Commit 5f5d8a8e authored by Patricio Cano's avatar Patricio Cano

Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user`

parent f971026a
...@@ -27,9 +27,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -27,9 +27,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
@ci = true @ci = true
elsif auth_result.type == :oauth && !download_request? elsif auth_result.type == :oauth && !download_request?
# Not allowed # Not allowed
elsif auth_result.type == :missing_personal_token
render_missing_personal_token
return # Render above denied access, nothing left to do
else else
@user = auth_result.user @user = auth_result.user
check_2fa(auth_result.type)
end end
if ci? || user if ci? || user
...@@ -92,13 +94,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -92,13 +94,11 @@ class Projects::GitHttpClientController < Projects::ApplicationController
[nil, nil] [nil, nil]
end end
def check_2fa(auth_type) def render_missing_personal_token
if user && user.two_factor_enabled? && auth_type == :gitlab_or_ldap render plain: "HTTP Basic: Access denied\n"\
render plain: "HTTP Basic: Access denied\n"\ "You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\
"You have 2FA enabled, please use a personal access token for Git over HTTP.\n"\ "You can generate one at #{profile_personal_access_tokens_url}",
"You can generate one at #{profile_personal_access_tokens_url}", status: 401
status: 401
end
end end
def repository def repository
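Review bot: The new `elsif auth_result.type == :missing_personal_token` branch in the first hunk silently depends on Gitlab::Auth having cleared `auth_result.user` for that type; nothing on the controller side records that invariant, so a later change that leaves the user populated would still hit `render_missing_personal_token` only because this branch is ordered before `else`. A one-line comment above the branch would make the contract explicit: `# auth.rb reports :missing_personal_token (with user cleared) when a 2FA user supplied a password; deny before any @user assignment`. In the second hunk, `render_missing_personal_token` answers 401 with a fixed body and no challenge header, as the removed `check_2fa` did, so the commit changes where the check lives but not the response itself. The enclosing `authenticate_user` method starts before and ends after the first hunk.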
...@@ -11,14 +11,20 @@ module Gitlab ...@@ -11,14 +11,20 @@ module Gitlab
if valid_ci_request?(login, password, project) if valid_ci_request?(login, password, project)
result.type = :ci result.type = :ci
elsif result.user = find_with_user_password(login, password) elsif result.user = find_with_user_password(login, password)
result.type = :gitlab_or_ldap if result.user.two_factor_enabled?
result.user = nil
result.type = :missing_personal_token
else
result.type = :gitlab_or_ldap
end
elsif result.user = oauth_access_token_check(login, password) elsif result.user = oauth_access_token_check(login, password)
result.type = :oauth result.type = :oauth
elsif result.user = personal_access_token_check(login, password) elsif result.user = personal_access_token_check(login, password)
result.type = :personal_token result.type = :personal_token
end end
rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login) success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)
rate_limit!(ip, success: success, login: login)
result result
end end
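Review bot: The new nested `if result.user.two_factor_enabled?` block clears `result.user` after `find_with_user_password` already matched, and the hunk gives no hint that the nil is intentional rather than a lost assignment; a comment is needed so the next maintainer does not "restore" the user: `# Password auth is refused for 2FA users over Git HTTP: drop the user so callers cannot treat the result as authenticated, and signal the reason via the type`. The `success = result.user.present? || [:ci, :missing_personal_token].include?(result.type)` line then has to special-case that type so a correct password on a 2FA account still counts as a successful attempt for `rate_limit!`, which appears to preserve the previous `!!result.user` behaviour; a short comment there tying the two together would help as well. The enclosing method's signature is above the hunk, so the `result` initialisation and any return contract are not visible here.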