Commit be97241a authored by Michael Kozono's avatar Michael Kozono

Merge branch 'oauth_bypass_two_factor' into 'master'

Add option to allow OAuth providers to bypass two factor

Closes #56059

See merge request gitlab-org/gitlab-ce!31996
parents 5e59c919 6e2032f2
---
title: Add option to allow OAuth providers to bypass two factor
merge_request: 31996
author: Dodocat
type: added
...@@ -780,6 +780,14 @@ production: &base ...@@ -780,6 +780,14 @@ production: &base
# (default: []) # (default: [])
external_providers: [] external_providers: []
# CAUTION!
# This allows users to login with the specified providers without two factor. Define the allowed providers
# using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
# This option should only be configured for providers which already have two factor.
# This configration dose not apply to SAML.
# (default: false)
allow_bypass_two_factor: ["twitter", 'google_oauth2']
## Auth providers ## Auth providers
# Uncomment the following lines and fill in the data of the auth provider you want to use # Uncomment the following lines and fill in the data of the auth provider you want to use
# If your favorite auth provider is not listed you can use others: # If your favorite auth provider is not listed you can use others:
......
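Review bot: The example ships `allow_bypass_two_factor: ["twitter", 'google_oauth2']` while the comment just above states `(default: false)`, so an installation that copies gitlab.yml.example unchanged exempts those two providers from two-factor without anyone having decided to; the sibling `external_providers: []` two lines up ships its default instead. I would commit the default and keep the array only as the example in the comment: `allow_bypass_two_factor: false`. The comment line `# This configration dose not apply to SAML.` should read `# This configuration does not apply to SAML.`, and the same typo is repeated in the documentation hunk further down in this commit.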
...@@ -84,6 +84,7 @@ Settings['omniauth'] ||= Settingslogic.new({}) ...@@ -84,6 +84,7 @@ Settings['omniauth'] ||= Settingslogic.new({})
Settings.omniauth['enabled'] = true if Settings.omniauth['enabled'].nil? Settings.omniauth['enabled'] = true if Settings.omniauth['enabled'].nil?
Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil? Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil?
Settings.omniauth['allow_single_sign_on'] = false if Settings.omniauth['allow_single_sign_on'].nil? Settings.omniauth['allow_single_sign_on'] = false if Settings.omniauth['allow_single_sign_on'].nil?
Settings.omniauth['allow_bypass_two_factor'] = false if Settings.omniauth['allow_bypass_two_factor'].nil?
Settings.omniauth['external_providers'] = [] if Settings.omniauth['external_providers'].nil? Settings.omniauth['external_providers'] = [] if Settings.omniauth['external_providers'].nil?
Settings.omniauth['block_auto_created_users'] = true if Settings.omniauth['block_auto_created_users'].nil? Settings.omniauth['block_auto_created_users'] = true if Settings.omniauth['block_auto_created_users'].nil?
Settings.omniauth['auto_link_ldap_user'] = false if Settings.omniauth['auto_link_ldap_user'].nil? Settings.omniauth['auto_link_ldap_user'] = false if Settings.omniauth['auto_link_ldap_user'].nil?
......
...@@ -277,3 +277,23 @@ omniauth: ...@@ -277,3 +277,23 @@ omniauth:
sync_profile_from_provider: ['twitter', 'google_oauth2'] sync_profile_from_provider: ['twitter', 'google_oauth2']
sync_profile_attributes: ['email', 'location'] sync_profile_attributes: ['email', 'location']
``` ```
## Bypassing two factor authentication
Starting with GitLab 12.3, this allows users to login with the specified
providers without two factor authentication.
Define the allowed providers using an array, e.g. `["twitter", 'google_oauth2']`, or as
`true`/`false` to allow all providers or none. This option should only be configured
for providers which already have two factor authentication (default: false).
This configration dose not apply to SAML.
```ruby
gitlab_rails['omniauth_allow_bypass_two_factor'] = ['twitter', 'google_oauth2']
```
**For installations from source**
```yaml
omniauth:
allow_bypass_two_factor: ['twitter', 'google_oauth2']
```
...@@ -77,7 +77,12 @@ module Gitlab ...@@ -77,7 +77,12 @@ module Gitlab
end end
def bypass_two_factor? def bypass_two_factor?
false providers = Gitlab.config.omniauth.allow_bypass_two_factor
if providers.is_a?(Array)
providers.include?(auth_hash.provider)
else
providers
end
end end
protected protected
......
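Review bot: The `else` branch returns the raw configuration value (`providers`), so any non-Array value other than `false`/`nil` — a provider name written as a bare string such as `allow_bypass_two_factor: 'twitter'`, or a quoted `"false"` — is truthy and skips two-factor for every provider; the 1_settings.rb hunk in this commit only fills in `nil` and does not normalize the type. Comparing explicitly fails closed on a misconfiguration: `providers == true`. A short comment above the method would also state the contract, e.g. `# Whether this auth_hash's provider may skip two-factor: true for all providers, false for none, or an Array of provider names.` The enclosing module continues outside the hunk, so I cannot see whether a SAML subclass overrides this as the configuration comment implies.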
...@@ -55,6 +55,18 @@ describe 'OAuth Login', :js, :allow_forgery_protection do ...@@ -55,6 +55,18 @@ describe 'OAuth Login', :js, :allow_forgery_protection do
expect(current_path).to eq root_path expect(current_path).to eq root_path
end end
it 'when bypass-two-factor is enabled' do
allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: true)
login_via(provider.to_s, user, uid, remember_me: false)
expect(current_path).to eq root_path
end
it 'when bypass-two-factor is disabled' do
allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: false)
login_with_provider(provider, enter_two_factor: true)
expect(current_path).to eq root_path
end
end end
context 'when "remember me" is checked' do context 'when "remember me" is checked' do
......
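Review bot: The example names `it 'when bypass-two-factor is enabled'` and `it 'when bypass-two-factor is disabled'` read as fragments, and unlike the unit spec in this commit they stub the setting with `allow(Gitlab.config.omniauth).to receive_messages(...)` rather than `stub_omniauth_config`. I would write `it 'signs in without a two-factor prompt when bypass is enabled' do` with `stub_omniauth_config(allow_bypass_two_factor: true)` (if that helper is included for feature specs), and the mirror for the disabled case. Whether `user` in this context has two-factor enabled is set up outside the hunk, so the enabled example only proves the bypass if that is the case — worth confirming; the Array form of the setting is exercised only in the unit spec.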
...@@ -787,11 +787,25 @@ describe Gitlab::Auth::OAuth::User do ...@@ -787,11 +787,25 @@ describe Gitlab::Auth::OAuth::User do
end end
end end
describe '#bypass_two_factor?' do describe "#bypass_two_factor?" do
subject { oauth_user.bypass_two_factor? } it "when with allow_bypass_two_factor disabled (Default)" do
stub_omniauth_config(allow_bypass_two_factor: false)
expect(oauth_user.bypass_two_factor?).to be_falsey
end
it "when with allow_bypass_two_factor enabled" do
stub_omniauth_config(allow_bypass_two_factor: true)
expect(oauth_user.bypass_two_factor?).to be_truthy
end
it "when provider in allow_bypass_two_factor array" do
stub_omniauth_config(allow_bypass_two_factor: [provider])
expect(oauth_user.bypass_two_factor?).to be_truthy
end
it 'returns always false' do it "when provider not in allow_bypass_two_factor array" do
is_expected.to be_falsey stub_omniauth_config(allow_bypass_two_factor: ["foo"])
expect(oauth_user.bypass_two_factor?).to be_falsey
end end
end end
end end
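Review bot: `be_truthy`/`be_falsey` hides that `bypass_two_factor?` returns the raw configuration value in the non-Array case rather than a boolean; `expect(oauth_user.bypass_two_factor?).to be(true)` and `be(false)` would pin the predicate contract. The examples also do not cover a non-Array, non-boolean value such as a provider name written as a bare string, which is the most likely YAML misconfiguration; an example using `stub_omniauth_config(allow_bypass_two_factor: 'twitter')` and expecting `be(false)` would document the intended fail-closed behaviour. The descriptions `"when with allow_bypass_two_factor disabled (Default)"` are not sentences; `"returns false when allow_bypass_two_factor is false (the default)"` reads better and the same applies to the other three.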