Commit 18fc6343 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'if-webauthn-avoid_falling_back_to_u2f' into 'master'

Avoid falling back to U2F registrations when WebAuthn enabled

See merge request gitlab-org/gitlab!75748
parents 309d0906 1f9dee79
......@@ -25,7 +25,7 @@ module AuthenticatesWithTwoFactor
session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
push_frontend_feature_flag(:webauthn)
if user.two_factor_webauthn_enabled?
if Feature.enabled?(:webauthn)
setup_webauthn_authentication(user)
else
setup_u2f_authentication(user)
......
......@@ -917,6 +917,8 @@ class User < ApplicationRecord
end
def two_factor_u2f_enabled?
return false if Feature.enabled?(:webauthn)
if u2f_registrations.loaded?
u2f_registrations.any?
else
......
......@@ -26,6 +26,7 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
context 'when U2F authentication fails' do
before do
stub_feature_flags(webauthn: false)
allow(U2fRegistration).to receive(:authenticate).and_return(false)
end
......
......@@ -104,6 +104,7 @@ RSpec.describe SessionsController, :geo do
context 'when U2F authentication fails' do
before do
stub_feature_flags(webauthn: false)
allow(U2fRegistration).to receive(:authenticate).and_return(false)
end
......
......@@ -113,35 +113,6 @@ RSpec.describe 'Using WebAuthn Devices for Authentication', :js do
describe 'authentication' do
let(:otp_required_for_login) { true }
let(:user) { create(:user, webauthn_xid: WebAuthn.generate_user_id, otp_required_for_login: otp_required_for_login) }
describe 'when there is only an U2F device' do
let!(:u2f_device) do
fake_device = U2F::FakeU2F.new(app_id) # "Client"
u2f = U2F::U2F.new(app_id) # "Server"
challenges = u2f.registration_requests.map(&:challenge)
device_response = fake_device.register_response(challenges[0])
device_registration_params = { device_response: device_response,
name: 'My device' }
U2fRegistration.register(user, app_id, device_registration_params, challenges)
FakeU2fDevice.new(page, 'My device', fake_device)
end
it 'falls back to U2F' do
# WebAuthn registration is automatically created with the U2fRegistration because of the after_create callback
# so we need to delete it
WebauthnRegistration.delete_all
gitlab_sign_in(user)
u2f_device.respond_to_u2f_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe 'when there is a WebAuthn device' do
let!(:webauthn_device) do
add_webauthn_device(app_id, user)
end
......@@ -234,5 +205,4 @@ RSpec.describe 'Using WebAuthn Devices for Authentication', :js do
end
end
end
end
end
......@@ -1726,6 +1726,52 @@ RSpec.describe User do
end
end
context 'two_factor_u2f_enabled?' do
let_it_be(:user) { create(:user, :two_factor) }
context 'when webauthn feature flag is enabled' do
context 'user has no U2F registration' do
it { expect(user.two_factor_u2f_enabled?).to eq(false) }
end
context 'user has existing U2F registration' do
it 'returns false' do
device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
create(:u2f_registration, name: 'my u2f device',
user: user,
certificate: Base64.strict_encode64(device.cert_raw),
key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
public_key: Base64.strict_encode64(device.origin_public_key_raw))
expect(user.two_factor_u2f_enabled?).to eq(false)
end
end
end
context 'when webauthn feature flag is disabled' do
before do
stub_feature_flags(webauthn: false)
end
context 'user has no U2F registration' do
it { expect(user.two_factor_u2f_enabled?).to eq(false) }
end
context 'user has existing U2F registration' do
it 'returns true' do
device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
create(:u2f_registration, name: 'my u2f device',
user: user,
certificate: Base64.strict_encode64(device.cert_raw),
key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
public_key: Base64.strict_encode64(device.origin_public_key_raw))
expect(user.two_factor_u2f_enabled?).to eq(true)
end
end
end
end
describe 'projects' do
before do
@user = create(:user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment