From 1f608ac4614f57130992916931ad10f4d5fd9d50 Mon Sep 17 00:00:00 2001 From: Tomasz Maczukin Date: Sat, 4 Jun 2016 00:02:40 +0200 Subject: Remove 'unscoped' from project builds selection --- app/controllers/projects/artifacts_controller.rb | 2 +- app/controllers/projects/builds_controller.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/artifacts_controller.rb b/app/controllers/projects/artifacts_controller.rb index cfea1266516..832d7deb57d 100644 --- a/app/controllers/projects/artifacts_controller.rb +++ b/app/controllers/projects/artifacts_controller.rb @@ -37,7 +37,7 @@ class Projects::ArtifactsController < Projects::ApplicationController private def build - @build ||= project.builds.unscoped.find_by!(id: params[:build_id]) + @build ||= project.builds.find_by!(id: params[:build_id]) end def artifacts_file diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb index bb1f6c5e980..db3ae586059 100644 --- a/app/controllers/projects/builds_controller.rb +++ b/app/controllers/projects/builds_controller.rb @@ -81,7 +81,7 @@ class Projects::BuildsController < Projects::ApplicationController private def build - @build ||= project.builds.unscoped.find_by!(id: params[:id]) + @build ||= project.builds.find_by!(id: params[:id]) end def build_path(build) -- cgit v1.2.3 From 791cc9138be6ea1783e3c3853370cf0290f4d41e Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 6 Jun 2016 10:08:42 +0530 Subject: Add a `U2fRegistrations` table/model. - To hold registrations from U2F devices, and to authenticate them. - Previously, `User#two_factor_enabled` was aliased to the `otp_required_for_login` column on `users`. - This commit changes things a bit: - `User#two_factor_enabled` is not a method anymore - `User#two_factor_enabled?` checks both the `otp_required_for_login` column, as well as `U2fRegistration`s - Change all instances of `User#two_factor_enabled` to `User#two_factor_enabled?` - Add the `u2f` gem, and implement registration/authentication at the model level. --- app/controllers/application_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index c28d1ca9e3b..e73b2d08551 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -182,8 +182,8 @@ class ApplicationController < ActionController::Base end def check_2fa_requirement - if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor? - redirect_to new_profile_two_factor_auth_path + if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled? && !skip_two_factor? + redirect_to profile_two_factor_auth_path end end -- cgit v1.2.3 From 128549f10beb406333fa23c1693750c06ff7bc4a Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 6 Jun 2016 10:14:51 +0530 Subject: Implement U2F registration. - Move the `TwoFactorAuthsController`'s `new` action to `show`, since the page is not used to create a single "two factor auth" anymore. We can have a single 2FA authenticator app, along with any number of U2F devices, in any combination, so the page will be accessed after the first "two factor auth" is created. - Add the `u2f` javascript library, which provides an API to the browser's U2F implementation. - Add tests for the JS components --- app/controllers/application_controller.rb | 11 ++++++ .../profiles/two_factor_auths_controller.rb | 45 +++++++++++++++++++--- 2 files changed, 50 insertions(+), 6 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index e73b2d08551..62f63701799 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -342,6 +342,10 @@ class ApplicationController < ActionController::Base session[:skip_tfa] && session[:skip_tfa] > Time.current end + def browser_supports_u2f? + browser.chrome? && browser.version.to_i >= 41 && !browser.device.mobile? + end + def redirect_to_home_page_url? # If user is not signed-in and tries to access root_path - redirect him to landing page # Don't redirect to the default URL to prevent endless redirections @@ -355,6 +359,13 @@ class ApplicationController < ActionController::Base current_user.nil? && root_path == request.path end + # U2F (universal 2nd factor) devices need a unique identifier for the application + # to perform authentication. + # https://developers.yubico.com/U2F/App_ID.html + def u2f_app_id + request.base_url + end + private def set_default_sort diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb index 8f83fdd02bc..6a358fdcc05 100644 --- a/app/controllers/profiles/two_factor_auths_controller.rb +++ b/app/controllers/profiles/two_factor_auths_controller.rb @@ -1,7 +1,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController skip_before_action :check_2fa_requirement - def new + def show unless current_user.otp_secret current_user.otp_secret = User.generate_otp_secret(32) end @@ -12,21 +12,22 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController current_user.save! if current_user.changed? - if two_factor_authentication_required? + if two_factor_authentication_required? && !current_user.two_factor_enabled? if two_factor_grace_period_expired? - flash.now[:alert] = 'You must enable Two-factor Authentication for your account.' + flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.' else grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours - flash.now[:alert] = "You must enable Two-factor Authentication for your account before #{l(grace_period_deadline)}." + flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}." end end @qr_code = build_qr_code + setup_u2f_registration end def create if current_user.validate_and_consume_otp!(params[:pin_code]) - current_user.two_factor_enabled = true + current_user.otp_required_for_login = true @codes = current_user.generate_otp_backup_codes! current_user.save! @@ -34,8 +35,23 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController else @error = 'Invalid pin code' @qr_code = build_qr_code + setup_u2f_registration + render 'show' + end + end + + # A U2F (universal 2nd factor) device's information is stored after successful + # registration, which is then used while 2FA authentication is taking place. + def create_u2f + @u2f_registration = U2fRegistration.register(current_user, u2f_app_id, params[:device_response], session[:challenges]) - render 'new' + if @u2f_registration.persisted? + session.delete(:challenges) + redirect_to profile_account_path, notice: "Your U2F device was registered!" + else + @qr_code = build_qr_code + setup_u2f_registration + render :show end end @@ -70,4 +86,21 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController def issuer_host Gitlab.config.gitlab.host end + + # Setup in preparation of communication with a U2F (universal 2nd factor) device + # Actual communication is performed using a Javascript API + def setup_u2f_registration + @u2f_registration ||= U2fRegistration.new + @registration_key_handles = current_user.u2f_registrations.pluck(:key_handle) + u2f = U2F::U2F.new(u2f_app_id) + + registration_requests = u2f.registration_requests + sign_requests = u2f.authentication_requests(@registration_key_handles) + session[:challenges] = registration_requests.map(&:challenge) + + gon.push(u2f: { challenges: session[:challenges], app_id: u2f_app_id, + register_requests: registration_requests, + sign_requests: sign_requests, + browser_supports_u2f: browser_supports_u2f? }) + end end -- cgit v1.2.3 From 86b07caa599a7f064e9077770b1a87c670d7607c Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 6 Jun 2016 10:20:39 +0530 Subject: Implement authentication (login) using a U2F device. - Move the `authenticate_with_two_factor` method from `ApplicationController` to the `AuthenticatesWithTwoFactor` module, where it should be. --- .../concerns/authenticates_with_two_factor.rb | 59 +++++++++++++++++++++- app/controllers/sessions_controller.rb | 23 +-------- 2 files changed, 59 insertions(+), 23 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb index d5918a7af3b..998b8adc411 100644 --- a/app/controllers/concerns/authenticates_with_two_factor.rb +++ b/app/controllers/concerns/authenticates_with_two_factor.rb @@ -24,7 +24,64 @@ module AuthenticatesWithTwoFactor # Returns nil def prompt_for_two_factor(user) session[:otp_user_id] = user.id + setup_u2f_authentication(user) + render 'devise/sessions/two_factor' + end + + def authenticate_with_two_factor + user = self.resource = find_user + + if user_params[:otp_attempt].present? && session[:otp_user_id] + authenticate_with_two_factor_via_otp(user) + elsif user_params[:device_response].present? && session[:otp_user_id] + authenticate_with_two_factor_via_u2f(user) + elsif user && user.valid_password?(user_params[:password]) + prompt_for_two_factor(user) + end + end + + private + + def authenticate_with_two_factor_via_otp(user) + if valid_otp_attempt?(user) + # Remove any lingering user data from login + session.delete(:otp_user_id) + + remember_me(user) if user_params[:remember_me] == '1' + sign_in(user) + else + flash.now[:alert] = 'Invalid two-factor code.' + render :two_factor + end + end + + # Authenticate using the response from a U2F (universal 2nd factor) device + def authenticate_with_two_factor_via_u2f(user) + if U2fRegistration.authenticate(user, u2f_app_id, user_params[:device_response], session[:challenges]) + # Remove any lingering user data from login + session.delete(:otp_user_id) + session.delete(:challenges) + + sign_in(user) + else + flash.now[:alert] = 'Authentication via U2F device failed.' + prompt_for_two_factor(user) + end + end + + # Setup in preparation of communication with a U2F (universal 2nd factor) device + # Actual communication is performed using a Javascript API + def setup_u2f_authentication(user) + key_handles = user.u2f_registrations.pluck(:key_handle) + u2f = U2F::U2F.new(u2f_app_id) - render 'devise/sessions/two_factor' and return + if key_handles.present? + sign_requests = u2f.authentication_requests(key_handles) + challenges = sign_requests.map(&:challenge) + session[:challenges] = challenges + gon.push(u2f: { challenges: challenges, app_id: u2f_app_id, + sign_requests: sign_requests, + browser_supports_u2f: browser_supports_u2f? }) + end end end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index d68c2a708e3..1c19c1cc1a8 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -54,7 +54,7 @@ class SessionsController < Devise::SessionsController end def user_params - params.require(:user).permit(:login, :password, :remember_me, :otp_attempt) + params.require(:user).permit(:login, :password, :remember_me, :otp_attempt, :device_response) end def find_user @@ -89,27 +89,6 @@ class SessionsController < Devise::SessionsController find_user.try(:two_factor_enabled?) end - def authenticate_with_two_factor - user = self.resource = find_user - - if user_params[:otp_attempt].present? && session[:otp_user_id] - if valid_otp_attempt?(user) - # Remove any lingering user data from login - session.delete(:otp_user_id) - - remember_me(user) if user_params[:remember_me] == '1' - sign_in(user) and return - else - flash.now[:alert] = 'Invalid two-factor code.' - render :two_factor and return - end - else - if user && user.valid_password?(user_params[:password]) - prompt_for_two_factor(user) - end - end - end - def auto_sign_in_with_provider provider = Gitlab.config.omniauth.auto_sign_in_with_provider return unless provider.present? -- cgit v1.2.3 From 4db19bb4455cd21e80097a3e547d8b266a884aea Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 6 Jun 2016 10:22:06 +0530 Subject: Add a U2F-specific audit log entry after logging in. - "two-factor" for OTP-based 2FA - "two-factor-via-u2f-device" for U2F-based 2FA - "standard" for non-2FA login --- app/controllers/sessions_controller.rb | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 1c19c1cc1a8..f6eedb1773c 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -30,8 +30,7 @@ class SessionsController < Devise::SessionsController resource.update_attributes(reset_password_token: nil, reset_password_sent_at: nil) end - authenticated_with = user_params[:otp_attempt] ? "two-factor" : "standard" - log_audit_event(current_user, with: authenticated_with) + log_audit_event(current_user, with: authentication_method) end end @@ -117,4 +116,14 @@ class SessionsController < Devise::SessionsController def load_recaptcha Gitlab::Recaptcha.load_configurations! end + + def authentication_method + if user_params[:otp_attempt] + "two-factor" + elsif user_params[:device_response] + "two-factor-via-u2f-device" + else + "standard" + end + end end -- cgit v1.2.3