Merge branch 'oauth_bypass_two_factor' into 'master'

Add option to allow OAuth providers to bypass two factor Closes #56059 See merge request gitlab-org/gitlab-ce!31996

Merge branch 'oauth_bypass_two_factor' into 'master'
Add option to allow OAuth providers to bypass two factor Closes #56059 See merge request gitlab-org/gitlab-ce!31996
be97241a · Michael Kozono · 5e59c919 · 6e2032f2 · be97241a · be97241a
Commit be97241a authored Aug 27, 2019 by Michael Kozono
7 changed files
--- a/changelogs/unreleased/oauth_bypass_two_factor.yml
+++ b/changelogs/unreleased/oauth_bypass_two_factor.yml
+---
+title: Add option to allow OAuth providers to bypass two factor
+merge_request: 31996
+author: Dodocat
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -780,6 +780,14 @@ production: &base
    # (default: [])
    external_providers: []

+    # CAUTION!
+    # This allows users to login with the specified providers without two factor. Define the allowed providers
+    # using an array, e.g. ["twitter", 'google_oauth2'], or as true/false to allow all providers or none.
+    # This option should only be configured for providers which already have two factor. 
+    # This configration dose not apply to SAML.
+    # (default: false)
+    allow_bypass_two_factor: ["twitter", 'google_oauth2']
+
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -84,6 +84,7 @@ Settings['omniauth'] ||= Settingslogic.new({})
 Settings.omniauth['enabled'] = true if Settings.omniauth['enabled'].nil?
 Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil?
 Settings.omniauth['allow_single_sign_on'] = false if Settings.omniauth['allow_single_sign_on'].nil?
+Settings.omniauth['allow_bypass_two_factor'] = false if Settings.omniauth['allow_bypass_two_factor'].nil?
 Settings.omniauth['external_providers'] = [] if Settings.omniauth['external_providers'].nil?
 Settings.omniauth['block_auto_created_users'] = true if Settings.omniauth['block_auto_created_users'].nil?
 Settings.omniauth['auto_link_ldap_user'] = false if Settings.omniauth['auto_link_ldap_user'].nil?

--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -277,3 +277,23 @@ omniauth:
  sync_profile_from_provider: ['twitter', 'google_oauth2']
  sync_profile_attributes: ['email', 'location']
 ```
+## Bypassing two factor authentication
+
+Starting with GitLab 12.3, this allows users to login with the specified
+providers without two factor authentication.
+
+Define the allowed providers using an array, e.g. `["twitter", 'google_oauth2']`, or as
+`true`/`false` to allow all providers or none. This option should only be configured
+for providers which already have two factor authentication (default: false).
+This configration dose not apply to SAML.
+
+```ruby
+gitlab_rails['omniauth_allow_bypass_two_factor'] = ['twitter', 'google_oauth2']
+```
+
+**For installations from source**
+
+```yaml
+omniauth:
+  allow_bypass_two_factor: ['twitter', 'google_oauth2']
+```
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -77,7 +77,12 @@ module Gitlab
        end

        def bypass_two_factor?
-          false
+          providers = Gitlab.config.omniauth.allow_bypass_two_factor
+          if providers.is_a?(Array)
+            providers.include?(auth_hash.provider)
+          else
+            providers
+          end
        end

        protected

--- a/spec/features/oauth_login_spec.rb
+++ b/spec/features/oauth_login_spec.rb
@@ -55,6 +55,18 @@ describe 'OAuth Login', :js, :allow_forgery_protection do

          expect(current_path).to eq root_path
        end
+
+        it 'when bypass-two-factor is enabled' do
+          allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: true)
+          login_via(provider.to_s, user, uid, remember_me: false)
+          expect(current_path).to eq root_path
+        end
+
+        it 'when bypass-two-factor is disabled' do
+          allow(Gitlab.config.omniauth).to receive_messages(allow_bypass_two_factor: false)
+          login_with_provider(provider, enter_two_factor: true)
+          expect(current_path).to eq root_path
+        end
      end

      context 'when "remember me" is checked' do

--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -787,11 +787,25 @@ describe Gitlab::Auth::OAuth::User do
    end
  end

-  describe '#bypass_two_factor?' do
-    subject { oauth_user.bypass_two_factor? }
+  describe "#bypass_two_factor?" do
+    it "when with allow_bypass_two_factor disabled (Default)" do
+      stub_omniauth_config(allow_bypass_two_factor: false)
+      expect(oauth_user.bypass_two_factor?).to be_falsey
+    end
+
+    it "when with allow_bypass_two_factor enabled" do
+      stub_omniauth_config(allow_bypass_two_factor: true)
+      expect(oauth_user.bypass_two_factor?).to be_truthy
+    end
+
+    it "when provider in allow_bypass_two_factor array" do
+      stub_omniauth_config(allow_bypass_two_factor: [provider])
+      expect(oauth_user.bypass_two_factor?).to be_truthy
+    end

-    it 'returns always false' do
-      is_expected.to be_falsey
+    it "when provider not in allow_bypass_two_factor array" do
+      stub_omniauth_config(allow_bypass_two_factor: ["foo"])
+      expect(oauth_user.bypass_two_factor?).to be_falsey
    end
  end
 end