author | Roger Rüttimann <roger.ruettimann@gmail.com> | 2018-06-25 15:32:03 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2018-06-25 15:32:03 +0000 |
commit | 2efe27ba181daa18db9e227b13be428ebdfc23f1 (patch) | |
tree | eea8a62ad5159b63cec5e367f4be49bfd09aec97 /lib | |
parent | 77fe416681a553005f9ec769113555830c8fb07c (diff) | |
download | gitlab-ce-2efe27ba181daa18db9e227b13be428ebdfc23f1.tar.gz |
Honor saml assurance level to allow 2FA bypassing
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/auth/o_auth/user.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/auth/saml/auth_hash.rb | 15 | ||||
-rw-r--r-- | lib/gitlab/auth/saml/config.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/auth/saml/user.rb | 4 |
4 files changed, 27 insertions, 0 deletions
diff --git a/lib/gitlab/auth/o_auth/user.rb b/lib/gitlab/auth/o_auth/user.rb
index 6c5d0788a0a..e7283b2f9e8 100644
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -74,6 +74,10 @@ module Gitlab
gl_user
end
+ def bypass_two_factor?
+ false
+ end
+
protected
def should_save?
diff --git a/lib/gitlab/auth/saml/auth_hash.rb b/lib/gitlab/auth/saml/auth_hash.rb
index c345a7e3f6c..3bc5e2864df 100644
--- a/lib/gitlab/auth/saml/auth_hash.rb
+++ b/lib/gitlab/auth/saml/auth_hash.rb
@@ -6,6 +6,17 @@ module Gitlab
Array.wrap(get_raw(Gitlab::Auth::Saml::Config.groups))
end
+ def authn_context
+ response_object = auth_hash.extra[:response_object]
+ return nil if response_object.blank?
+
+ document = response_object.decrypted_document
+ document ||= response_object.document
+ return nil if document.blank?
+
+ extract_authn_context(document)
+ end
+
private
def get_raw(key)
@@ -13,6 +24,10 @@ module Gitlab
# otherwise just the first value is returned
auth_hash.extra[:raw_info].all[key]
end
+
+ def extract_authn_context(document)
+ REXML::XPath.first(document, "//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef/text()").to_s
+ end
end
end
end
diff --git a/lib/gitlab/auth/saml/config.rb b/lib/gitlab/auth/saml/config.rb
index 5fa9581f837..625dab7c6f4 100644
--- a/lib/gitlab/auth/saml/config.rb
+++ b/lib/gitlab/auth/saml/config.rb
@@ -7,6 +7,10 @@ module Gitlab
Gitlab::Auth::OAuth::Provider.config_for('saml')
end
+ def upstream_two_factor_authn_contexts
+ options.args[:upstream_two_factor_authn_contexts]
+ end
+
def groups
options[:groups_attribute]
end
diff --git a/lib/gitlab/auth/saml/user.rb b/lib/gitlab/auth/saml/user.rb
index b8c84c37cd5..6c3b75f3eb0 100644
--- a/lib/gitlab/auth/saml/user.rb
+++ b/lib/gitlab/auth/saml/user.rb
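Review bot: The XPath in `extract_authn_context` begins with `//`, so it accepts an AuthnStatement found anywhere in the response document, not only inside the assertion whose signature ruby-saml validated; because this value now decides whether 2FA is skipped, it should come from the signed assertion (ruby-saml's `Response#authn_context_class_ref` reads it that way, if the installed version provides it) or the XPath should be anchored under the validated Assertion element rather than the whole document. Separately, `.to_s` turns a missing node into `""`, which the public `authn_context` returns unchanged while it returns `nil` for a missing response object; returning `REXML::XPath.first(document, "//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef/text()").to_s.presence` makes "no class ref" consistently `nil` for callers. Note also that REXML resolves the `saml:` prefix against the prefixes the IdP actually declared, so a response bound to another prefix (e.g. `saml2`) will silently never match unless a namespace map is passed; a comment stating that assumption, `# NOTE: relies on the IdP declaring the assertion namespace as "saml"`, would help operators debugging a bypass that never triggers.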
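Review bot: `upstream_two_factor_authn_contexts` hands back the raw config value, and its only caller in this commit (`Saml::User#bypass_two_factor?`) calls `include?` on it; if an operator writes the setting as a single string instead of a YAML list, `String#include?` does substring matching and is true for an empty needle, so the security-relevant check degrades silently. Normalising here fails closed for both shapes: `Array.wrap(options.args[:upstream_two_factor_authn_contexts])`. A short comment would also help, since this key lives under `args` while `groups` next to it reads `options[:groups_attribute]`: `# AuthnContextClassRef values the IdP reports when it already enforced 2FA; configured under args:`.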
@@ -34,6 +34,10 @@ module Gitlab
gl_user.changed? || gl_user.identities.any?(&:changed?)
end
+ def bypass_two_factor?
+ saml_config.upstream_two_factor_authn_contexts&.include?(auth_hash.authn_context)
+ end
+
protected
def saml_config |
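Review bot: `bypass_two_factor?` passes `auth_hash.authn_context` straight into `include?`, and that value is `""` when the response carries no AuthnContextClassRef (the XPath result is `.to_s`'d in this commit's `AuthHash`); with an array-valued setting that is harmless, but a string-valued setting makes `String#include?("")` true and would skip 2FA for every SAML login. The predicate should refuse a blank context and not depend on the setting's type: `context = auth_hash.authn_context` / `return false if context.blank?` / `Array.wrap(saml_config.upstream_two_factor_authn_contexts).include?(context)`. Since this is an authentication-strength decision, consider also emitting an audit log line when the bypass is granted. `saml_config`'s body lies outside the hunk.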