authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
commit48aff82709769b098321c738f3444b9bdaa694c6 (patch)
treee00c7c43e2d9b603a5a6af576b1685e400410dee /lib/gitlab/auth
parent879f5329ee916a948223f8f43d77fba4da6cd028 (diff)
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/auth_finders.rb2
-rw-r--r--lib/gitlab/auth/otp/strategies/base.rb32
-rw-r--r--lib/gitlab/auth/otp/strategies/devise.rb15
-rw-r--r--lib/gitlab/auth/otp/strategies/forti_authenticator.rb41
-rw-r--r--lib/gitlab/auth/user_access_denied_reason.rb4
5 files changed, 93 insertions, 1 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index ccf52bae9a5..3d3f7212053 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -290,7 +290,7 @@ module Gitlab
end
def api_request?
- current_request.path.starts_with?('/api/')
+ current_request.path.starts_with?(Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/api/'))
end
def archive_request?
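Review bot: The prefix built from `Gitlab.config.gitlab.relative_url_root` on the new line is recomputed on every call and the reason for it is not stated; a comment such as `# The request path carries the relative URL root, so a bare '/api/' prefix would not match on a relative-root install` would explain it, and the computed prefix could be memoized in a private helper. The neighbouring path predicates beginning with `archive_request?` on the hunk's last line presumably compare against bare paths too, but they lie outside the hunk so that cannot be confirmed here. The enclosing module continues beyond the hunk.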
diff --git a/lib/gitlab/auth/otp/strategies/base.rb b/lib/gitlab/auth/otp/strategies/base.rb
new file mode 100644
index 00000000000..718630e0e31
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/base.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class Base
+ def initialize(user)
+ @user = user
+ end
+
+ private
+
+ attr_reader :user
+
+ def success
+ { status: :success }
+ end
+
+ def error(message, http_status = nil)
+ result = { message: message,
+ status: :error }
+
+ result[:http_status] = http_status if http_status
+
+ result
+ end
+ end
+ end
+ end
+ end
+end
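Review bot: `Base` provides the `success`/`error` result helpers but declares no `validate` method, so the contract the Devise and FortiAuthenticator subclasses in this commit implement is only implicit; declaring it as `def validate(_otp_code)` / `  raise NotImplementedError` / `end` would make the abstract interface explicit and give a clear failure if a strategy forgets it. A class comment such as `# Abstract OTP validation strategy; #validate(otp_code) returns the hash built by #success or #error` would also help. Note that `error` takes its arguments positionally (`message, http_status = nil`), which callers must respect.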
diff --git a/lib/gitlab/auth/otp/strategies/devise.rb b/lib/gitlab/auth/otp/strategies/devise.rb
new file mode 100644
index 00000000000..93068d6c9b0
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/devise.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class Devise < Base
+ def validate(otp_code)
+ user.validate_and_consume_otp!(otp_code) ? success : error('invalid OTP code')
+ end
+ end
+ end
+ end
+ end
+end
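Review bot: The class carries no comment distinguishing it from the other strategies; a one-liner such as `# OTP strategy backed by the user's Devise-managed second factor` above `class Devise < Base` would do. Given the `validate_and_consume_otp!` name the code is presumably marked as used on success, but that behaviour lives in the user model and cannot be confirmed from this diff, so the comment should not assert it.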
diff --git a/lib/gitlab/auth/otp/strategies/forti_authenticator.rb b/lib/gitlab/auth/otp/strategies/forti_authenticator.rb
new file mode 100644
index 00000000000..fbcb9fd8cdb
--- /dev/null
+++ b/lib/gitlab/auth/otp/strategies/forti_authenticator.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Auth
+ module Otp
+ module Strategies
+ class FortiAuthenticator < Base
+ def validate(otp_code)
+ body = { username: user.username,
+ token_code: otp_code }
+
+ response = Gitlab::HTTP.post(
+ auth_url,
+ headers: { 'Content-Type': 'application/json' },
+ body: body.to_json,
+ basic_auth: api_credentials)
+
+ # Successful authentication results in HTTP 200: OK
+ # https://docs.fortinet.com/document/fortiauthenticator/6.2.0/rest-api-solution-guide/704555/authentication-auth
+ response.ok? ? success : error(message: response.message, http_status: response.code)
+ end
+
+ private
+
+ def auth_url
+ host = ::Gitlab.config.forti_authenticator.host
+ port = ::Gitlab.config.forti_authenticator.port
+ path = 'api/v1/auth/'
+
+ "https://#{host}:#{port}/#{path}"
+ end
+
+ def api_credentials
+ { username: ::Gitlab.config.forti_authenticator.username,
+ password: ::Gitlab.config.forti_authenticator.token }
+ end
+ end
+ end
+ end
+ end
+end
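Review bot: `error(message: response.message, http_status: response.code)` on the non-OK branch passes keyword arguments to `Base#error`, which this commit defines with positional parameters `(message, http_status = nil)`, so the whole keyword hash lands in `message` and `http_status` is never set on the result; the call should read `error(response.message, response.code)`. Separately, the `Gitlab::HTTP.post` call is not rescued, so a connection failure or timeout to the FortiAuthenticator host would propagate as an exception rather than the error hash the Devise strategy returns; whether callers tolerate that cannot be seen here. A comment on `api_credentials` noting that the configured `token` is sent as the HTTP basic-auth password would help readers of the config.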
diff --git a/lib/gitlab/auth/user_access_denied_reason.rb b/lib/gitlab/auth/user_access_denied_reason.rb
index cc4b8d887ff..36b54ba2e46 100644
--- a/lib/gitlab/auth/user_access_denied_reason.rb
+++ b/lib/gitlab/auth/user_access_denied_reason.rb
@@ -11,6 +11,8 @@ module Gitlab
case rejection_type
when :internal
"This action cannot be performed by internal users"
+ when :blocked_pending_approval
+ "Your account is pending approval from your administrator and hence blocked."
when :terms_not_accepted
"You (#{@user.to_reference}) must accept the Terms of Service in order to perform this action. "\
"Please access GitLab from a web browser to accept these terms."
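Review bot: The added message ends with a period while the neighbouring `:internal` message does not, and "and hence blocked" reads awkwardly; `"Your account is pending approval from your administrator and is therefore blocked"` would match the surrounding style. The `:blocked_pending_approval` symbol it handles is produced by the `rejection_type` change in the second hunk of this file. The enclosing method starts before the hunk.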
@@ -31,6 +33,8 @@ module Gitlab
def rejection_type
if @user.internal?
:internal
+ elsif @user.blocked_pending_approval?
+ :blocked_pending_approval
elsif @user.required_terms_not_accepted?
:terms_not_accepted
elsif @user.deactivated?