#57815 Password authentication disabled for UltraAuth users

Disabled password authentication for the users registered using omniauth-ultraauth strategy

#57815 Password authentication disabled for UltraAuth users
Disabled password authentication for the users registered using omniauth-ultraauth strategy
53af3e6b · Kartikey Tanna · Kamil Trzciński · c8f18c50 · 53af3e6b · 53af3e6b
7 changed file
--- a/app/controllers/concerns/enforces_two_factor_authentication.rb
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -23,7 +23,8 @@ module EnforcesTwoFactorAuthentication

  def two_factor_authentication_required?
    Gitlab::CurrentSettings.require_two_factor_authentication? ||
-      current_user.try(:require_two_factor_authentication_from_group?)
+      current_user.try(:require_two_factor_authentication_from_group?) ||
+      current_user.try(:ultraauth_user?)
  end

  # rubocop: disable CodeReuse/ActiveRecord

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,11 +835,11 @@ class User < ApplicationRecord
  end

  def allow_password_authentication_for_web?
-    Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user?
+    Gitlab::CurrentSettings.password_authentication_enabled_for_web? && !ldap_user? && !ultraauth_user?
  end

  def allow_password_authentication_for_git?
-    Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user?
+    Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !ldap_user? && !ultraauth_user?
  end

  def can_change_username?
@@ -919,6 +919,14 @@ class User < ApplicationRecord
    end
  end

+  def ultraauth_user?
+    if identities.loaded?
+      identities.find { |identity| Gitlab::Auth::OAuth::Provider.ultraauth_provider?(identity.provider) && !identity.extern_uid.nil? }
+    else
+      identities.exists?(["provider = ? AND extern_uid IS NOT NULL", "ultraauth"])
+    end
+  end
+
  def ldap_identity
    @ldap_identity ||= identities.find_by(["provider LIKE ?", "ldap%"])
  end

--- a/changelogs/unreleased/57815.yml
+++ b/changelogs/unreleased/57815.yml
+---
+title: Enforced requirements for UltraAuth users
+merge_request: 28941
+author: Kartikey Tanna
+type: changed
--- a/doc/integration/ultra_auth.md
+++ b/doc/integration/ultra_auth.md
@@ -71,8 +71,8 @@ To get the credentials (a pair of Client ID and Client Secret), you must registe
 1.  [Reconfigure GitLab]( ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure ) or [restart GitLab]( ../administration/restart_gitlab.md#installations-from-source ) for the changes to take effect if you
    installed GitLab via Omnibus or from source respectively.

-On the sign in page, there should now be a UltraAuth icon below the regular sign in form.
+On the sign in page, there should now be an UltraAuth icon below the regular sign in form.
 Click the icon to begin the authentication process. UltraAuth will ask the user to sign in and authorize the GitLab application.
 If everything goes well, the user will be returned to GitLab and will be signed in.

-**Note:** GitLab requires the email address of each new user. Once the user is logged in using UltraAuth, GitLab will redirect the user to the profile page where they will have to provide the email and verify the email.
+GitLab requires the email address of each new user. Once the user is logged in using UltraAuth, GitLab will redirect the user to the profile page where they will have to provide the email and verify the email. Password authentication will be disabled for UltraAuth users and two-factor authentication (2FA) will be enforced.
--- a/lib/gitlab/auth/o_auth/provider.rb
+++ b/lib/gitlab/auth/o_auth/provider.rb
@@ -40,6 +40,10 @@ module Gitlab
          name.to_s.start_with?('ldap')
        end

+        def self.ultraauth_provider?(name)
+          name.to_s.eql?('ultraauth')
+        end
+
        def self.sync_profile_from_provider?(provider)
          return true if ldap_provider?(provider)


--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -289,6 +289,13 @@ describe ApplicationController do

        expect(subject).to be_truthy
      end
+
+      it 'returns true if user has signed up using omniauth-ultraauth' do
+        user = create(:omniauth_user, provider: 'ultraauth')
+        allow(controller).to receive(:current_user).and_return(user)
+
+        expect(subject).to be_truthy
+      end
    end

    describe '#two_factor_grace_period' do

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1769,6 +1769,26 @@ describe User do
    end
  end

+  describe '#ultraauth_user?' do
+    it 'is true if provider is ultraauth' do
+      user = create(:omniauth_user, provider: 'ultraauth')
+
+      expect(user.ultraauth_user?).to be_truthy
+    end
+
+    it 'is false with othe provider' do
+      user = create(:omniauth_user, provider: 'not-ultraauth')
+
+      expect(user.ultraauth_user?).to be_falsey
+    end
+
+    it 'is false if no extern_uid is provided' do
+      user = create(:omniauth_user, extern_uid: nil)
+
+      expect(user.ldap_user?).to be_falsey
+    end
+  end
+
  describe '#full_website_url' do
    let(:user) { create(:user) }

@@ -2807,6 +2827,12 @@ describe User do

      expect(user.allow_password_authentication_for_web?).to be_falsey
    end
+
+    it 'returns false for ultraauth user' do
+      user = create(:omniauth_user, provider: 'ultraauth')
+
+      expect(user.allow_password_authentication_for_web?).to be_falsey
+    end
  end

  describe '#allow_password_authentication_for_git?' do
@@ -2829,6 +2855,12 @@ describe User do

      expect(user.allow_password_authentication_for_git?).to be_falsey
    end
+
+    it 'returns false for ultraauth user' do
+      user = create(:omniauth_user, provider: 'ultraauth')
+
+      expect(user.allow_password_authentication_for_git?).to be_falsey
+    end
  end

  describe '#assigned_open_merge_requests_count' do