Class: Gitlab::Auth::TwoFactorAuthVerifier

Inherits:

Object

• Object
• Gitlab::Auth::TwoFactorAuthVerifier

Defined in:

lib/gitlab/auth/two_factor_auth_verifier.rb

Instance Attribute Summary

• #current_user ⇒ Object readonly

  Returns the value of attribute current_user.

• #request ⇒ Object readonly

  Returns the value of attribute request.

• #treat_email_otp_as_2fa ⇒ Object readonly

  Returns the value of attribute treat_email_otp_as_2fa.

Instance Method Summary

• #allow_2fa_bypass_for_provider ⇒ Object
• #current_user_needs_to_setup_two_factor? ⇒ Boolean
• #initialize(current_user, request = nil, treat_email_otp_as_2fa: false) ⇒ TwoFactorAuthVerifier constructor

  Parameters current_user: User The current user request: Default: nil treat_email_otp_as_2fa: Boolean.

• #two_factor_authentication_enforced? ⇒ Boolean
• #two_factor_authentication_reason ⇒ Object
• #two_factor_authentication_required? ⇒ Boolean

  – Admin mode does not matter in the context of verifying for two factor statuses.

• #two_factor_grace_period ⇒ Object
• #two_factor_grace_period_expired? ⇒ Boolean

Constructor Details

#initialize(current_user, request = nil, treat_email_otp_as_2fa: false) ⇒ TwoFactorAuthVerifier

Parameters

current_user: User

The current user

request: Default: nil treat_email_otp_as_2fa: Boolean. Default: false

If a user is enrolled in email-based OTP and this attribute is true, we
treat Email-based OTP like 2FA. This is useful when we want to block
things like password-authenticatable endpoints. Fails secure.
Conversely when the attribute is false, Email-OTP does not  count.
This is useful when we want high assurance, like  Instance / Group 2FA
enforcement settings.

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 19

def initialize(current_user, request = nil, treat_email_otp_as_2fa: false)
  @current_user = current_user
  @request = request
  @treat_email_otp_as_2fa = treat_email_otp_as_2fa
end

Instance Attribute Details

#current_user ⇒ Object (readonly)

Returns the value of attribute current_user.

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 6

def current_user
  @current_user
end

#request ⇒ Object (readonly)

Returns the value of attribute request.

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 6

def request
  @request
end

#treat_email_otp_as_2fa ⇒ Object (readonly)

Returns the value of attribute treat_email_otp_as_2fa.

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 6

def treat_email_otp_as_2fa
  @treat_email_otp_as_2fa
end

Instance Method Details

#allow_2fa_bypass_for_provider ⇒ Object

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 69

def allow_2fa_bypass_for_provider
  request.session[:provider_2FA].present? if request
end

#current_user_needs_to_setup_two_factor? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 51

def current_user_needs_to_setup_two_factor?
  current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled?
end

#two_factor_authentication_enforced? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 25

def two_factor_authentication_enforced?
  (two_factor_authentication_required? && two_factor_grace_period_expired?) ||
    (treat_email_otp_as_2fa && current_user&.email_based_otp_required?)
end

#two_factor_authentication_reason ⇒ Object

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 39

def two_factor_authentication_reason
  if Gitlab::CurrentSettings.require_two_factor_authentication?
    :global
  elsif Gitlab::CurrentSettings.require_admin_two_factor_authentication && current_user&.can_access_admin_area?
    :admin_2fa
  elsif current_user&.require_two_factor_authentication_from_group?
    :group
  else
    false
  end
end

#two_factor_authentication_required? ⇒ Boolean

– Admin mode does not matter in the context of verifying for two factor statuses

Returns:

• (Boolean)

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 31

def two_factor_authentication_required?
  return false if allow_2fa_bypass_for_provider

  Gitlab::CurrentSettings.require_two_factor_authentication? ||
    current_user&.require_two_factor_authentication_from_group? ||
    (Gitlab::CurrentSettings.require_admin_two_factor_authentication && current_user&.can_access_admin_area?)
end

#two_factor_grace_period ⇒ Object

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 55

def two_factor_grace_period
  periods = [Gitlab::CurrentSettings.two_factor_grace_period]
  periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group?
  periods.min
end

#two_factor_grace_period_expired? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 61

def two_factor_grace_period_expired?
  time = current_user&.otp_grace_period_started_at

  return false unless time

  two_factor_grace_period.hours.since(time).past?
end