Support Two-factor Authentication for LDAP usersrs-backport-ldap-2fa

Closes #12653
author: Robert Speicher <rspeicher@gmail.com> 2016-02-03 13:31:12 -0500
committer: Robert Speicher <rspeicher@gmail.com> 2016-02-03 13:31:12 -0500
commit: d6ef6c634e58ae81113983c37a55515ad640f18f (patch)
tree: fc9e9a02df6046b3eb6670e2b1c5934b59fc82d1
parent: d506b3f958654534de93f443b9a81ba4434c0b71 (diff)
download: gitlab-ce-rs-backport-ldap-2fa.tar.gz
3 files changed, 33 insertions, 28 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 5f081236c10..305ce4cbaf6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -16,6 +16,7 @@ v 8.5.0 (unreleased)
   - Don't vendor minified JS
   - Display 404 error on group not found
   - Track project import failure
+  - Support Two-factor Authentication for LDAP users
   - Fix visibility level text in admin area (Zeger-Jan van de Weg)
   - Warn admin during OAuth of granting admin rights (Zeger-Jan van de Weg)
   - Update the ExternalIssue regex pattern (Blake Hitchcock)
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 4c13228fce9..9cf76521a0d 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -1,4 +1,5 @@
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  include AuthenticatesWithTwoFactor
 
   protect_from_forgery except: [:kerberos, :saml, :cas3]
 
@@ -29,8 +30,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 
     # Do additional LDAP checks for the user filter and EE features
     if ldap_user.allowed?
-      log_audit_event(@user, with: :ldap)
-      sign_in_and_redirect(@user)
+      if @user.two_factor_enabled?
+        prompt_for_two_factor(@user)
+      else
+        log_audit_event(@user, with: :ldap)
+        sign_in_and_redirect(@user)
+      end
     else
       flash[:alert] = "Access denied for your LDAP account."
       redirect_to new_user_session_path
diff --git a/app/views/profiles/accounts/show.html.haml b/app/views/profiles/accounts/show.html.haml
index 52bfc595fda..9fa96084f94 100644
--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -31,34 +31,33 @@
           - else
             = f.submit 'Generate', class: "btn btn-default"
 
-  - unless current_user.ldap_user?
-    .panel.panel-default
-      .panel-heading
-        Two-factor Authentication
-      .panel-body
-        - if current_user.two_factor_enabled?
-          .pull-right
-            = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
-                data: { confirm: 'Are you sure?' }
-          %p.text-success
-            %strong
-              Two-factor Authentication is enabled
-          %p
-            If you lose your recovery codes you can
-            %strong
-              = succeed ',' do
-                = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
-            invalidating all previous codes.
+  .panel.panel-default
+    .panel-heading
+      Two-factor Authentication
+    .panel-body
+      - if current_user.two_factor_enabled?
+        .pull-right
+          = link_to 'Disable Two-factor Authentication', profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm',
+              data: { confirm: 'Are you sure?' }
+        %p.text-success
+          %strong
+            Two-factor Authentication is enabled
+        %p
+          If you lose your recovery codes you can
+          %strong
+            = succeed ',' do
+              = link_to 'generate new ones', codes_profile_two_factor_auth_path, method: :post, data: { confirm: 'Are you sure?' }
+          invalidating all previous codes.
 
-        - else
-          %p
-            Increase your account's security by enabling two-factor authentication (2FA).
-          %p
-            Each time you log in you’ll be required to provide your username and
-            password as usual, plus a randomly-generated code from your phone.
+      - else
+        %p
+          Increase your account's security by enabling two-factor authentication (2FA).
+        %p
+          Each time you log in you’ll be required to provide your username and
+          password as usual, plus a randomly-generated code from your phone.
 
-          .form-actions
-            = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
+        .form-actions
+          = link_to 'Enable Two-factor Authentication', new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if button_based_providers.any?
     .panel.panel-default
author	Robert Speicher <rspeicher@gmail.com>	2016-02-03 13:31:12 -0500
committer	Robert Speicher <rspeicher@gmail.com>	2016-02-03 13:31:12 -0500
commit	d6ef6c634e58ae81113983c37a55515ad640f18f (patch)
tree	fc9e9a02df6046b3eb6670e2b1c5934b59fc82d1
parent	d506b3f958654534de93f443b9a81ba4434c0b71 (diff)
download	gitlab-ce-rs-backport-ldap-2fa.tar.gz