Module: EnforcesTwoFactorAuthentication

Extended by:
ActiveSupport::Concern
Included in:
ApplicationController, Gitlab::BaseDoorkeeperController, Oauth::TokenInfoController, Oauth::TokensController
Defined in:
app/controllers/concerns/enforces_two_factor_authentication.rb

Overview

EnforcesTwoFactorAuthentication

Controller concern to enforce two-factor authentication requirements

Upon inclusion, adds `check_two_factor_requirement` as a before_action, and makes `two_factor_grace_period_expired?` and `two_factor_skippable?` available as view helpers.


Instance Method Details

#check_two_factor_requirement ⇒ Object



# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 21

# Before-action hook that stops a request when the signed-in user is required
# to set up two-factor authentication and has not done so.
#
# Nothing happens when the including controller does not respond to
# +current_user+, when 2FA is not required, or when
# #current_user_requires_two_factor? is false (2FA already set up, or an
# unexpired skip recorded in the session).
#
# When enforcement applies, a GraphqlController gets an +:unauthorized+ error
# that carries the 2FA help page URL; every other controller is redirected to
# the profile 2FA setup page.
#
# NOTE(review): enforcement depends on this callback actually running, so any
# controller that skips it is outside the 2FA requirement - worth auditing
# when new controllers include this concern.
#
# @return [Object, nil] the result of +render_error+ / +redirect_to+, or nil
#   when no enforcement takes place
def check_two_factor_requirement
  return unless respond_to?(:current_user)
  return unless two_factor_authentication_required? && current_user_requires_two_factor?

  if is_a?(GraphqlController)
    # Presumably API clients cannot follow an HTML redirect, so they get an
    # explicit error with a pointer to the help page instead - confirm.
    message = format(
      _("Authentication error: enable 2FA in your profile settings to continue using GitLab: %{mfa_help_page}"),
      mfa_help_page: mfa_help_page_url
    )
    render_error(message, status: :unauthorized)
  else
    redirect_to(profile_two_factor_auth_path)
  end
end

#current_user_requires_two_factor? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 44

# Whether the current user must be sent to 2FA setup right now.
#
# True only when the verifier reports that the user still needs to set up
# two-factor authentication and no unexpired skip is recorded in the session
# (see #skip_two_factor?). The skip check is not evaluated when the verifier
# already says no setup is needed.
#
# @return [Boolean]
def current_user_requires_two_factor?
  setup_pending = two_factor_verifier.current_user_needs_to_setup_two_factor?
  setup_pending && !skip_two_factor?
end

#execute_action_for_2fa_reason(actions) ⇒ Object

rubocop: disable CodeReuse/ActiveRecord



# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 49

# Runs the caller-supplied handler that matches the reason 2FA is enforced.
#
# The reason comes from the verifier; the handler is looked up with
# +actions[reason]+ and invoked with the groups that impose the requirement
# on the current user, reordered by name ascending.
#
# +actions+ needs an entry for every reason the verifier can return: a
# missing entry yields nil here and the +call+ raises NoMethodError.
#
# @param actions [#[]] maps a reason to an object responding to +call+
# @return [Object] whatever the selected handler returns
def execute_action_for_2fa_reason(actions)
  enforcement_reason = two_factor_verifier.two_factor_authentication_reason
  enforcing_groups =
    current_user
      .source_groups_of_two_factor_authentication_requirement
      .reorder(name: :asc)

  handler = actions[enforcement_reason]
  handler.call(enforcing_groups)
end

#mfa_help_page_url ⇒ Object



# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 79

# URL of the help page section that explains how to enable two-factor
# authentication; embedded in the error returned by
# #check_two_factor_requirement for GraphQL requests.
#
# @return [Object] whatever the +help_page_url+ route helper returns
def mfa_help_page_url
  url_helpers = Rails.application.routes.url_helpers
  doc_path = 'user/profile/account/two_factor_authentication.md'

  url_helpers.help_page_url(doc_path, anchor: 'enable-two-factor-authentication')
end

#skip_two_factor? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 71

# Whether this session carries a 2FA-setup skip that has not yet run out.
#
# Reads +session[:skip_two_factor]+ and, when it is set, asks the stored
# value whether it is still in the future. An absent or falsy entry is
# returned as-is (nil / false).
#
# NOTE(review): this method trusts whatever was written to the session key.
# The code that sets it is not visible here - confirm it only grants a skip
# while #two_factor_skippable? holds and caps the timestamp, otherwise a
# long-lived value would defer enforcement for the whole session.
#
# @return [Boolean, nil]
def skip_two_factor?
  skip_until = session[:skip_two_factor]
  # presumably a time-like value responding to +future?+ - verify against the writer
  skip_until && skip_until.future?
end

#two_factor_authentication_required? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 40

# Whether two-factor authentication is required, as decided by the verifier
# built in #two_factor_verifier. The policy itself lives in the verifier and
# is not visible from this concern.
#
# @return [Boolean]
def two_factor_authentication_required?
  verifier = two_factor_verifier
  verifier.two_factor_authentication_required?
end

#two_factor_grace_period ⇒ Object

rubocop: enable CodeReuse/ActiveRecord



# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 57

# The grace period reported by the verifier from #two_factor_verifier.
#
# NOTE(review): the unit and type of the value are defined by the verifier
# and are not visible here - confirm before doing arithmetic on it.
#
# @return [Object] the verifier's grace period value, passed through unchanged
def two_factor_grace_period
  verifier = two_factor_verifier
  verifier.two_factor_grace_period
end

#two_factor_grace_period_expired? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 61

# Whether the verifier from #two_factor_verifier considers the grace period
# for setting up 2FA to be over. Used by #two_factor_skippable? to decide
# whether the user may still postpone setup.
#
# @return [Boolean]
def two_factor_grace_period_expired?
  verifier = two_factor_verifier
  verifier.two_factor_grace_period_expired?
end

#two_factor_skippable? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 65

# Whether the user may still postpone 2FA setup: 2FA is required, the user
# has not enabled it, and the grace period has not expired.
#
# The checks short-circuit in that order, so +current_user+ is only touched
# when 2FA is required, and the grace period is only consulted for users
# without 2FA enabled.
#
# NOTE(review): assumes +current_user+ is non-nil whenever 2FA is required -
# confirm for unauthenticated requests. Since this is exposed as a view
# helper, whichever action records the skip should presumably re-check it
# server-side rather than rely on the UI hiding the option.
#
# @return [Boolean]
def two_factor_skippable?
  two_factor_authentication_required? &&
    !(current_user.two_factor_enabled? || two_factor_grace_period_expired?)
end

#two_factor_verifier ⇒ Object



# File 'app/controllers/concerns/enforces_two_factor_authentication.rb', line 75

# Verifier that answers the 2FA policy questions for this controller
# instance, built from +current_user+ and +request+ on first use and cached
# in +@two_factor_verifier+ afterwards.
#
# Because of the caching, later calls keep using the +current_user+ value
# seen on the first call, even if +current_user+ would return something else
# later on the same controller instance.
#
# @return [Gitlab::Auth::TwoFactorAuthVerifier]
def two_factor_verifier
  return @two_factor_verifier if @two_factor_verifier

  @two_factor_verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(current_user, request)
end