Merge branch '232671-default-enable-webauthn' into 'master'

Default enable webauthn feature flag See merge request gitlab-org/gitlab!50735

Merge branch '232671-default-enable-webauthn' into 'master'
Default enable webauthn feature flag See merge request gitlab-org/gitlab!50735
bc801c22 · Imre Farkas · c6d4c188 · 81a6ee38 · bc801c22 · bc801c22
Commit bc801c22 authored Dec 15, 2021 by Imre Farkas
10 changed files
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
@@ -23,9 +23,9 @@ module AuthenticatesWithTwoFactor

    session[:otp_user_id] = user.id
    session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
-    push_frontend_feature_flag(:webauthn)
+    push_frontend_feature_flag(:webauthn, default_enabled: :yaml)

-    if Feature.enabled?(:webauthn)
+    if Feature.enabled?(:webauthn, default_enabled: :yaml)
      setup_webauthn_authentication(user)
    else
      setup_u2f_authentication(user)

--- a/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb
@@ -11,7 +11,7 @@ module AuthenticatesWithTwoFactorForAdminMode
    return handle_locked_user(user) unless user.can?(:log_in)

    session[:otp_user_id] = user.id
-    push_frontend_feature_flag(:webauthn)
+    push_frontend_feature_flag(:webauthn, default_enabled: :yaml)

    if user.two_factor_webauthn_enabled?
      setup_webauthn_authentication(user)

--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -8,7 +8,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
  helper_method :current_password_required?

  before_action do
-    push_frontend_feature_flag(:webauthn)
+    push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
  end

  feature_category :authentication_and_authorization
@@ -44,7 +44,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
    @qr_code = build_qr_code
    @account_string = account_string

-    if Feature.enabled?(:webauthn)
+    if Feature.enabled?(:webauthn, default_enabled: :yaml)
      setup_webauthn_registration
    else
      setup_u2f_registration
@@ -69,7 +69,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
      @error = { message: _('Invalid pin code.') }
      @qr_code = build_qr_code

-      if Feature.enabled?(:webauthn)
+      if Feature.enabled?(:webauthn, default_enabled: :yaml)
        setup_webauthn_registration
      else
        setup_u2f_registration

--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -8,7 +8,7 @@ class ProfilesController < Profiles::ApplicationController
  before_action :authorize_change_username!, only: :update_username
  skip_before_action :require_email, only: [:show, :update]
  before_action do
-    push_frontend_feature_flag(:webauthn)
+    push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
  end

  feature_category :users

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -32,7 +32,7 @@ class SessionsController < Devise::SessionsController
  before_action :load_recaptcha
  before_action :set_invite_params, only: [:new]
  before_action do
-    push_frontend_feature_flag(:webauthn)
+    push_frontend_feature_flag(:webauthn, default_enabled: :yaml)
  end

  after_action :log_failed_login, if: :action_new_and_failed_login?
@@ -305,9 +305,9 @@ class SessionsController < Devise::SessionsController
  def authentication_method
    if user_params[:otp_attempt]
      AuthenticationEvent::TWO_FACTOR
-    elsif user_params[:device_response] && Feature.enabled?(:webauthn)
+    elsif user_params[:device_response] && Feature.enabled?(:webauthn, default_enabled: :yaml)
      AuthenticationEvent::TWO_FACTOR_WEBAUTHN
-    elsif user_params[:device_response] && !Feature.enabled?(:webauthn)
+    elsif user_params[:device_response] && !Feature.enabled?(:webauthn, default_enabled: :yaml)
      AuthenticationEvent::TWO_FACTOR_U2F
    else
      AuthenticationEvent::STANDARD

--- a/app/models/members_preloader.rb
+++ b/app/models/members_preloader.rb
@@ -13,7 +13,7 @@ class MembersPreloader
    ActiveRecord::Associations::Preloader.new.preload(members, :created_by)
    ActiveRecord::Associations::Preloader.new.preload(members, user: :status)
    ActiveRecord::Associations::Preloader.new.preload(members, user: :u2f_registrations)
-    ActiveRecord::Associations::Preloader.new.preload(members, user: :webauthn_registrations) if Feature.enabled?(:webauthn)
+    ActiveRecord::Associations::Preloader.new.preload(members, user: :webauthn_registrations) if Feature.enabled?(:webauthn, default_enabled: :yaml)
  end
 end


--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -911,7 +911,7 @@ class User < ApplicationRecord
  end

  def two_factor_u2f_enabled?
-    return false if Feature.enabled?(:webauthn)
+    return false if Feature.enabled?(:webauthn, default_enabled: :yaml)

    if u2f_registrations.loaded?
      u2f_registrations.any?
@@ -925,7 +925,7 @@ class User < ApplicationRecord
  end

  def two_factor_webauthn_enabled?
-    return false unless Feature.enabled?(:webauthn)
+    return false unless Feature.enabled?(:webauthn, default_enabled: :yaml)

    (webauthn_registrations.loaded? && webauthn_registrations.any?) || (!webauthn_registrations.loaded? && webauthn_registrations.exists?)
  end

--- a/app/views/profiles/two_factor_auths/show.html.haml
+++ b/app/views/profiles/two_factor_auths/show.html.haml
@@ -2,7 +2,7 @@
 - page_title _('Two-Factor Authentication'), _('Account')
 - add_to_breadcrumbs _('Account'), profile_account_path
 - @content_class = "limit-container-width" unless fluid_layout
- webauthn_enabled = Feature.enabled?(:webauthn)
+- webauthn_enabled = Feature.enabled?(:webauthn, default_enabled: :yaml)

 .js-two-factor-auth{ 'data-two-factor-skippable' => "#{two_factor_skippable?}", 'data-two_factor_skip_url' => skip_profile_two_factor_auth_path }
  .row.gl-mt-3

--- a/config/feature_flags/development/webauthn.yml
+++ b/config/feature_flags/development/webauthn.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/232671
 milestone: '13.4'
 type: development
 group: group::access
-default_enabled: false
+default_enabled: true
--- a/doc/user/profile/account/two_factor_authentication.md
+++ b/doc/user/profile/account/two_factor_authentication.md
@@ -20,8 +20,7 @@ password secret.
 NOTE:
 When you enable 2FA, don't forget to back up your [recovery codes](#recovery-codes)!

-In addition to time-based one time passwords (TOTP), GitLab supports U2F
-(universal 2nd factor) and WebAuthn (experimental) devices as the second factor
+In addition to time-based one time passwords (TOTP), GitLab supports WebAuthn devices as the second factor
 of authentication. After being enabled, in addition to supplying your username
 and password to sign in, you're prompted to activate your U2F / WebAuthn device
 (usually by pressing a button on it) which performs secure authentication on
@@ -269,11 +268,11 @@ Click on **Register U2F Device** to complete the process.

 ### WebAuthn device

-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4.
-> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
-> - It's disabled on GitLab.com.
-> - It's not recommended for production use.
-> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-webauthn).
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4 [with a flag](../../../administration/feature_flags.md) named `webauthn`. Disabled by default.
+> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/232671) in GitLab 14.6.
+
+FLAG:
+On self-managed GitLab, by default this feature is available. To disable the feature, ask an administrator to [disable the feature flag](../../../administration/feature_flags.md) named `webauthn`. If you disable the WebAuthn feature flag after WebAuthn devices have been registered, these devices are not usable until you re-enable this feature. On GitLab.com, this feature is available.

 The WebAuthn workflow is [supported by](https://caniuse.com/#search=webauthn) the
 following desktop browsers:
@@ -350,7 +349,7 @@ request, and you're automatically signed in.
 ### Sign in by using a WebAuthn device

 In supported browsers you should be automatically prompted to activate your WebAuthn device
-(for example, by touching/pressing its button) after entering your credentials.
+(for example, by touching or pressing its button) after entering your credentials.

 A message displays, indicating that your device responded to the authentication
 request and you're automatically signed in.
@@ -495,25 +494,6 @@ request a GitLab global administrator disable two-factor authentication for your

 - To enforce 2FA at the system or group levels see [Enforce Two-factor Authentication](../../../security/two_factor_authentication.md).

-## Enable or disable WebAuthn **(FREE SELF)**
-
-Support for WebAuthn is under development and not ready for production use. It is
-deployed behind a feature flag that is **disabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
-can enable it.
-
-To enable it:
-
-```ruby
-Feature.enable(:webauthn)
-```
-
-To disable it:
-
-```ruby
-Feature.disable(:webauthn)
-```
-
 ## Troubleshooting

 If you are receiving an `invalid pin code` error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself.