2018-12-05 23:21:45 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
# == EnforcesTwoFactorAuthentication
|
|
|
|
|
#
|
|
|
|
|
# Controller concern to enforce two-factor authentication requirements
|
|
|
|
|
#
|
|
|
|
|
# Upon inclusion, adds `check_two_factor_requirement` as a before_action,
|
|
|
|
|
# and makes `two_factor_grace_period_expired?` and `two_factor_skippable?`
|
|
|
|
|
# available as view helpers.
|
|
|
|
|
module EnforcesTwoFactorAuthentication
|
|
|
|
|
extend ActiveSupport::Concern
|
|
|
|
|
|
|
|
|
|
included do
|
|
|
|
|
before_action :check_two_factor_requirement
|
2020-08-18 19:51:02 +05:30
|
|
|
|
|
|
|
|
# to include this in controllers inheriting from `ActionController::Metal`
|
|
|
|
|
# we need to add this block
|
|
|
|
|
if respond_to?(:helper_method)
|
|
|
|
|
helper_method :two_factor_grace_period_expired?, :two_factor_skippable?
|
|
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check_two_factor_requirement
|
2020-08-18 19:51:02 +05:30
|
|
|
return unless respond_to?(:current_user)
|
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
if two_factor_authentication_required? && current_user_requires_two_factor?
|
2017-08-17 22:00:37 +05:30
|
|
|
redirect_to profile_two_factor_auth_path
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def two_factor_authentication_required?
|
2018-03-17 18:26:18 +05:30
|
|
|
Gitlab::CurrentSettings.require_two_factor_authentication? ||
|
2020-06-23 00:09:42 +05:30
|
|
|
current_user.try(:require_two_factor_authentication_from_group?)
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
|
2020-04-22 19:07:51 +05:30
|
|
|
def current_user_requires_two_factor?
|
|
|
|
|
current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled? && !skip_two_factor?
|
|
|
|
|
end
|
|
|
|
|
|
2018-12-05 23:21:45 +05:30
|
|
|
# rubocop: disable CodeReuse/ActiveRecord
|
2017-08-17 22:00:37 +05:30
|
|
|
def two_factor_authentication_reason(global: -> {}, group: -> {})
|
|
|
|
|
if two_factor_authentication_required?
|
2018-03-17 18:26:18 +05:30
|
|
|
if Gitlab::CurrentSettings.require_two_factor_authentication?
|
2017-08-17 22:00:37 +05:30
|
|
|
global.call
|
|
|
|
|
else
|
|
|
|
|
groups = current_user.expanded_groups_requiring_two_factor_authentication.reorder(name: :asc)
|
|
|
|
|
group.call(groups)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2018-12-05 23:21:45 +05:30
|
|
|
# rubocop: enable CodeReuse/ActiveRecord
|
2017-08-17 22:00:37 +05:30
|
|
|
|
|
|
|
|
def two_factor_grace_period
|
2018-03-17 18:26:18 +05:30
|
|
|
periods = [Gitlab::CurrentSettings.two_factor_grace_period]
|
2017-08-17 22:00:37 +05:30
|
|
|
periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication_from_group?)
|
|
|
|
|
periods.min
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def two_factor_grace_period_expired?
|
|
|
|
|
date = current_user.otp_grace_period_started_at
|
|
|
|
|
date && (date + two_factor_grace_period.hours) < Time.current
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def two_factor_skippable?
|
|
|
|
|
two_factor_authentication_required? &&
|
|
|
|
|
!current_user.two_factor_enabled? &&
|
|
|
|
|
!two_factor_grace_period_expired?
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def skip_two_factor?
|
|
|
|
|
session[:skip_two_factor] && session[:skip_two_factor] > Time.current
|
|
|
|
|
end
|
|
|
|
|
end
|
2020-04-22 19:07:51 +05:30
|
|
|
|
|
|
|
|
EnforcesTwoFactorAuthentication.prepend_if_ee('EE::EnforcesTwoFactorAuthentication')
|
