Commit d9624bb8 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'rs-backport-ldap-2fa' into 'master'

Support Two-factor Authentication for LDAP users

Closes #12653

See merge request !2688
parents e933a50b d6ef6c63
...@@ -16,6 +16,7 @@ v 8.5.0 (unreleased) ...@@ -16,6 +16,7 @@ v 8.5.0 (unreleased)
- Don't vendor minified JS - Don't vendor minified JS
- Display 404 error on group not found - Display 404 error on group not found
- Track project import failure - Track project import failure
- Support Two-factor Authentication for LDAP users
- Fix visibility level text in admin area (Zeger-Jan van de Weg) - Fix visibility level text in admin area (Zeger-Jan van de Weg)
- Warn admin during OAuth of granting admin rights (Zeger-Jan van de Weg) - Warn admin during OAuth of granting admin rights (Zeger-Jan van de Weg)
- Update the ExternalIssue regex pattern (Blake Hitchcock) - Update the ExternalIssue regex pattern (Blake Hitchcock)
......
class OmniauthCallbacksController < Devise::OmniauthCallbacksController class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor
protect_from_forgery except: [:kerberos, :saml, :cas3] protect_from_forgery except: [:kerberos, :saml, :cas3]
...@@ -29,8 +30,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -29,8 +30,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
# Do additional LDAP checks for the user filter and EE features # Do additional LDAP checks for the user filter and EE features
if ldap_user.allowed? if ldap_user.allowed?
log_audit_event(@user, with: :ldap) if @user.two_factor_enabled?
sign_in_and_redirect(@user) prompt_for_two_factor(@user)
else
log_audit_event(@user, with: :ldap)
sign_in_and_redirect(@user)
end
else else
flash[:alert] = "Access denied for your LDAP account." flash[:alert] = "Access denied for your LDAP account."
redirect_to new_user_session_path redirect_to new_user_session_path
......
...@@ -31,34 +31,33 @@ ...@@ -31,34 +31,33 @@
- else - else
= f.submit 'Generate', class: "btn btn-default" = f.submit 'Generate', class: "btn btn-default"
- unless current_user.ldap_user? .panel.panel-default
.panel.panel-default .panel-heading
.panel-heading Two-factor Authentication
Two-factor Authentication .panel-body
.panel-body - if current_user.two_factor_enabled?
- if current_user.two_factor_enabled? .pull-right
.pull-right = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
= link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm', data: { confirm: 'Are you sure?' }
data: { confirm: 'Are you sure?' } %p.text-success
%p.text-success %strong
%strong Two-factor Authentication is enabled
Two-factor Authentication is enabled %p
%p If you lose your recovery codes you can
If you lose your recovery codes you can %strong
%strong = succeed ',' do
= succeed ',' do = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
= link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' } invalidating all previous codes.
invalidating all previous codes.
- else - else
%p %p
Increase your account's security by enabling two-factor authentication (2FA). Increase your account's security by enabling two-factor authentication (2FA).
%p %p
Each time you log in you’ll be required to provide your username and Each time you log in you’ll be required to provide your username and
password as usual, plus a randomly-generated code from your phone. password as usual, plus a randomly-generated code from your phone.
.form-actions .form-actions
= link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success' = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
- if button_based_providers.any? - if button_based_providers.any?
.panel.panel-default .panel.panel-default
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment