From 53af3e6b9e6fd221f2b6da1f6029017cf4a23831 Mon Sep 17 00:00:00 2001
From: Kartikey Tanna
Date: Tue, 18 Jun 2019 16:18:14 +0000
Subject: #57815 Password authentication disabled for UltraAuth users
Disabled password authentication for the users registered using omniauth-ultraauth strategy
---
.../concerns/enforces_two_factor_authentication.rb | 3 ++-
app/models/user.rb | 12 ++++++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
(limited to 'app')
diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
index 0fddf15d197..825181568ad 100644
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -23,7 +23,8 @@ module EnforcesTwoFactorAuthentication
 def two_factor_authentication_required?
 Gitlab::CurrentSettings.require_two_factor_authentication? ||
- current_user.try(:require_two_factor_authentication_from_group?)
+ current_user.try(:require_two_factor_authentication_from_group?) ||
+ current_user.try(:ultraauth_user?)
 end
 # rubocop: disable CodeReuse/ActiveRecord
diff --git a/app/models/user.rb b/app/models/user.rb
index 2eb5c63a4cc..38cb4d1a6e8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,11 +835,11 @@ class User < ApplicationRecord
 end
 def allow_password_authentication_for_web?
- Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
+ Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? && !ultraauth_user?
 end
 def allow_password_authentication_for_git?
- Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user?
+ Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? && !ultraauth_user?
 end
 def can_change_username?
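Review bot: The added `current_user.try(:ultraauth_user?)` term makes second-factor enrolment mandatory for every account with an UltraAuth identity, but the commit description only mentions disabling password authentication and nothing at the call site records why. A short comment above `two_factor_authentication_required?` would capture the intent, for example `# UltraAuth-linked users are always required to set up 2FA (see #57815)`. The rest of the concern lies outside this hunk, so it is worth confirming that any grace-period or skip handling there still behaves sensibly when neither the instance setting nor a group is the reason 2FA is required.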
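Review bot: In `allow_password_authentication_for_web?` and `allow_password_authentication_for_git?`, the new `!ultraauth_user?` term keys off the presence of an UltraAuth identity, not off how the account was registered as the commit description says. An existing password account that later links UltraAuth therefore loses password login for both web and Git, and as far as this diff shows it keeps losing it even if the provider is later removed from the instance configuration. If that is intended, say so next to the predicates, e.g. `# Password login is refused for any account holding an UltraAuth identity, including one linked after registration`. If it is not, the check should also require that the provider is still enabled, so these users are not left without a usable login path.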
@@ -919,6 +919,14 @@ class User < ApplicationRecord
 end
 end
+ def ultraauth_user?
+ if identities.loaded?
+ identities.find { |identity| Gitlab::Auth::OAuth::Provider.ultraauth_provider?(identity.provider) && !identity.extern_uid.nil? }
+ else
+ identities.exists?(["provider = ? AND extern_uid IS NOT NULL", "ultraauth"])
+ end
+ end
+
 def ldap_identity
 @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
 end
-- cgit v1.2.3
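Review bot: The two branches of `ultraauth_user?` do not agree with each other: the loaded branch asks `Gitlab::Auth::OAuth::Provider.ultraauth_provider?` and returns an `Identity` or `nil` from `find`, while the query branch hard-codes the literal `"ultraauth"` and returns a boolean from `exists?`. Since the 2FA requirement and both password-authentication predicates now hang on this answer, any provider name the helper accepts but the literal does not (its definition is not in this diff) would give a different authentication decision depending on whether `identities` happened to be preloaded. I would change the first branch to `identities.any? { |identity| ... }` with the same block so the method always returns a boolean, and have the SQL branch take the provider name from the same source the helper uses instead of repeating the string. A one-line comment stating that the method means "has an UltraAuth identity with an external UID" would also help the callers' readers.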