Avoid falling back to U2F registrations when WebAuthn enabled

1f9dee79 · Imre Farkas · 733ba47f · 1f9dee79 · 1f9dee79 · 1f9dee79
Commit 1f9dee79 authored Dec 02, 2021 by Imre Farkas
6 changed files
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
@@ -25,7 +25,7 @@ module AuthenticatesWithTwoFactor
    session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
    push_frontend_feature_flag(:webauthn)
-    if user.two_factor_webauthn_enabled?
+    if Feature.enabled?(:webauthn)
      setup_webauthn_authentication(user)
    else
      setup_u2f_authentication(user)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -917,6 +917,8 @@ class User < ApplicationRecord
  end
  def two_factor_u2f_enabled?
+    return false if Feature.enabled?(:webauthn)
    if u2f_registrations.loaded?
      u2f_registrations.any?
    else

--- a/ee/spec/controllers/ee/admin/sessions_controller_spec.rb
+++ b/ee/spec/controllers/ee/admin/sessions_controller_spec.rb
@@ -26,6 +26,7 @@ RSpec.describe Admin::SessionsController, :do_not_mock_admin_mode do
      context 'when U2F authentication fails' do
        before do
+          stub_feature_flags(webauthn: false)
          allow(U2fRegistration).to receive(:authenticate).and_return(false)
        end

--- a/ee/spec/controllers/ee/sessions_controller_spec.rb
+++ b/ee/spec/controllers/ee/sessions_controller_spec.rb
@@ -104,6 +104,7 @@ RSpec.describe SessionsController, :geo do
      context 'when U2F authentication fails' do
        before do
+          stub_feature_flags(webauthn: false)
          allow(U2fRegistration).to receive(:authenticate).and_return(false)
        end

--- a/spec/features/webauthn_spec.rb
+++ b/spec/features/webauthn_spec.rb
@@ -113,35 +113,6 @@ RSpec.describe 'Using WebAuthn Devices for Authentication', :js do
  describe 'authentication' do
    let(:otp_required_for_login) { true }
    let(:user) { create(:user, webauthn_xid: WebAuthn.generate_user_id, otp_required_for_login: otp_required_for_login) }
-    describe 'when there is only an U2F device' do
-      let!(:u2f_device) do
-        fake_device = U2F::FakeU2F.new(app_id) # "Client"
-        u2f = U2F::U2F.new(app_id) # "Server"
-        challenges = u2f.registration_requests.map(&:challenge)
-        device_response = fake_device.register_response(challenges[0])
-        device_registration_params = { device_response: device_response,
-                                       name: 'My device' }
-        U2fRegistration.register(user, app_id, device_registration_params, challenges)
-        FakeU2fDevice.new(page, 'My device', fake_device)
-      end
-      it 'falls back to U2F' do
-        # WebAuthn registration is automatically created with the U2fRegistration because of the after_create callback
-        # so we need to delete it
-        WebauthnRegistration.delete_all
-        gitlab_sign_in(user)
-        u2f_device.respond_to_u2f_authentication
-        expect(page).to have_css('.sign-out-link', visible: false)
-      end
-    end
-    describe 'when there is a WebAuthn device' do
    let!(:webauthn_device) do
      add_webauthn_device(app_id, user)
    end
@@ -234,5 +205,4 @@ RSpec.describe 'Using WebAuthn Devices for Authentication', :js do
      end
    end
  end
-  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1726,6 +1726,52 @@ RSpec.describe User do
    end
  end
+  context 'two_factor_u2f_enabled?' do
+    let_it_be(:user) { create(:user, :two_factor) }
+    context 'when webauthn feature flag is enabled' do
+      context 'user has no U2F registration' do
+        it { expect(user.two_factor_u2f_enabled?).to eq(false) }
+      end
+      context 'user has existing U2F registration' do
+        it 'returns false' do
+          device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
+          create(:u2f_registration, name: 'my u2f device',
+                 user: user,
+                 certificate: Base64.strict_encode64(device.cert_raw),
+                 key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
+                 public_key: Base64.strict_encode64(device.origin_public_key_raw))
+          expect(user.two_factor_u2f_enabled?).to eq(false)
+        end
+      end
+    end
+    context 'when webauthn feature flag is disabled' do
+      before do
+        stub_feature_flags(webauthn: false)
+      end
+      context 'user has no U2F registration' do
+        it { expect(user.two_factor_u2f_enabled?).to eq(false) }
+      end
+      context 'user has existing U2F registration' do
+        it 'returns true' do
+          device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
+          create(:u2f_registration, name: 'my u2f device',
+                 user: user,
+                 certificate: Base64.strict_encode64(device.cert_raw),
+                 key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
+                 public_key: Base64.strict_encode64(device.origin_public_key_raw))
+          expect(user.two_factor_u2f_enabled?).to eq(true)
+        end
+      end
+    end
+  end
  describe 'projects' do
    before do
      @user = create(:user)