Remove all descendant selectors from the push email styling, to
drastically reduce CPU time when inlining the CSS for syntax-highlighted
diffs.
Background:
Premailer is a Ruby gem that inlines CSS styles from an external
stylesheet before emails are sent, so that they are compatible with
Gmail. At a high level, it parses the CSS files it finds, and parses the
email body with Nokogiri. It then loops through the selectors in the
CSS, using Nokogiri to find matching elements, and adds inline
styles. (It does more than this, like merging styles applied to the same
element, but that's not relevant to this issue.)
Nokogiri converts CSS selectors to XPath first, like so:
Nokogiri::CSS.xpath_for('foo bar')
# => ["//foo//bar"]
On documents with high node counts (say, a syntax-highlighted copy of
jQuery), having both descendant selectors is very expensive. Both
`//foo/bar` and `//bar` will be much more efficient, although neither
are directly equivalent.
An example, on a document containing two syntax-highlighted copies of
jQuery:
Benchmark.realtime { p doc.search('.o').count }
# 9476
# => 0.3462457580026239
Benchmark.realtime { p doc.search('.code.white .o').count }
# 9476
# => 85.51952634402551
The performance is similar for selectors which _don't_ match any
elements, and as Premailer loops through all the available selectors, we
want to avoid all descendant selectors in push emails.
Because of the theming support in the web UI, all syntax highlighting
selectors are descendant selectors of classes like `.code.white` or
`.code.monokai`. There are over 60 CSS classes for syntax highlighting
styles alone, all of which are expressed in the inefficient form above.
In emails we always use the white theme, and were reusing the same CSS
file. But in emails, we don't need to descend from `.code.white` as that
will always be the theme, and we can also remove some other selectors
that are only applicable to the web UI. For the remaining descendant
selectors, we can convert them to child selectors, type selectors, or
class selectors as appropriate.
As in the example above, having no descendant selectors at all in the
push email CSS can provide a drastic (and surprising) performance
improvement.
Allow a U2F Device to be the Second Factor for Authentication
Parent Issue: #15337
## TODO
- [ ] #15337 (!3905) FIDO/U2F 2FA using Yubikey
- [x] Order a Yubikey?
- [x] Do some reading to figure out what all this stuff means
- [x] Look through the existing MR
- [x] Browser support?
- [x] Implementation
- [x] User can register 2FA using their U2H device instead of authenticator
- [x] Barebones flow
- [x] Save the registration in the database
- [x] Authentication flow
- [x] First try after login/server start doesn't work
- [x] User can log in using their U2F device
- [x] Allow setting up authenticator if U2F is already set up (or vice versa)
- [x] Change `two_factor_auths/new` to `show`
- [x] `sign_requests` during registration? (Registering a device that has already been registered)
- [x] 2FA skippable flow?
- [x] Enforced 2FA flow (grace period?)
- [x] Move the "Configure it Later" button to the right place
- [x] Don't allow registration when the yubikey isn't plugged in
- [x] Polish authentication flow
- [x] Login should only show the 2FA method that's enabled
- [x] Message to say that u2f only works on chrome, and it's recommended to enable otp as well.
- [x] Index for key_handle
- [x] Server-side errors while registering/logging in
- [x] Handle non-chrome browsers
- [x] Try to authenticate with a key that hasn't been registered (shouldn't work)
- [x] Try the same key for multiple user accounts (should work)
- [x] Fix existing tests
- [x] Make sure CI is green
- [x] Add tests
- [x] Figure out how to fake the Yubikey
- [x] Teaspoon tests for the React components
- [x] Each device can only be registered once per user
- [x] Feature specs
- [x] Regular flows
- [x] Test error cases
- [x] Refactoring
- [x] Refactor App ID
- [x] Clean up the `show` action
- [x] Annotate methods with definition of U2F
- [x] Changelog
- [x] Fix merge conflicts
- [x] Verify flows
- [x] Authenticator + no U2F
- [x] U2F + no authenticator
- [x] U2F + authenticator
- [x] U2F + authenticator -> disable 2FA
- [x] 2FA required with different grace periods
- [x] Screenshots for MR
- [x] Augment the [help docs](http://localhost:3000/help/profile/two_factor_authentication)
- [x] Assign to endboss
- [x] Ask for feedback on UI/UX
- [x] Ask for feedback on copy
- [x] Wait for review/merge
- [x] Fix merge conflicts
- [x] Wait for CI to pass
- [x] Implement review comments/suggestions
- [x] Move `TwoFactorAuthController#create_u2f` to a service
- [x] Extra space before `Base64` in `u2f_registration` model
- [x] Move `with/without_two_factor` scopes to class methods
- [x] In `profiles/accounts/show`, add spaces at `{` and `}`
- [x] Remove blank lines in `profiles/two_factor_auths/show`
- [x] Fix typo in doc. "(universal 2nd factor )"
- [x] Add "Added in 8.8" to doc
- [x] In the doc, use 'Enable 2FA via mobile application' instead of 'Via Mobile Application'
- [x] In the doc, use 'Enable 2FA via U2F device' instead of 'Via U2F Device
- [x] Use "Two-Factor Authentication" everywhere
- [x] Use `#icon` wrapper instead of `fa_stacked_icon`
- [x] Check if `string` is enough for `key_handle` and `public_key`
- [x] Separate `exercise` and `verify` phases of test (u2f_spec)
- [x] Assert that `user_without_2fa` is _not_ in results (with_two_factor)
- [x] Remove rubocop exception
- [x] Refactor call to `User.with_two_factor.count` to not include `.length`
- [x] Add a note that makes the "Disable" button/feature obvious
- [x] Remove i18n
- [x] Test in Firefox with addon (+ create new issue for support)
- [x] Remove React
- [x] Rewrite registration
- [x] Switch underscore template to default style
- [x] Rewrite authentication
- [x] Move `register` haml to `u2f` dir
- [x] Remove instance variables
- [x] Fix tests
- [x] Read SCSS guidelines
- [x] Address @connorshea's comments regarding text style
- [x] Make sure all classes and IDs are in line (add `js-` prefixes)
- [x] Register
- [x] Authenticate
- [x] Refactoring?
- [x] Include non-minifed version of bowser
- [x] Audit log
- [x] Look at the `browser` gem (and don't use bowser)
- [x] Error message when on HTTP?
- [x] Test on Mobile
- [x] Fix merge conflicts
- [x] Retest all flows
- [x] Back to Rémy for review
- [x] Make sure CI is green
- [x] Wait for merge / more feedback
- [x] Implement @rymai's changes
- [x] JS/Coffeescript variables should be lowerCamelCase
- [x] Spaces before/after `}` and `{` in HAML (and elsewhere)
- [x] Rails view helpers in u2f HAML
- [x] `%div.row.append-bottom-10`
- [x] Wrap line in `without_two_factor` scope
- [x] Exception-less flow in `U2F::CreateService`
- [x] Fix merge conflicts
- [x] Move service to model class method
- [x] Fix teaspoon specs
- [x] Address @rymai's suggestions about error handing
- [x] Javascript error constants
- [x] Fix merge conflicts
- [x] One final review
- [x] Test "registration with errors" flow
- [x] Assign to Remy
- [x] Wait for replies from @jschatz1
- [x] Address @rymai's comments
- [x] Omit `%div`
- [x] Scope `$.find` globally
- [x] Replace `find('#element-id).click` with `click_on('Element Text')
- [x] Rebase master + conflicts
- [x] Look at https://news.ycombinator.com/item?id=11690774
- [x] Address @connorshea's comment regarding HTTPS on localhost
- [x] Final sanity check
- [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/c84179ad233529c33ee6ba8491cfea862c6cd864/builds)
- [x] Address @rymai's next round of comments
- [x] Interpolate `true` and `false` in DB scopes
- [x] Why have `Gon::Base.render_data` thrice?
- [x] `user_spec` should have correct spacing
- [x] Use `arel_table[:id]` instead of `users.id`
- [x] URL helper in `app/views/profiles/two_factor_auths/show.html.haml`
- [x] Remove polyfill change
- [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/0123ab8/builds)
- [x] Address @jschatz1's comments
- [x] Use `on('click', ...)` instead of `click(...)`
- [x] Use `is` and `isnt` in coffeescript
- [x] Use `and` and `or` in coffeescript
- [x] Add `Gon::Base.render_data` to `devise_empty` (and other base layouts)
- [x] Wait for [CI to pass](https://gitlab.com/gitlab-org/gitlab-ce/commit/401916397336174c582be3d3004a072f845d4b5f/builds)
- [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/75955710ef9a5f0dcee04e8617028c0e3ea5bf50/builds) to pass
- [x] Fix merge conflicts
- [x] Inspect diff / workflow
- [x] Assign back to @rymai
- [x] Make sure [ci](https://gitlab.com/gitlab-org/gitlab-ce/commit/2c6316b29a9276ef44c7b4b39363a611bf5973a6/builds) has passed
- [x] Fix merge conflicts (probably introduced by [devise upgrade](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4216)
- [x] Wait for [CI](https://gitlab.com/gitlab-org/gitlab-ce/commit/a5ef48b7aa63d0d9e45b41643043b57208eaab9f/builds) to pass
- [x] Respond to @rymai's comments
- [x] Use `elsif`
- [x] Check if we need `and return`
- [x] Only fetch key handles from the DB
- [x] No annotations to models?
- [x] Align hash keys in model
- [x] Wait for [build](https://gitlab.com/gitlab-org/gitlab-ce/commit/e0ef504734e7f14813c73bbb79f5c5f6fae3248c/builds) to pass
- [ ] Wait for merge
## Screenshots
See merge request !3905
Remove 'unscoped' from project builds selection This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188 /cc @kamil @grzegorz @stanhu See merge request !1968
- "two-factor" for OTP-based 2FA - "two-factor-via-u2f-device" for U2F-based 2FA - "standard" for non-2FA login
- Move the `authenticate_with_two_factor` method from `ApplicationController` to the `AuthenticatesWithTwoFactor` module, where it should be.
- Move the `TwoFactorAuthsController`'s `new` action to `show`, since the page is not used to create a single "two factor auth" anymore. We can have a single 2FA authenticator app, along with any number of U2F devices, in any combination, so the page will be accessed after the first "two factor auth" is created. - Add the `u2f` javascript library, which provides an API to the browser's U2F implementation. - Add tests for the JS components