe
1. [Reconfigure GitLab]( ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure ) or [restart GitLab]( ../administration/restart_gitlab.md#installations-from-source ) for the changes to take effect if you 1. [Reconfigure GitLab]( ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure ) or [restart GitLab]( ../administration/restart_gitlab.md#installations-from-source ) for the changes to take effect if you
installed GitLab via Omnibus or from source respectively. installed GitLab via Omnibus or from source respectively.
On the sign in page, there should now be a UltraAuth icon below the regular sign in form. On the sign in page, there should now be an UltraAuth icon below the regular sign in form.
Click the icon to begin the authentication process. UltraAuth will ask the user to sign in and authorize the GitLab application. Click the icon to begin the authentication process. UltraAuth will ask the user to sign in and authorize the GitLab application.
If everything goes well, the user will be returned to GitLab and will be signed in. If everything goes well, the user will be returned to GitLab and will be signed in.
**Note:** GitLab requires the email address of each new user. Once the user is logged in using UltraAuth, GitLab will redirect the user to the profile page where they will have to provide the email and verify the email. GitLab requires the email address of each new user. Once the user is logged in using UltraAuth, GitLab will redirect the user to the profile page where they will have to provide the email and verify the email. Password authentication will be disabled for UltraAuth users and two-factor authentication (2FA) will be enforced.
...@@ -40,6 +40,10 @@ module Gitlab ...@@ -40,6 +40,10 @@ module Gitlab
name.to_s.start_with?('ldap') name.to_s.start_with?('ldap')
end end
def self.ultraauth_provider?(name)
name.to_s.eql?('ultraauth')
end
def self.sync_profile_from_provider?(provider) def self.sync_profile_from_provider?(provider)
return true if ldap_provider?(provider) return true if ldap_provider?(provider)
......
...@@ -289,6 +289,13 @@ describe ApplicationController do ...@@ -289,6 +289,13 @@ describe ApplicationController do
expect(subject).to be_truthy expect(subject).to be_truthy
end end
it 'returns true if user has signed up using omniauth-ultraauth' do
user = create(:omniauth_user, provider: 'ultraauth')
allow(controller).to receive(:current_user).and_return(user)
expect(subject).to be_truthy
end
end end
describe '#two_factor_grace_period' do describe '#two_factor_grace_period' do
......
...@@ -1769,6 +1769,26 @@ describe User do ...@@ -1769,6 +1769,26 @@ describe User do
end end
end end
describe '#ultraauth_user?' do
it 'is true if provider is ultraauth' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.ultraauth_user?).to be_truthy
end
it 'is false with othe provider' do
user = create(:omniauth_user, provider: 'not-ultraauth')
expect(user.ultraauth_user?).to be_falsey
end
it 'is false if no extern_uid is provided' do
user = create(:omniauth_user, extern_uid: nil)
expect(user.ldap_user?).to be_falsey
end
end
describe '#full_website_url' do describe '#full_website_url' do
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -2807,6 +2827,12 @@ describe User do ...@@ -2807,6 +2827,12 @@ describe User do
expect(user.allow_password_authentication_for_web?).to be_falsey expect(user.allow_password_authentication_for_web?).to be_falsey
end end
it 'returns false for ultraauth user' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.allow_password_authentication_for_web?).to be_falsey
end
end end
describe '#allow_password_authentication_for_git?' do describe '#allow_password_authentication_for_git?' do
...@@ -2829,6 +2855,12 @@ describe User do ...@@ -2829,6 +2855,12 @@ describe User do
expect(user.allow_password_authentication_for_git?).to be_falsey expect(user.allow_password_authentication_for_git?).to be_falsey
end end
it 'returns false for ultraauth user' do
user = create(:omniauth_user, provider: 'ultraauth')
expect(user.allow_password_authentication_for_git?).to be_falsey
end
end end
describe '#assigned_open_merge_requests_count' do describe '#assigned_open_merge_requests_count' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment