Change method to display group that is source of 2fa requirement

Add changelog entry Add cr remarks

Change method to display group that is source of 2fa requirement
Add changelog entry Add cr remarks
3a3af0c6 · Małgorzata Ksionek · e5a5e54a · 3a3af0c6 · 3a3af0c6 · 3a3af0c6
Commit 3a3af0c6 authored Jul 30, 2020 by Małgorzata Ksionek
4 changed files
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -43,7 +43,7 @@ module EnforcesTwoFactorAuthentication
      if Gitlab::CurrentSettings.require_two_factor_authentication?
        global.call
      else
-        groups = current_user.expanded_groups_requiring_two_factor_authentication.reorder(name: :asc)
+        groups = current_user.source_groups_of_two_factor_authentication_requirement.reorder(name: :asc)
        group.call(groups)
      end
    end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -885,6 +885,12 @@ class User < ApplicationRecord
    all_expanded_groups.where(require_two_factor_authentication: true)
  end
+  def source_groups_of_two_factor_authentication_requirement
+    Gitlab::ObjectHierarchy.new(expanded_groups_requiring_two_factor_authentication)
+      .all_objects
+      .where(id: groups)
+  end
  # rubocop: disable CodeReuse/ServiceClass
  def refresh_authorized_projects
    Users::RefreshAuthorizedProjectsService.new(self).execute

--- a/changelogs/unreleased/security-199-show-actual-group.yml
+++ b/changelogs/unreleased/security-199-show-actual-group.yml
+---
+title: Show on two-factor authentication setup page groups that are the cause of this
+  requirement
+merge_request:
+author:
+type: security
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -3578,6 +3578,42 @@ RSpec.describe User do
    end
  end
+  describe '#source_groups_of_two_factor_authentication_requirement' do
+    let_it_be(:group_not_requiring_2FA) { create :group }
+    let(:user) { create :user }
+    before do
+      group.add_user(user, GroupMember::OWNER)
+      group_not_requiring_2FA.add_user(user, GroupMember::OWNER)
+    end
+    context 'when user is direct member of group requiring 2FA' do
+      let_it_be(:group) { create :group, require_two_factor_authentication: true }
+      it 'returns group requiring 2FA' do
+        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
+      end
+    end
+    context 'when user is member of group which parent requires 2FA' do
+      let_it_be(:parent_group) { create :group, require_two_factor_authentication: true }
+      let_it_be(:group) { create :group, parent: parent_group }
+      it 'returns group requiring 2FA' do
+        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
+      end
+    end
+    context 'when user is member of group which child requires 2FA' do
+      let_it_be(:group) { create :group }
+      let_it_be(:child_group) { create :group, require_two_factor_authentication: true, parent: group }
+      it 'returns group requiring 2FA' do
+        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
+      end
+    end
+  end
  describe '.active' do
    before do
      described_class.ghost