Allow password authentication to be disabled entirely

author: Markus Koller <markus-koller@gmx.ch> 2017-11-23 13:16:14 +0000
committer: Douwe Maan <douwe@gitlab.com> 2017-11-23 13:16:14 +0000
commit: 257fd5713485a05460a9170190100643199a7e48 (patch)
tree: afaaddcdc16ac407d72b7b4c0e96d951a141c268 /lib
parent: a6cafbcbe8d6802a81055c3469312f889cd73c9a (diff)
download: gitlab-ce-257fd5713485a05460a9170190100643199a7e48.tar.gz
6 files changed, 31 insertions, 15 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 16ae99b5c6c..e45c87e4f4f 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -763,7 +763,10 @@ module API
       expose(:default_project_visibility) { |setting, _options| Gitlab::VisibilityLevel.string_level(setting.default_project_visibility) }
       expose(:default_snippet_visibility) { |setting, _options| Gitlab::VisibilityLevel.string_level(setting.default_snippet_visibility) }
       expose(:default_group_visibility) { |setting, _options| Gitlab::VisibilityLevel.string_level(setting.default_group_visibility) }
-      expose :password_authentication_enabled, as: :signin_enabled
+
+      # support legacy names, can be removed in v5
+      expose :password_authentication_enabled_for_web, as: :password_authentication_enabled
+      expose :password_authentication_enabled_for_web, as: :signin_enabled
     end
 
     class Release < Grape::Entity
diff --git a/lib/api/settings.rb b/lib/api/settings.rb
index 851b226e9e5..06373fe5069 100644
--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -44,9 +44,11 @@ module API
         requires :domain_blacklist, type: String, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
       end
       optional :after_sign_up_text, type: String, desc: 'Text shown after sign up'
-      optional :password_authentication_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled'
-      optional :signin_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled'
-      mutually_exclusive :password_authentication_enabled, :signin_enabled
+      optional :password_authentication_enabled_for_web, type: Boolean, desc: 'Flag indicating if password authentication is enabled for the web interface'
+      optional :password_authentication_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled for the web interface' # support legacy names, can be removed in v5
+      optional :signin_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled for the web interface' # support legacy names, can be removed in v5
+      mutually_exclusive :password_authentication_enabled_for_web, :password_authentication_enabled, :signin_enabled
+      optional :password_authentication_enabled_for_git, type: Boolean, desc: 'Flag indicating if password authentication is enabled for Git over HTTP(S)'
       optional :require_two_factor_authentication, type: Boolean, desc: 'Require all users to setup Two-factor authentication'
       given require_two_factor_authentication: ->(val) { val } do
         requires :two_factor_grace_period, type: Integer, desc: 'Amount of time (in hours) that users are allowed to skip forced configuration of two-factor authentication'
@@ -135,8 +137,11 @@ module API
     put "application/settings" do
       attrs = declared_params(include_missing: false)
 
+      # support legacy names, can be removed in v5
       if attrs.has_key?(:signin_enabled)
-        attrs[:password_authentication_enabled] = attrs.delete(:signin_enabled)
+        attrs[:password_authentication_enabled_for_web] = attrs.delete(:signin_enabled)
+      elsif attrs.has_key?(:password_authentication_enabled)
+        attrs[:password_authentication_enabled_for_web] = attrs.delete(:password_authentication_enabled)
       end
 
       if current_settings.update_attributes(attrs)
diff --git a/lib/api/v3/entities.rb b/lib/api/v3/entities.rb
index afdd7b83998..c17b6f45ed8 100644
--- a/lib/api/v3/entities.rb
+++ b/lib/api/v3/entities.rb
@@ -172,8 +172,8 @@ module API
         expose :id
         expose :default_projects_limit
         expose :signup_enabled
-        expose :password_authentication_enabled
-        expose :password_authentication_enabled, as: :signin_enabled
+        expose :password_authentication_enabled_for_web, as: :password_authentication_enabled
+        expose :password_authentication_enabled_for_web, as: :signin_enabled
         expose :gravatar_enabled
         expose :sign_in_text
         expose :after_sign_up_text
diff --git a/lib/api/v3/settings.rb b/lib/api/v3/settings.rb
index 202011cfcbe..9b4ab7630fb 100644
--- a/lib/api/v3/settings.rb
+++ b/lib/api/v3/settings.rb
@@ -44,8 +44,8 @@ module API
           requires :domain_blacklist, type: String, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
         end
         optional :after_sign_up_text, type: String, desc: 'Text shown after sign up'
-        optional :password_authentication_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled'
-        optional :signin_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled'
+        optional :password_authentication_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled for the web interface'
+        optional :signin_enabled, type: Boolean, desc: 'Flag indicating if password authentication is enabled for the web interface'
         mutually_exclusive :password_authentication_enabled, :signin_enabled
         optional :require_two_factor_authentication, type: Boolean, desc: 'Require all users to setup Two-factor authentication'
         given require_two_factor_authentication: ->(val) { val } do
@@ -131,7 +131,9 @@ module API
         attrs = declared_params(include_missing: false)
 
         if attrs.has_key?(:signin_enabled)
-          attrs[:password_authentication_enabled] = attrs.delete(:signin_enabled)
+          attrs[:password_authentication_enabled_for_web] = attrs.delete(:signin_enabled)
+        elsif attrs.has_key?(:password_authentication_enabled)
+          attrs[:password_authentication_enabled_for_web] = attrs.delete(:password_authentication_enabled)
         end
 
         if current_settings.update_attributes(attrs)
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index cbbc51db99e..9670207a105 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -34,7 +34,7 @@ module Gitlab
         rate_limit!(ip, success: result.success?, login: login)
         Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
 
-        return result if result.success? || current_application_settings.password_authentication_enabled? || Gitlab::LDAP::Config.enabled?
+        return result if result.success? || authenticate_using_internal_or_ldap_password?
 
         # If sign-in is disabled and LDAP is not configured, recommend a
         # personal access token on failed auth attempts
@@ -45,6 +45,10 @@ module Gitlab
         # Avoid resource intensive login checks if password is not provided
         return unless password.present?
 
+        # Nothing to do here if internal auth is disabled and LDAP is
+        # not configured
+        return unless authenticate_using_internal_or_ldap_password?
+
         Gitlab::Auth::UniqueIpsLimiter.limit_user! do
           user = User.by_login(login)
 
@@ -52,10 +56,8 @@ module Gitlab
           #   LDAP users are only authenticated via LDAP
           if user.nil? || user.ldap_user?
             # Second chance - try LDAP authentication
-            return unless Gitlab::LDAP::Config.enabled?
-
             Gitlab::LDAP::Authentication.login(login, password)
-          else
+          elsif current_application_settings.password_authentication_enabled_for_git?
             user if user.active? && user.valid_password?(password)
           end
         end
@@ -84,6 +86,10 @@ module Gitlab
 
       private
 
+      def authenticate_using_internal_or_ldap_password?
+        current_application_settings.password_authentication_enabled_for_git? || Gitlab::LDAP::Config.enabled?
+      end
+
       def service_request_check(login, password, project)
         matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
 
diff --git a/lib/gitlab/usage_data.rb b/lib/gitlab/usage_data.rb
index 112d4939582..2adcc9809b3 100644
--- a/lib/gitlab/usage_data.rb
+++ b/lib/gitlab/usage_data.rb
@@ -79,7 +79,7 @@ module Gitlab
 
       def features_usage_data_ce
         {
-          signup: current_application_settings.signup_enabled?,
+          signup: current_application_settings.allow_signup?,
           ldap: Gitlab.config.ldap.enabled,
           gravatar: current_application_settings.gravatar_enabled?,
           omniauth: Gitlab.config.omniauth.enabled,
author	Markus Koller <markus-koller@gmx.ch>	2017-11-23 13:16:14 +0000
committer	Douwe Maan <douwe@gitlab.com>	2017-11-23 13:16:14 +0000
commit	257fd5713485a05460a9170190100643199a7e48 (patch)
tree	afaaddcdc16ac407d72b7b4c0e96d951a141c268 /lib
parent	a6cafbcbe8d6802a81055c3469312f889cd73c9a (diff)
download	gitlab-ce-257fd5713485a05460a9170190100643199a7e48.tar.gz