Merge branch 'rs-backport-ldap-2fa' into 'master'

Support Two-factor Authentication for LDAP users Closes #12653 See merge request !2688
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-02-04 15:19:33 +0000
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-02-04 15:19:33 +0000
commit: d9624bb87aa6a1ad505cbb0541489c88ae662e44 (patch)
tree: 1947b52da45fac2a46147523d69aa90ff66051fd
parent: e933a50b6b8e7feec76bcc71313c14736967cd7a (diff)
parent: d6ef6c634e58ae81113983c37a55515ad640f18f (diff)
download: gitlab-ce-d9624bb87aa6a1ad505cbb0541489c88ae662e44.tar.gz
3 files changed, 33 insertions, 28 deletions
diff --git a/CHANGELOG b/CHANGELOG
index f434e361281..ba0bcef8f01 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -16,6 +16,7 @@ v 8.5.0 (unreleased)
   - Don't vendor minified JS
   - Display 404 error on group not found
   - Track project import failure
+  - Support Two-factor Authentication for LDAP users
   - Fix visibility level text in admin area (Zeger-Jan van de Weg)
   - Warn admin during OAuth of granting admin rights (Zeger-Jan van de Weg)
   - Update the ExternalIssue regex pattern (Blake Hitchcock)
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 4c13228fce9..9cf76521a0d 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -1,4 +1,5 @@
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  include AuthenticatesWithTwoFactor
 
   protect_from_forgery except: [:kerberos, :saml, :cas3]
 
@@ -29,8 +30,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 
     # Do additional LDAP checks for the user filter and EE features
     if ldap_user.allowed?
-      log_audit_event(@user, with: :ldap)
-      sign_in_and_redirect(@user)
+      if @user.two_factor_enabled?
+        prompt_for_two_factor(@user)
+      else
+        log_audit_event(@user, with: :ldap)
+        sign_in_and_redirect(@user)
+      end
     else
       flash[:alert] = "Access denied for your LDAP account."
       redirect_to new_user_session_path
diff --git a/app/views/profiles/accounts/show.html.haml b/app/views/profiles/accounts/show.html.haml
index 52bfc595fda..9fa96084f94 100644
--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -31,34 +31,33 @@
           - else
             = f.submit 'Generate', class: "btn btn-default"
 
-  - unless current_user.ldap_user?
-    .panel.panel-default
-      .panel-heading
-        Two-factor Authentication
-      .panel-body
-        - if current_user.two_factor_enabled?
-          .pull-right
-            = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
-                data: { confirm: 'Are you sure?' }
-          %p.text-success
-            %strong
-              Two-factor Authentication is enabled
-          %p
-            If you lose your recovery codes you can
-            %strong
-              = succeed ',' do
-                = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
-            invalidating all previous codes.
+  .panel.panel-default
+    .panel-heading
+      Two-factor Authentication
+    .panel-body
+      - if current_user.two_factor_enabled?
+        .pull-right
+          = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
+              data: { confirm: 'Are you sure?' }
+        %p.text-success
+          %strong
+            Two-factor Authentication is enabled
+        %p
+          If you lose your recovery codes you can
+          %strong
+            = succeed ',' do
+              = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
+          invalidating all previous codes.
 
-        - else
-          %p
-            Increase your account's security by enabling two-factor authentication (2FA).
-          %p
-            Each time you log in you’ll be required to provide your username and
-            password as usual, plus a randomly-generated code from your phone.
+      - else
+        %p
+          Increase your account's security by enabling two-factor authentication (2FA).
+        %p
+          Each time you log in you’ll be required to provide your username and
+          password as usual, plus a randomly-generated code from your phone.
 
-          .form-actions
-            = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
+        .form-actions
+          = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if button_based_providers.any?
     .panel.panel-default
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-02-04 15:19:33 +0000
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-02-04 15:19:33 +0000
commit	d9624bb87aa6a1ad505cbb0541489c88ae662e44 (patch)
tree	1947b52da45fac2a46147523d69aa90ff66051fd
parent	e933a50b6b8e7feec76bcc71313c14736967cd7a (diff)
parent	d6ef6c634e58ae81113983c37a55515ad640f18f (diff)
download	gitlab-ce-d9624bb87aa6a1ad505cbb0541489c88ae662e44.tar.gz