1. 06 Jun, 2016 14 commits
    • Douwe Maan's avatar
      Add changelog item · ae011aff
      Douwe Maan authored
      ae011aff
    • Douwe Maan's avatar
      Add workhorse controller and API helpers · 8c3ba8d6
      Douwe Maan authored
      8c3ba8d6
    • Rémy Coutable's avatar
      Merge branch '15337-yubikey-support' into 'master' · 3cb69f0c
      Rémy Coutable authored
      Allow a U2F Device to be the Second Factor for Authentication
      
      Parent Issue: #15337 
      
      ## TODO
      - [ ] #15337 (!3905) FIDO/U2F 2FA using Yubikey
          - [x] Order a Yubikey?
          - [x] Do some reading to figure out what all this stuff means
          - [x] Look through the existing MR
          - [x] Browser support?
          - [x] Implementation
              - [x] User can register 2FA using their U2H device instead of authenticator
                  - [x] Barebones flow
                  - [x] Save the registration in the database
                  - [x] Authentication flow
                  - [x] First try after login/server start doesn't work
              - [x] User can log in using their U2F device
              - [x] Allow setting up authenticator if U2F is already set up (or vice versa)
              - [x] Change `two_factor_auths/new` to `show`
              - [x] `sign_requests` during registration? (Registering a device that has already been registered)
              - [x] 2FA skippable flow?
              - [x] Enforced 2FA flow (grace period?)
              - [x] Move the "Configure it Later" button to the right place
              - [x] Don't allow registration when the yubikey isn't plugged in
              - [x] Polish authentication flow
              - [x] Login should only show the 2FA method that's enabled
                  - [x] Message to say that u2f only works on chrome, and it's recommended to enable otp as well.
              - [x] Index for key_handle
              - [x] Server-side errors while registering/logging in
              - [x] Handle non-chrome browsers
              - [x] Try to authenticate with a key that hasn't been registered (shouldn't work)
              - [x] Try the same key for multiple user accounts (should work)
              - [x] Fix existing tests
              - [x] Make sure CI is green
              - [x] Add tests
                  - [x] Figure out how to fake the Yubikey
                  - [x] Teaspoon tests for the React components
                      - [x] Each device can only be registered once per user
                  - [x] Feature specs
                      - [x] Regular flows
                      - [x] Test error cases
              - [x] Refactoring
                  - [x] Refactor App ID
                  - [x] Clean up the `show` action
              - [x] Annotate methods with definition of U2F
              - [x] Changelog
              - [x] Fix merge conflicts
              - [x] Verify flows
                  - [x] Authenticator + no U2F
                  - [x] U2F + no authenticator
                  - [x] U2F + authenticator
                  - [x] U2F + authenticator -> disable 2FA
                  - [x] 2FA required with different grace periods
              - [x] Screenshots for MR
          - [x] Augment the [help docs](http://localhost:3000/help/profile/two_factor_authentication)
          - [x] Assign to endboss
          - [x] Ask for feedback on UI/UX
          - [x] Ask for feedback on copy
          - [x] Wait for review/merge
          - [x] Fix merge conflicts
          - [x] Wait for CI to pass
          - [x] Implement review comments/suggestions
              - [x] Move `TwoFactorAuthController#create_u2f` to a service
              - [x] Extra space before `Base64` in `u2f_registration` model
              - [x] Move `with/without_two_factor` scopes to class methods
              - [x] In `profiles/accounts/show`, add spaces at `{` and `}`
              - [x] Remove blank lines in `profiles/two_factor_auths/show`
              - [x] Fix typo in doc. "(universal 2nd factor )"
              - [x] Add "Added in 8.8" to doc
              - [x] In the doc, use 'Enable 2FA via mobile application' instead of 'Via Mobile Application'
              - [x] In the doc, use 'Enable 2FA via U2F device' instead of 'Via U2F Device
              - [x] Use "Two-Factor Authentication" everywhere
              - [x] Use `#icon` wrapper instead of `fa_stacked_icon`
              - [x] Check if `string` is enough for `key_handle` and `public_key`
              - [x] Separate `exercise` and `verify` phases of test (u2f_spec)
              - [x] Assert that `user_without_2fa` is _not_ in results (with_two_factor)
                  - [x] Remove rubocop exception
              - [x] Refactor call to `User.with_two_factor.count` to not include `.length`
              - [x] Add a note that makes the "Disable" button/feature obvious
              - [x] Remove i18n
              - [x] Test in Firefox with addon (+ create new issue for support)
              - [x] Remove React
                  - [x] Rewrite registration
                  - [x] Switch underscore template to default style
                  - [x] Rewrite authentication
                  - [x] Move `register` haml to `u2f` dir
                  - [x] Remove instance variables
                  - [x] Fix tests
                  - [x] Read SCSS guidelines
                  - [x] Address @connorshea's comments regarding text style
                  - [x] Make sure all classes and IDs are in line (add `js-` prefixes)
                      - [x] Register
                      - [x] Authenticate
                  - [x] Refactoring?
              - [x] Include non-minifed version of bowser
              - [x] Audit log
              - [x] Look at the `browser` gem (and don't use bowser)
              - [x] Error message when on HTTP?
          - [x] Test on Mobile
          - [x] Fix merge conflicts
          - [x] Retest all flows
          - [x] Back to Rémy for review
          - [x] Make sure CI is green
          - [x] Wait for merge / more feedback
          - [x] Implement @rymai's changes
              - [x] JS/Coffeescript variables should be lowerCamelCase
              - [x] Spaces before/after `}` and `{` in HAML (and elsewhere)
              - [x] Rails view helpers in u2f HAML
              - [x] `%div.row.append-bottom-10`
              - [x] Wrap line in `without_two_factor` scope
              - [x] Exception-less flow in `U2F::CreateService`
          - [x] Fix merge conflicts
          - [x] Move service to model class method
          - [x] Fix teaspoon specs
          - [x] Address @rymai's suggestions about error handing
          - [x] Javascript error constants
          - [x] Fix merge conflicts
          - [x] One final review
              - [x] Test "registration with errors" flow
          - [x] Assign to Remy
          - [x] Wait for replies from @jschatz1
          - [x] Address @rymai's comments
              - [x] Omit `%div`
              - [x] Scope `$.find` globally
              - [x] Replace `find('#element-id).click` with `click_on('Element Text')
          - [x] Rebase master + conflicts
          - [x] Look at https://news.ycombinator.com/item?id=11690774
          - [x] Address @connorshea's comment regarding HTTPS on localhost
          - [x] Final sanity check
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/c84179ad233529c33ee6ba8491cfea862c6cd864/builds)
          - [x] Address @rymai's next round of comments
              - [x] Interpolate `true` and `false` in DB scopes
              - [x] Why have `Gon::Base.render_data` thrice?
              - [x] `user_spec` should have correct spacing
              - [x] Use `arel_table[:id]` instead of `users.id`
              - [x] URL helper in `app/views/profiles/two_factor_auths/show.html.haml`
              - [x] Remove polyfill change
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/0123ab8/builds)
          - [x] Address @jschatz1's comments
              - [x] Use `on('click', ...)` instead of `click(...)`
              - [x] Use `is` and `isnt` in coffeescript
              - [x] Use `and` and `or` in coffeescript
          - [x] Add `Gon::Base.render_data` to `devise_empty` (and other base layouts)
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/401916397336174c582be3d3004a072f845d4b5f/builds)
          - [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/75955710ef9a5f0dcee04e8617028c0e3ea5bf50/builds) to pass
          - [x] Fix merge conflicts
          - [x] Inspect diff / workflow
          - [x] Assign back to @rymai
          - [x] Make sure [ci](https://gitlab.com/gitlab-org/gitlab-ce/commit/2c6316b29a9276ef44c7b4b39363a611bf5973a6/builds) has passed
          - [x] Fix merge conflicts (probably introduced by [devise upgrade](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4216)
          - [x] Wait for [CI](https://gitlab.com/gitlab-org/gitlab-ce/commit/a5ef48b7aa63d0d9e45b41643043b57208eaab9f/builds) to pass
          - [x] Respond to @rymai's comments
              - [x] Use `elsif`
              - [x] Check if we need `and return`
              - [x] Only fetch key handles from the DB
              - [x] No annotations to models?
              - [x] Align hash keys in model
          - [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/e0ef504734e7f14813c73bbb79f5c5f6fae3248c/builds) to pass
          - [ ] Wait for merge
      
      ## Screenshots
      
      ![Screenshot_2016-05-03_09.53.04](/uploads/1af3f277efa488dc107d36e6b4b07ca4/Screenshot_2016-05-03_09.53.04.png)
      ![Screenshot_2016-05-03_10.19.53](/uploads/2bfc67dfb96c0e005cce033d8b456813/Screenshot_2016-05-03_10.19.53.png)
      ![Screenshot_2016-05-03_10.19.56](/uploads/e912abedd5b1d07d7185cee9f204c5ff/Screenshot_2016-05-03_10.19.56.png)
      ![Screenshot_2016-05-03_10.20.04](/uploads/9350d5c98823d1f3d4e59517dfb8910a/Screenshot_2016-05-03_10.20.04.png)
      ![Screenshot_2016-05-03_10.31.15](/uploads/84473dc263e0643311a39006e649035f/Screenshot_2016-05-03_10.31.15.png)
      ![Screenshot_2016-05-03_10.31.22](/uploads/13ce43e0d7a565000af29984667eeb08/Screenshot_2016-05-03_10.31.22.png)
      ![Screenshot_2016-05-03_10.31.37](/uploads/b90fbb40dbf9bbd73af324f48ffdc948/Screenshot_2016-05-03_10.31.37.png)
      ![Screenshot_2016-05-03_10.36.48](/uploads/41a0fbc493c6fefeafd922b3ddf2a25e/Screenshot_2016-05-03_10.36.48.png)
      
      See merge request !3905
      3cb69f0c
    • Timothy Andrew's avatar
      Add the U2F feature to the CHANGELOG · cdf7a6c2
      Timothy Andrew authored
      cdf7a6c2
    • Timothy Andrew's avatar
    • Timothy Andrew's avatar
    • Timothy Andrew's avatar
      Add a U2F-specific audit log entry after logging in. · 4db19bb4
      Timothy Andrew authored
      - "two-factor" for OTP-based 2FA
      - "two-factor-via-u2f-device" for U2F-based 2FA
      - "standard" for non-2FA login
      4db19bb4
    • Timothy Andrew's avatar
      Implement authentication (login) using a U2F device. · 86b07caa
      Timothy Andrew authored
      - Move the `authenticate_with_two_factor` method from
        `ApplicationController` to the `AuthenticatesWithTwoFactor` module,
        where it should be.
      86b07caa
    • Timothy Andrew's avatar
      Implement U2F registration. · 128549f1
      Timothy Andrew authored
      - Move the `TwoFactorAuthsController`'s `new` action to `show`, since
        the page is not used to create a single "two factor auth" anymore. We
        can have a single 2FA authenticator app, along with any number of U2F
        devices, in any combination, so the page will be accessed after the
        first "two factor auth" is created.
      - Add the `u2f` javascript library, which provides an API to the
        browser's U2F implementation.
      - Add tests for the JS components
      128549f1
    • Timothy Andrew's avatar
      Render `gon` data in the page `body`, not `head` · 1f713d52
      Timothy Andrew authored
      - Turbolinks caches the `head`, so `gon` updates don't show up unless
        the user navigates to page directly (by URL) or performs a refresh.
      - The solution is to render `gon` in the body instead.
      - Also update the syntax to the new Rails 4 (according to the gon
        README) syntax.
      1f713d52
    • Timothy Andrew's avatar
      Update the `browser` gem. · e5823f36
      Timothy Andrew authored
      - Need the `mobile?` detection (that the new version provides) for the
        U2F registration/ authentication flow
      e5823f36
    • Timothy Andrew's avatar
      Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew authored
      - To hold registrations from U2F devices, and to authenticate them.
      - Previously, `User#two_factor_enabled` was aliased to the
        `otp_required_for_login` column on `users`.
      - This commit changes things a bit:
          - `User#two_factor_enabled` is not a method anymore
          - `User#two_factor_enabled?` checks both the
            `otp_required_for_login` column, as well as `U2fRegistration`s
          - Change all instances of `User#two_factor_enabled` to
            `User#two_factor_enabled?`
      - Add the `u2f` gem, and implement registration/authentication at the
        model level.
      791cc913
    • Grzegorz Bizon's avatar
      Merge branch 'fix/rubocop-offense-in-specs' into 'master' · fc809d68
      Grzegorz Bizon authored
      Fix rubocop offense in awardable specs
      
      Fixes failing tests on master.
      
      See merge request !4481
      fc809d68
    • Grzegorz Bizon's avatar
      Fix rubocop offense in awardable specs · b75945e9
      Grzegorz Bizon authored
      b75945e9
  2. 05 Jun, 2016 2 commits
  3. 04 Jun, 2016 3 commits
  4. 03 Jun, 2016 21 commits