authorGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-12-11 15:08:10 +0300
commitb86f474bf51e20d2db4cf0895d0a8e0894e31c08 (patch)
tree061d2a4c749924f5a35fe6199dd1d8982c4b0b27 /app/controllers
parent6b8040dc25fdc5fe614c3796a147517dd50bc7d8 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/admin/sessions_controller.rb29
-rw-r--r--app/controllers/application_controller.rb6
-rw-r--r--app/controllers/concerns/enforces_admin_authentication.rb1
-rw-r--r--app/controllers/concerns/initializes_current_user_mode.rb13
-rw-r--r--app/controllers/concerns/sessionless_authentication.rb4
-rw-r--r--app/controllers/oauth/applications_controller.rb1
-rw-r--r--app/controllers/oauth/authorizations_controller.rb2
-rw-r--r--app/controllers/omniauth_callbacks_controller.rb25
8 files changed, 70 insertions, 11 deletions
diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index 1f946e41995..f9587655a8d 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -6,17 +6,23 @@ class Admin::SessionsController < ApplicationController
before_action :user_is_admin!
def new
- # Renders a form in which the admin can enter their password
+ if current_user_mode.admin_mode?
+ redirect_to redirect_path, notice: _('Admin mode already enabled')
+ else
+ current_user_mode.request_admin_mode! unless current_user_mode.admin_mode_requested?
+ store_location_for(:redirect, redirect_path)
+ end
end
def create
if current_user_mode.enable_admin_mode!(password: params[:password])
- redirect_location = stored_location_for(:redirect) || admin_root_path
- redirect_to safe_redirect_path(redirect_location)
+ redirect_to redirect_path, notice: _('Admin mode enabled')
else
- flash.now[:alert] = _('Invalid Login or password')
+ flash.now[:alert] = _('Invalid login or password')
render :new
end
+ rescue Gitlab::Auth::CurrentUserMode::NotRequestedError
+ redirect_to new_admin_session_path, alert: _('Re-authentication period expired or never requested. Please try again')
end
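Review bot: `new` now has side effects (it starts the re-authentication request and stores the return location) but the only comment describing the action was removed and nothing replaced it. A short comment above `def new` would help the next reader, e.g. `# Starts the admin-mode re-authentication window (unless one is already pending) and remembers where to send the user once the password check in #create succeeds.` The `create` rescue for `NotRequestedError` deserves one line too, along the lines of `# The request window expired or #new was never visited; send the user back through #new.` Exactly what `request_admin_mode!` records is not visible in this diff, so keep the wording to what the controller does.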
def destroy
@@ -30,4 +36,19 @@ class Admin::SessionsController < ApplicationController
def user_is_admin!
render_404 unless current_user&.admin?
end
+
+ def redirect_path
+ redirect_to_path = safe_redirect_path(stored_location_for(:redirect)) || safe_redirect_path_for_url(request.referer)
+
+ if redirect_to_path &&
+ excluded_redirect_paths.none? { |excluded| redirect_to_path.include?(excluded) }
+ redirect_to_path
+ else
+ admin_root_path
+ end
+ end
+
+ def excluded_redirect_paths
+ [new_admin_session_path, admin_session_path]
+ end
end
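Review bot: The exclusion check in `redirect_path` uses `String#include?`, so it matches the session paths anywhere in the candidate string rather than comparing the path component; a stored location whose query string or a longer sibling path merely contains `/admin/session` would be dropped to `admin_root_path`, while the intent is only to avoid bouncing back onto the login form. Comparing the path portion of the candidate against `excluded_redirect_paths` (for example after stripping anything from `?` onward) states the intent more precisely. The second source, `request.referer`, is client-supplied; the code relies on `safe_redirect_path_for_url` to confine it to a local path, which is not shown here and is worth confirming, and a comment such as `# Both sources are passed through the safe_redirect_path helpers, so only local paths reach the exclusion check` would make that dependency explicit.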
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ee2b3741ac9..33ae778769a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -16,6 +16,7 @@ class ApplicationController < ActionController::Base
include ConfirmEmailWarning
include Gitlab::Tracking::ControllerConcern
include Gitlab::Experimentation::ControllerConcern
+ include InitializesCurrentUserMode
before_action :authenticate_user!, except: [:route_not_found]
before_action :enforce_terms!, if: :should_enforce_terms?
@@ -41,7 +42,6 @@ class ApplicationController < ActionController::Base
protect_from_forgery with: :exception, prepend: true
helper_method :can?
- helper_method :current_user_mode
helper_method :import_sources_enabled?, :github_import_enabled?,
:gitea_import_enabled?, :github_import_configured?,
:gitlab_import_enabled?, :gitlab_import_configured?,
@@ -546,10 +546,6 @@ class ApplicationController < ActionController::Base
end
end
- def current_user_mode
- @current_user_mode ||= Gitlab::Auth::CurrentUserMode.new(current_user)
- end
-
# A user requires a role and have the setup_for_company attribute set when they are part of the experimental signup
# flow (executed by the Growth team). Users are redirected to the welcome page when their role is required and the
# experiment is enabled for the current user.
diff --git a/app/controllers/concerns/enforces_admin_authentication.rb b/app/controllers/concerns/enforces_admin_authentication.rb
index e731211f423..527759de0bb 100644
--- a/app/controllers/concerns/enforces_admin_authentication.rb
+++ b/app/controllers/concerns/enforces_admin_authentication.rb
@@ -18,6 +18,7 @@ module EnforcesAdminAuthentication
return unless Feature.enabled?(:user_mode_in_session)
unless current_user_mode.admin_mode?
+ current_user_mode.request_admin_mode!
store_location_for(:redirect, request.fullpath) if storable_location?
redirect_to(new_admin_session_path, notice: _('Re-authentication required'))
end
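Review bot: `current_user_mode.request_admin_mode!` is called unconditionally here on every admin-area request made outside admin mode, whereas the `new` action added in this commit guards the same call with `unless current_user_mode.admin_mode_requested?`. If `request_admin_mode!` records the time of the request (inferred from the "period expired" handling in `Admin::SessionsController#create`), repeated navigation to admin pages would keep extending the re-authentication window, which defeats the expiry. Using the same guard here, `current_user_mode.request_admin_mode! unless current_user_mode.admin_mode_requested?`, keeps both entry points consistent. The enclosing method begins and ends outside this hunk.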
diff --git a/app/controllers/concerns/initializes_current_user_mode.rb b/app/controllers/concerns/initializes_current_user_mode.rb
new file mode 100644
index 00000000000..df7cea5c754
--- /dev/null
+++ b/app/controllers/concerns/initializes_current_user_mode.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module InitializesCurrentUserMode
+ extend ActiveSupport::Concern
+
+ included do
+ helper_method :current_user_mode
+ end
+
+ def current_user_mode
+ @current_user_mode ||= Gitlab::Auth::CurrentUserMode.new(current_user)
+ end
+end
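Review bot: The new concern has no documentation, and since it is now included in four controllers with different base classes it is the one place to say what it provides. A module comment above `module InitializesCurrentUserMode` such as `# Exposes a per-request, memoized Gitlab::Auth::CurrentUserMode for current_user to controllers and views; include it in controllers that do not inherit from ApplicationController.` would cover that. Because the value is memoized on first use, a comment on `current_user_mode` noting that it should be called only after `current_user` is established would also help callers in authentication callbacks, though whether that ordering matters is not visible from this diff.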
diff --git a/app/controllers/concerns/sessionless_authentication.rb b/app/controllers/concerns/sessionless_authentication.rb
index f644923443b..d5c26fca957 100644
--- a/app/controllers/concerns/sessionless_authentication.rb
+++ b/app/controllers/concerns/sessionless_authentication.rb
@@ -33,6 +33,8 @@ module SessionlessAuthentication
end
def enable_admin_mode!
- current_user_mode.enable_admin_mode!(skip_password_validation: true) if Feature.enabled?(:user_mode_in_session)
+ return unless Feature.enabled?(:user_mode_in_session)
+
+ current_user_mode.enable_sessionless_admin_mode!
end
end
diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 8dd51ce1d64..bbf0bdd3662 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -6,6 +6,7 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
include PageLayoutHelper
include OauthApplications
include Gitlab::Experimentation::ControllerConcern
+ include InitializesCurrentUserMode
before_action :verify_user_oauth_applications_enabled, except: :index
before_action :authenticate_user!
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index e65726dffbf..2a4e659c5b9 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -2,6 +2,8 @@
class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
include Gitlab::Experimentation::ControllerConcern
+ include InitializesCurrentUserMode
+
layout 'profile'
# Overridden from Doorkeeper::AuthorizationsController to
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index eca58748cc5..92f36c031f1 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -4,6 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor
include Devise::Controllers::Rememberable
include AuthHelper
+ include InitializesCurrentUserMode
protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
@@ -94,8 +95,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
return render_403 unless link_provider_allowed?(oauth['provider'])
log_audit_event(current_user, with: oauth['provider'])
- identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session)
+ if Feature.enabled?(:user_mode_in_session)
+ return admin_mode_flow if current_user_mode.admin_mode_requested?
+ end
+
+ identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session)
link_identity(identity_linker)
if identity_linker.changed?
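Review bot: `log_audit_event(current_user, with: oauth['provider'])` still runs before the new `admin_mode_flow` branch, so a provider callback that is actually an admin-mode re-authentication is recorded as an identity-link event and the link itself is then skipped. Moving the `admin_mode_requested?` check above the audit call, or emitting a distinct event from `admin_mode_flow`, keeps the audit trail accurate for both outcomes. This also deserves a comment at the branch, e.g. `# A pending admin-mode request turns this callback into a re-authentication; no identity is linked on this path.` The enclosing method begins and ends outside this hunk.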
@@ -239,6 +244,24 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
store_location_for(:user, uri.to_s)
end
end
+
+ def admin_mode_flow
+ if omniauth_identity_matches_current_user?
+ current_user_mode.enable_admin_mode!(skip_password_validation: true)
+
+ redirect_to stored_location_for(:redirect) || admin_root_path, notice: _('Admin mode enabled')
+ else
+ fail_admin_mode_invalid_credentials
+ end
+ end
+
+ def omniauth_identity_matches_current_user?
+ current_user.matches_identity?(oauth['provider'], oauth['uid'])
+ end
+
+ def fail_admin_mode_invalid_credentials
+ redirect_to new_admin_session_path, alert: _('Invalid login or password')
+ end
end
OmniauthCallbacksController.prepend_if_ee('EE::OmniauthCallbacksController')
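Review bot: `admin_mode_flow` redirects to `stored_location_for(:redirect)` directly, whereas `Admin::SessionsController#redirect_path` in this same commit passes the stored value through `safe_redirect_path` before using it. The two flows consume the same stored key, so they should sanitize it the same way; if the helper is reachable from this controller the line becomes `redirect_to safe_redirect_path(stored_location_for(:redirect)) || admin_root_path, notice: _('Admin mode enabled')`. The alert in `fail_admin_mode_invalid_credentials` says "Invalid login or password", but the failure here is that the provider identity does not belong to the signed-in user, which a comment such as `# Reached when the OmniAuth identity is not one of current_user's linked identities` should state so the user-facing text is not mistaken for a password check.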