From 8e3f1fa629a61741282214b293c1bc9438aada59 Mon Sep 17 00:00:00 2001 From: tduehr Date: Wed, 11 Nov 2015 22:25:31 -0600 Subject: add CAS authentication support --- app/controllers/application_controller.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 0d182e8eb04..01e2e7b2f98 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,6 +10,7 @@ class ApplicationController < ActionController::Base before_action :authenticate_user_from_token! before_action :authenticate_user! + before_action :validate_user_service_ticket! before_action :reject_blocked! before_action :check_password_expiration before_action :ldap_security_check @@ -202,6 +203,20 @@ class ApplicationController < ActionController::Base end end + def validate_user_service_ticket! + return unless signed_in? && session[:service_tickets] + + valid = session[:service_tickets].all? do |provider, ticket| + Gitlab::OAuth::Session.valid?(provider, ticket) + end + + unless valid + session[:service_tickets] = nil + sign_out current_user + redirect_to new_user_session_path + end + end + def check_password_expiration if current_user && current_user.password_expires_at && current_user.password_expires_at < Time.now && !current_user.ldap_user? redirect_to new_profile_password_path and return -- cgit v1.2.1 From 33964469b38e2b36b200b20fe3061371a5f5ab18 Mon Sep 17 00:00:00 2001 From: Gabriel Mazetto Date: Fri, 18 Dec 2015 18:29:13 -0200 Subject: WIP require two factor authentication --- app/controllers/application_controller.rb | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 01e2e7b2f98..e15d83631b3 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base before_action :validate_user_service_ticket! before_action :reject_blocked! before_action :check_password_expiration + before_action :check_tfa_requirement before_action :ldap_security_check before_action :default_headers before_action :add_gon_variables @@ -223,6 +224,13 @@ class ApplicationController < ActionController::Base end end + def check_tfa_requirement + if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled + redirect_to new_profile_two_factor_auth_path, + alert: 'You must configure Two-Factor Authentication in your account' + end + end + def ldap_security_check if current_user && current_user.requires_ldap_check? unless Gitlab::LDAP::Access.allowed?(current_user) @@ -357,6 +365,10 @@ class ApplicationController < ActionController::Base current_application_settings.import_sources.include?('git') end + def two_factor_authentication_required? + current_application_settings.require_two_factor_authentication + end + def redirect_to_home_page_url? # If user is not signed-in and tries to access root_path - redirect him to landing page # Don't redirect to the default URL to prevent endless redirections -- cgit v1.2.1 From 31fb2b7702345fbf597c2cb17466567776433a56 Mon Sep 17 00:00:00 2001 From: Gabriel Mazetto Date: Thu, 24 Dec 2015 00:02:52 -0200 Subject: Grace period support for TFA --- app/controllers/application_controller.rb | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index e15d83631b3..978a269ca52 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -225,9 +225,13 @@ class ApplicationController < ActionController::Base end def check_tfa_requirement - if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled + if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor? + grace_period_started = current_user.otp_grace_period_started_at + grace_period_deadline = grace_period_started + two_factor_grace_period.hours + + deadline_text = "until #{l(grace_period_deadline)}" unless two_factor_grace_period_expired?(grace_period_started) redirect_to new_profile_two_factor_auth_path, - alert: 'You must configure Two-Factor Authentication in your account' + alert: "You must configure Two-Factor Authentication in your account #{deadline_text}" end end @@ -369,6 +373,18 @@ class ApplicationController < ActionController::Base current_application_settings.require_two_factor_authentication end + def two_factor_grace_period + current_application_settings.two_factor_grace_period + end + + def two_factor_grace_period_expired?(date) + date && (date + two_factor_grace_period.hours) < Time.current + end + + def skip_two_factor? + session[:skip_tfa] && session[:skip_tfa] > Time.current + end + def redirect_to_home_page_url? # If user is not signed-in and tries to access root_path - redirect him to landing page # Don't redirect to the default URL to prevent endless redirections -- cgit v1.2.1 From b61a5bc20cbfcd8a2c914f19e8786a989bf69198 Mon Sep 17 00:00:00 2001 From: Gabriel Mazetto Date: Thu, 24 Dec 2015 02:04:41 -0200 Subject: specs for forced two-factor authentication and grace period simplified code and fixed stuffs --- app/controllers/application_controller.rb | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 978a269ca52..a945b38e35f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -226,12 +226,7 @@ class ApplicationController < ActionController::Base def check_tfa_requirement if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor? - grace_period_started = current_user.otp_grace_period_started_at - grace_period_deadline = grace_period_started + two_factor_grace_period.hours - - deadline_text = "until #{l(grace_period_deadline)}" unless two_factor_grace_period_expired?(grace_period_started) - redirect_to new_profile_two_factor_auth_path, - alert: "You must configure Two-Factor Authentication in your account #{deadline_text}" + redirect_to new_profile_two_factor_auth_path end end @@ -377,7 +372,8 @@ class ApplicationController < ActionController::Base current_application_settings.two_factor_grace_period end - def two_factor_grace_period_expired?(date) + def two_factor_grace_period_expired? + date = current_user.otp_grace_period_started_at date && (date + two_factor_grace_period.hours) < Time.current end -- cgit v1.2.1 From 1249289f89feba725109ce769e685b07cf746e4b Mon Sep 17 00:00:00 2001 From: Gabriel Mazetto Date: Thu, 24 Dec 2015 18:58:46 -0200 Subject: Fixed codestyle and added 2FA documentation --- app/controllers/application_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers/application_controller.rb') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a945b38e35f..d9a37a4d45f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base before_action :validate_user_service_ticket! before_action :reject_blocked! before_action :check_password_expiration - before_action :check_tfa_requirement + before_action :check_2fa_requirement before_action :ldap_security_check before_action :default_headers before_action :add_gon_variables @@ -224,7 +224,7 @@ class ApplicationController < ActionController::Base end end - def check_tfa_requirement + def check_2fa_requirement if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor? redirect_to new_profile_two_factor_auth_path end -- cgit v1.2.1