Fixed codestyle and added 2FA documentation

1249289f · Gabriel Mazetto · 6e3fb502 · 1249289f · 1249289f · 1249289f
Commit 1249289f authored Dec 24, 2015 by Gabriel Mazetto
4 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base
  before_action :validate_user_service_ticket!
  before_action :reject_blocked!
  before_action :check_password_expiration
-  before_action :check_tfa_requirement
+  before_action :check_2fa_requirement
  before_action :ldap_security_check
  before_action :default_headers
  before_action :add_gon_variables
@@ -224,7 +224,7 @@ class ApplicationController < ActionController::Base
    end
  end

-  def check_tfa_requirement
+  def check_2fa_requirement
    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor?
      redirect_to new_profile_two_factor_auth_path
    end

--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
 class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
-  skip_before_action :check_tfa_requirement
+  skip_before_action :check_2fa_requirement

  def new
    unless current_user.otp_secret
      current_user.otp_secret = User.generate_otp_secret(32)
    end
+
    unless current_user.otp_grace_period_started_at && two_factor_grace_period
      current_user.otp_grace_period_started_at = Time.current
    end
+
    current_user.save! if current_user.changed?

    if two_factor_grace_period_expired?

--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -6,3 +6,4 @@
 - [Information exclusivity](information_exclusivity.md)
 - [Reset your root password](reset_root_password.md)
 - [User File Uploads](user_file_uploads.md)
+- [Enforce Two-Factor authentication](two_factor_authentication.md)
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
+# Enforce Two-factor Authentication (2FA)
+
+Two-factor Authentication (2FA) provides an additional level of security to your
+users' GitLab account. Once enabled, in addition to supplying their username and
+password to login, they'll be prompted for a code generated by an application on
+their phone.
+
+You can read more about it here:
+[Two-factor Authentication (2FA)](doc/profile/two_factor_authentication.md)
+
+## Enabling 2FA
+
+Users on GitLab, can enable it without any admin's intervention. If you want to
+enforce everyone to setup 2FA, you can choose from two different ways:
+
+ 1. Enforce on next login
+ 2. Suggest on next login, but allow a grace period before enforcing.
+
+In the Admin area under **Settings** (`/admin/application_settings`), look for
+the "Sign-in Restrictions" area, where you can configure both.
+
+If you want 2FA enforcement to take effect on next login, change the grace
+period to `0`
+
+## Disabling 2FA for everyone
+
+There may be some special situations where you want to disable 2FA for everyone
+even when forced 2FA is disabled. There is a rake task for that:
+
+```
+# use this command if you've installed GitLab with the Omnibus package
+sudo gitlab-rake gitlab:two_factor:disable_for_all_users
+
+# if you've installed GitLab from source
+sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
+```
+
+**IMPORTANT: this is a permanent and irreversible action. Users will have to reactivate 2FA from scratch if they want to use it again.**