1. 06 Jun, 2016 17 commits
    • Douglas Barbosa Alexandre's avatar
      Import GitHub repositories respecting the API rate limit · 9437b8a2
      Douglas Barbosa Alexandre authored
      While Octokit auto pagination set the page size to the maximum 100, and
      seek to not overstep the rate limit. When the rate limit is reached its
      raises an exception, and stop doing new requests.
      
      Here we use a custom pattern for traversing large lists, so we can
      check if we’ll reach the rate limit and wait the API to reset the rate
      limit before making new requests.
      9437b8a2
    • Rémy Coutable's avatar
      Merge branch 'tests/extend-specs-for-build-badge' into 'master' · ac4e3e8c
      Rémy Coutable authored
      Extend specs for builds badge
      
      ## What does this MR do?
      
      This MR extends specs for builds badge.
      
      ## Why was this MR needed?
      
      We added an edge case to specs, while trying to reproduce problem described in #17549
      
      ## What are the relevant issue numbers?
      
      #17549
      
      See merge request !4401
      ac4e3e8c
    • Jacob Schatz's avatar
      Merge branch 'jquery2' into 'master' · 316630ad
      Jacob Schatz authored
      Upgraded jQuery to version 2
      
      ## What does this MR do?
      
      Upgrades jQuery to 2.2.1. 
      
      Had to include the task_list JS file directly as it includes jQuery 1 directly https://github.com/github-archive/task_list/blob/master/app/assets/javascripts/task_list.coffee#L8 so when we change jQuery to `jquery2` it was including both jQuery 1 & 2.
      
      ## Are there points in the code the reviewer needs to double check?
      
      For any JS errors
      
      ## What are the relevant issue numbers?
      
      Closes #12440
      
      See merge request !4384
      316630ad
    • Dmitriy Zaporozhets's avatar
    • Rémy Coutable's avatar
      Merge branch '15337-yubikey-support' into 'master' · 3cb69f0c
      Rémy Coutable authored
      Allow a U2F Device to be the Second Factor for Authentication
      
      Parent Issue: #15337 
      
      ## TODO
      - [ ] #15337 (!3905) FIDO/U2F 2FA using Yubikey
          - [x] Order a Yubikey?
          - [x] Do some reading to figure out what all this stuff means
          - [x] Look through the existing MR
          - [x] Browser support?
          - [x] Implementation
              - [x] User can register 2FA using their U2H device instead of authenticator
                  - [x] Barebones flow
                  - [x] Save the registration in the database
                  - [x] Authentication flow
                  - [x] First try after login/server start doesn't work
              - [x] User can log in using their U2F device
              - [x] Allow setting up authenticator if U2F is already set up (or vice versa)
              - [x] Change `two_factor_auths/new` to `show`
              - [x] `sign_requests` during registration? (Registering a device that has already been registered)
              - [x] 2FA skippable flow?
              - [x] Enforced 2FA flow (grace period?)
              - [x] Move the "Configure it Later" button to the right place
              - [x] Don't allow registration when the yubikey isn't plugged in
              - [x] Polish authentication flow
              - [x] Login should only show the 2FA method that's enabled
                  - [x] Message to say that u2f only works on chrome, and it's recommended to enable otp as well.
              - [x] Index for key_handle
              - [x] Server-side errors while registering/logging in
              - [x] Handle non-chrome browsers
              - [x] Try to authenticate with a key that hasn't been registered (shouldn't work)
              - [x] Try the same key for multiple user accounts (should work)
              - [x] Fix existing tests
              - [x] Make sure CI is green
              - [x] Add tests
                  - [x] Figure out how to fake the Yubikey
                  - [x] Teaspoon tests for the React components
                      - [x] Each device can only be registered once per user
                  - [x] Feature specs
                      - [x] Regular flows
                      - [x] Test error cases
              - [x] Refactoring
                  - [x] Refactor App ID
                  - [x] Clean up the `show` action
              - [x] Annotate methods with definition of U2F
              - [x] Changelog
              - [x] Fix merge conflicts
              - [x] Verify flows
                  - [x] Authenticator + no U2F
                  - [x] U2F + no authenticator
                  - [x] U2F + authenticator
                  - [x] U2F + authenticator -> disable 2FA
                  - [x] 2FA required with different grace periods
              - [x] Screenshots for MR
          - [x] Augment the [help docs](http://localhost:3000/help/profile/two_factor_authentication)
          - [x] Assign to endboss
          - [x] Ask for feedback on UI/UX
          - [x] Ask for feedback on copy
          - [x] Wait for review/merge
          - [x] Fix merge conflicts
          - [x] Wait for CI to pass
          - [x] Implement review comments/suggestions
              - [x] Move `TwoFactorAuthController#create_u2f` to a service
              - [x] Extra space before `Base64` in `u2f_registration` model
              - [x] Move `with/without_two_factor` scopes to class methods
              - [x] In `profiles/accounts/show`, add spaces at `{` and `}`
              - [x] Remove blank lines in `profiles/two_factor_auths/show`
              - [x] Fix typo in doc. "(universal 2nd factor )"
              - [x] Add "Added in 8.8" to doc
              - [x] In the doc, use 'Enable 2FA via mobile application' instead of 'Via Mobile Application'
              - [x] In the doc, use 'Enable 2FA via U2F device' instead of 'Via U2F Device
              - [x] Use "Two-Factor Authentication" everywhere
              - [x] Use `#icon` wrapper instead of `fa_stacked_icon`
              - [x] Check if `string` is enough for `key_handle` and `public_key`
              - [x] Separate `exercise` and `verify` phases of test (u2f_spec)
              - [x] Assert that `user_without_2fa` is _not_ in results (with_two_factor)
                  - [x] Remove rubocop exception
              - [x] Refactor call to `User.with_two_factor.count` to not include `.length`
              - [x] Add a note that makes the "Disable" button/feature obvious
              - [x] Remove i18n
              - [x] Test in Firefox with addon (+ create new issue for support)
              - [x] Remove React
                  - [x] Rewrite registration
                  - [x] Switch underscore template to default style
                  - [x] Rewrite authentication
                  - [x] Move `register` haml to `u2f` dir
                  - [x] Remove instance variables
                  - [x] Fix tests
                  - [x] Read SCSS guidelines
                  - [x] Address @connorshea's comments regarding text style
                  - [x] Make sure all classes and IDs are in line (add `js-` prefixes)
                      - [x] Register
                      - [x] Authenticate
                  - [x] Refactoring?
              - [x] Include non-minifed version of bowser
              - [x] Audit log
              - [x] Look at the `browser` gem (and don't use bowser)
              - [x] Error message when on HTTP?
          - [x] Test on Mobile
          - [x] Fix merge conflicts
          - [x] Retest all flows
          - [x] Back to Rémy for review
          - [x] Make sure CI is green
          - [x] Wait for merge / more feedback
          - [x] Implement @rymai's changes
              - [x] JS/Coffeescript variables should be lowerCamelCase
              - [x] Spaces before/after `}` and `{` in HAML (and elsewhere)
              - [x] Rails view helpers in u2f HAML
              - [x] `%div.row.append-bottom-10`
              - [x] Wrap line in `without_two_factor` scope
              - [x] Exception-less flow in `U2F::CreateService`
          - [x] Fix merge conflicts
          - [x] Move service to model class method
          - [x] Fix teaspoon specs
          - [x] Address @rymai's suggestions about error handing
          - [x] Javascript error constants
          - [x] Fix merge conflicts
          - [x] One final review
              - [x] Test "registration with errors" flow
          - [x] Assign to Remy
          - [x] Wait for replies from @jschatz1
          - [x] Address @rymai's comments
              - [x] Omit `%div`
              - [x] Scope `$.find` globally
              - [x] Replace `find('#element-id).click` with `click_on('Element Text')
          - [x] Rebase master + conflicts
          - [x] Look at https://news.ycombinator.com/item?id=11690774
          - [x] Address @connorshea's comment regarding HTTPS on localhost
          - [x] Final sanity check
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/c84179ad233529c33ee6ba8491cfea862c6cd864/builds)
          - [x] Address @rymai's next round of comments
              - [x] Interpolate `true` and `false` in DB scopes
              - [x] Why have `Gon::Base.render_data` thrice?
              - [x] `user_spec` should have correct spacing
              - [x] Use `arel_table[:id]` instead of `users.id`
              - [x] URL helper in `app/views/profiles/two_factor_auths/show.html.haml`
              - [x] Remove polyfill change
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/0123ab8/builds)
          - [x] Address @jschatz1's comments
              - [x] Use `on('click', ...)` instead of `click(...)`
              - [x] Use `is` and `isnt` in coffeescript
              - [x] Use `and` and `or` in coffeescript
          - [x] Add `Gon::Base.render_data` to `devise_empty` (and other base layouts)
          - [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/401916397336174c582be3d3004a072f845d4b5f/builds)
          - [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/75955710ef9a5f0dcee04e8617028c0e3ea5bf50/builds) to pass
          - [x] Fix merge conflicts
          - [x] Inspect diff / workflow
          - [x] Assign back to @rymai
          - [x] Make sure [ci](https://gitlab.com/gitlab-org/gitlab-ce/commit/2c6316b29a9276ef44c7b4b39363a611bf5973a6/builds) has passed
          - [x] Fix merge conflicts (probably introduced by [devise upgrade](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4216)
          - [x] Wait for [CI](https://gitlab.com/gitlab-org/gitlab-ce/commit/a5ef48b7aa63d0d9e45b41643043b57208eaab9f/builds) to pass
          - [x] Respond to @rymai's comments
              - [x] Use `elsif`
              - [x] Check if we need `and return`
              - [x] Only fetch key handles from the DB
              - [x] No annotations to models?
              - [x] Align hash keys in model
          - [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/e0ef504734e7f14813c73bbb79f5c5f6fae3248c/builds) to pass
          - [ ] Wait for merge
      
      ## Screenshots
      
      ![Screenshot_2016-05-03_09.53.04](/uploads/1af3f277efa488dc107d36e6b4b07ca4/Screenshot_2016-05-03_09.53.04.png)
      ![Screenshot_2016-05-03_10.19.53](/uploads/2bfc67dfb96c0e005cce033d8b456813/Screenshot_2016-05-03_10.19.53.png)
      ![Screenshot_2016-05-03_10.19.56](/uploads/e912abedd5b1d07d7185cee9f204c5ff/Screenshot_2016-05-03_10.19.56.png)
      ![Screenshot_2016-05-03_10.20.04](/uploads/9350d5c98823d1f3d4e59517dfb8910a/Screenshot_2016-05-03_10.20.04.png)
      ![Screenshot_2016-05-03_10.31.15](/uploads/84473dc263e0643311a39006e649035f/Screenshot_2016-05-03_10.31.15.png)
      ![Screenshot_2016-05-03_10.31.22](/uploads/13ce43e0d7a565000af29984667eeb08/Screenshot_2016-05-03_10.31.22.png)
      ![Screenshot_2016-05-03_10.31.37](/uploads/b90fbb40dbf9bbd73af324f48ffdc948/Screenshot_2016-05-03_10.31.37.png)
      ![Screenshot_2016-05-03_10.36.48](/uploads/41a0fbc493c6fefeafd922b3ddf2a25e/Screenshot_2016-05-03_10.36.48.png)
      
      See merge request !3905
      3cb69f0c
    • Douwe Maan's avatar
      Merge branch 'fix/unauthorized-access-to-build-data' into 'master' · 184aa521
      Douwe Maan authored
      Remove 'unscoped' from project builds selection
      
      This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188
      
      /cc @kamil @grzegorz @stanhu 
      
      See merge request !1968
      184aa521
    • Timothy Andrew's avatar
      Add the U2F feature to the CHANGELOG · cdf7a6c2
      Timothy Andrew authored
      cdf7a6c2
    • Timothy Andrew's avatar
    • Timothy Andrew's avatar
    • Timothy Andrew's avatar
      Add a U2F-specific audit log entry after logging in. · 4db19bb4
      Timothy Andrew authored
      - "two-factor" for OTP-based 2FA
      - "two-factor-via-u2f-device" for U2F-based 2FA
      - "standard" for non-2FA login
      4db19bb4
    • Timothy Andrew's avatar
      Implement authentication (login) using a U2F device. · 86b07caa
      Timothy Andrew authored
      - Move the `authenticate_with_two_factor` method from
        `ApplicationController` to the `AuthenticatesWithTwoFactor` module,
        where it should be.
      86b07caa
    • Timothy Andrew's avatar
      Implement U2F registration. · 128549f1
      Timothy Andrew authored
      - Move the `TwoFactorAuthsController`'s `new` action to `show`, since
        the page is not used to create a single "two factor auth" anymore. We
        can have a single 2FA authenticator app, along with any number of U2F
        devices, in any combination, so the page will be accessed after the
        first "two factor auth" is created.
      - Add the `u2f` javascript library, which provides an API to the
        browser's U2F implementation.
      - Add tests for the JS components
      128549f1
    • Timothy Andrew's avatar
      Render `gon` data in the page `body`, not `head` · 1f713d52
      Timothy Andrew authored
      - Turbolinks caches the `head`, so `gon` updates don't show up unless
        the user navigates to page directly (by URL) or performs a refresh.
      - The solution is to render `gon` in the body instead.
      - Also update the syntax to the new Rails 4 (according to the gon
        README) syntax.
      1f713d52
    • Timothy Andrew's avatar
      Update the `browser` gem. · e5823f36
      Timothy Andrew authored
      - Need the `mobile?` detection (that the new version provides) for the
        U2F registration/ authentication flow
      e5823f36
    • Timothy Andrew's avatar
      Add a `U2fRegistrations` table/model. · 791cc913
      Timothy Andrew authored
      - To hold registrations from U2F devices, and to authenticate them.
      - Previously, `User#two_factor_enabled` was aliased to the
        `otp_required_for_login` column on `users`.
      - This commit changes things a bit:
          - `User#two_factor_enabled` is not a method anymore
          - `User#two_factor_enabled?` checks both the
            `otp_required_for_login` column, as well as `U2fRegistration`s
          - Change all instances of `User#two_factor_enabled` to
            `User#two_factor_enabled?`
      - Add the `u2f` gem, and implement registration/authentication at the
        model level.
      791cc913
    • Grzegorz Bizon's avatar
      Merge branch 'fix/rubocop-offense-in-specs' into 'master' · fc809d68
      Grzegorz Bizon authored
      Fix rubocop offense in awardable specs
      
      Fixes failing tests on master.
      
      See merge request !4481
      fc809d68
    • Grzegorz Bizon's avatar
      Fix rubocop offense in awardable specs · b75945e9
      Grzegorz Bizon authored
      b75945e9
  2. 05 Jun, 2016 4 commits
  3. 04 Jun, 2016 3 commits
  4. 03 Jun, 2016 16 commits