Add latest changes from gitlab-org/gitlab@13-4-stable-ee

6 files changed, 136 insertions, 19 deletions

diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb
index 95e055a44db..b19285e98bb 100644
--- a/app/controllers/profiles/accounts_controller.rb
+++ b/app/controllers/profiles/accounts_controller.rb
@@ -7,10 +7,9 @@ class Profiles::AccountsController < Profiles::ApplicationController
     render(locals: show_view_variables)
   end
 
-  # rubocop: disable CodeReuse/ActiveRecord
   def unlink
     provider = params[:provider]
-    identity = current_user.identities.find_by(provider: provider)
+    identity = find_identity(provider)
 
     return render_404 unless identity
 
@@ -22,13 +21,18 @@ class Profiles::AccountsController < Profiles::ApplicationController
 
     redirect_to profile_account_path
   end
-  # rubocop: enable CodeReuse/ActiveRecord
 
   private
 
   def show_view_variables
     {}
   end
+
+  def find_identity(provider)
+    return current_user.atlassian_identity if provider == 'atlassian_oauth2'
+
+    current_user.identities.find_by(provider: provider) # rubocop: disable CodeReuse/ActiveRecord
+  end
 end
 
 Profiles::AccountsController.prepend_if_ee('EE::Profiles::AccountsController')
diff --git a/app/controllers/profiles/keys_controller.rb b/app/controllers/profiles/keys_controller.rb
index 99e1b9027fa..965493955ac 100644
--- a/app/controllers/profiles/keys_controller.rb
+++ b/app/controllers/profiles/keys_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Profiles::KeysController < Profiles::ApplicationController
+  skip_before_action :authenticate_user!, only: [:get_keys]
+
   def index
     @keys = current_user.keys.order_id_desc
     @key = Key.new
@@ -31,6 +33,25 @@ class Profiles::KeysController < Profiles::ApplicationController
     end
   end
 
+  # Get all keys of a user(params[:username]) in a text format
+  # Helpful for sysadmins to put in respective servers
+  def get_keys
+    if params[:username].present?
+      begin
+        user = UserFinder.new(params[:username]).find_by_username
+        if user.present?
+          render plain: user.all_ssh_keys.join("\n")
+        else
+          render_404
+        end
+      rescue => e
+        render html: e.message
+      end
+    else
+      render_404
+    end
+  end
+
   private
 
   def key_params
diff --git a/app/controllers/profiles/notifications_controller.rb b/app/controllers/profiles/notifications_controller.rb
index 064b2a2cc12..bc51830c119 100644
--- a/app/controllers/profiles/notifications_controller.rb
+++ b/app/controllers/profiles/notifications_controller.rb
@@ -4,12 +4,9 @@ class Profiles::NotificationsController < Profiles::ApplicationController
   # rubocop: disable CodeReuse/ActiveRecord
   def show
     @user = current_user
-    @group_notifications = current_user.notification_settings.preload_source_route.for_groups.order(:id)
-    @group_notifications += GroupsFinder.new(
-      current_user,
-      all_available: false,
-      exclude_group_ids: @group_notifications.select(:source_id)
-    ).execute.map { |group| current_user.notification_settings_for(group, inherit: true) }
+    @user_groups = user_groups
+    @group_notifications = UserGroupNotificationSettingsFinder.new(current_user, user_groups).execute
+
     @project_notifications = current_user.notification_settings.for_projects.order(:id)
                              .preload_source_route
                              .select { |notification| current_user.can?(:read_project, notification.source) }
@@ -32,4 +29,10 @@ class Profiles::NotificationsController < Profiles::ApplicationController
   def user_params
     params.require(:user).permit(:notification_email, :notified_of_own_activity)
   end
+
+  private
+
+  def user_groups
+    GroupsFinder.new(current_user, all_available: false).execute.order_name_asc.page(params[:page])
+  end
 end
diff --git a/app/controllers/profiles/preferences_controller.rb b/app/controllers/profiles/preferences_controller.rb
index 8653fe3b6ed..ea4d3e861be 100644
--- a/app/controllers/profiles/preferences_controller.rb
+++ b/app/controllers/profiles/preferences_controller.rb
@@ -51,6 +51,7 @@ class Profiles::PreferencesController < Profiles::ApplicationController
       :view_diffs_file_by_file,
       :tab_width,
       :sourcegraph_enabled,
+      :gitpod_enabled,
       :render_whitespace_in_code
     ]
   end
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 50fbf8146e5..5de6d84fdd9 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -2,6 +2,9 @@
 
 class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   skip_before_action :check_two_factor_requirement
+  before_action do
+    push_frontend_feature_flag(:webauthn)
+  end
 
   def show
     unless current_user.two_factor_enabled?
@@ -33,7 +36,12 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
 
     @qr_code = build_qr_code
     @account_string = account_string
-    setup_u2f_registration
+
+    if Feature.enabled?(:webauthn)
+      setup_webauthn_registration
+    else
+      setup_u2f_registration
+    end
   end
 
   def create
@@ -48,7 +56,13 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     else
       @error = _('Invalid pin code')
       @qr_code = build_qr_code
-      setup_u2f_registration
+
+      if Feature.enabled?(:webauthn)
+        setup_webauthn_registration
+      else
+        setup_u2f_registration
+      end
+
       render 'show'
     end
   end
@@ -56,7 +70,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   # A U2F (universal 2nd factor) device's information is stored after successful
   # registration, which is then used while 2FA authentication is taking place.
   def create_u2f
-    @u2f_registration = U2fRegistration.register(current_user, u2f_app_id, u2f_registration_params, session[:challenges])
+    @u2f_registration = U2fRegistration.register(current_user, u2f_app_id, device_registration_params, session[:challenges])
 
     if @u2f_registration.persisted?
       session.delete(:challenges)
@@ -68,6 +82,21 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     end
   end
 
+  def create_webauthn
+    @webauthn_registration = Webauthn::RegisterService.new(current_user, device_registration_params, session[:challenge]).execute
+    if @webauthn_registration.persisted?
+      session.delete(:challenge)
+
+      redirect_to profile_two_factor_auth_path, notice: s_("Your WebAuthn device was registered!")
+    else
+      @qr_code = build_qr_code
+
+      setup_webauthn_registration
+
+      render :show
+    end
+  end
+
   def codes
     Users::UpdateService.new(current_user, user: current_user).execute! do |user|
       @codes = user.generate_otp_backup_codes!
@@ -75,9 +104,13 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   end
 
   def destroy
-    current_user.disable_two_factor!
+    result = TwoFactor::DestroyService.new(current_user, user: current_user).execute
 
-    redirect_to profile_account_path, status: :found
+    if result[:status] == :success
+      redirect_to profile_account_path, status: :found, notice: s_('Two-factor authentication has been disabled successfully!')
+    else
+      redirect_to profile_account_path, status: :found, alert: result[:message]
+    end
   end
 
   def skip
@@ -108,11 +141,11 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   # Actual communication is performed using a Javascript API
   def setup_u2f_registration
     @u2f_registration ||= U2fRegistration.new
-    @u2f_registrations = current_user.u2f_registrations
+    @registrations = u2f_registrations
     u2f = U2F::U2F.new(u2f_app_id)
 
     registration_requests = u2f.registration_requests
-    sign_requests = u2f.authentication_requests(@u2f_registrations.map(&:key_handle))
+    sign_requests = u2f.authentication_requests(current_user.u2f_registrations.map(&:key_handle))
     session[:challenges] = registration_requests.map(&:challenge)
 
     gon.push(u2f: { challenges: session[:challenges], app_id: u2f_app_id,
@@ -120,8 +153,53 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
                     sign_requests: sign_requests })
   end
 
-  def u2f_registration_params
-    params.require(:u2f_registration).permit(:device_response, :name)
+  def device_registration_params
+    params.require(:device_registration).permit(:device_response, :name)
+  end
+
+  def setup_webauthn_registration
+    @registrations = webauthn_registrations
+    @webauthn_registration ||= WebauthnRegistration.new
+
+    unless current_user.webauthn_xid
+      current_user.user_detail.update!(webauthn_xid: WebAuthn.generate_user_id)
+    end
+
+    options = webauthn_options
+    session[:challenge] = options.challenge
+
+    gon.push(webauthn: { options: options, app_id: u2f_app_id })
+  end
+
+  # Adds delete path to u2f registrations
+  # to reduce logic in view template
+  def u2f_registrations
+    current_user.u2f_registrations.map do |u2f_registration|
+      {
+          name: u2f_registration.name,
+          created_at: u2f_registration.created_at,
+          delete_path: profile_u2f_registration_path(u2f_registration)
+      }
+    end
+  end
+
+  def webauthn_registrations
+    current_user.webauthn_registrations.map do |webauthn_registration|
+      {
+          name: webauthn_registration.name,
+          created_at: webauthn_registration.created_at,
+          delete_path: profile_webauthn_registration_path(webauthn_registration)
+      }
+    end
+  end
+
+  def webauthn_options
+    WebAuthn::Credential.options_for_create(
+      user: { id: current_user.webauthn_xid, name: current_user.username },
+      exclude: current_user.webauthn_registrations.map { |c| c.credential_xid },
+      authenticator_selection: { user_verification: 'discouraged' },
+      rp: { name: 'GitLab' }
+    )
   end
 
   def groups_notification(groups)
@@ -129,6 +207,6 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     leave_group_links = groups.map { |group| view_context.link_to (s_("leave %{group_name}") % { group_name: group.full_name }), leave_group_members_path(group), remote: false, method: :delete}.to_sentence
 
     s_(%{The group settings for %{group_links} require you to enable Two-Factor Authentication for your account. You can %{leave_group_links}.})
-      .html_safe % { group_links: group_links.html_safe, leave_group_links: leave_group_links.html_safe }
+        .html_safe % { group_links: group_links.html_safe, leave_group_links: leave_group_links.html_safe }
   end
 end
diff --git a/app/controllers/profiles/webauthn_registrations_controller.rb b/app/controllers/profiles/webauthn_registrations_controller.rb
new file mode 100644
index 00000000000..81b1dd6f710
--- /dev/null
+++ b/app/controllers/profiles/webauthn_registrations_controller.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Profiles::WebauthnRegistrationsController < Profiles::ApplicationController
+  def destroy
+    webauthn_registration = current_user.webauthn_registrations.find(params[:id])
+    webauthn_registration.destroy
+
+    redirect_to profile_two_factor_auth_path, status: :found, notice: _("Successfully deleted WebAuthn device.")
+  end
+end