Module: AuthHelper
- Extended by:
- AuthHelper
- Included in:
- AuthHelper, OmniauthCallbacksController, Profiles::AccountsController
- Defined in:
- app/helpers/auth_helper.rb
Constant Summary
# Providers that ship with a packaged sign-in button image (see #provider_image_tag,
# which looks up "auth_buttons/<first word of the name>_<size>.png").
PROVIDERS_WITH_ICONS = %w[
  alicloud atlassian_oauth2 auth0 azure_activedirectory_v2 azure_oauth2 bitbucket
  github gitlab google_oauth2 jwt openid_connect shibboleth twitter
].freeze

# Matches any provider whose name starts with "ldap". Anchored with \A (start of
# the whole string), not ^ (start of a line), so a name cannot match on a later line.
LDAP_PROVIDER = /\Aldap/

# Providers listed first among the sign-in buttons (see #enabled_button_based_providers).
POPULAR_PROVIDERS = %w[google_oauth2 github].freeze

# Number of hex byte pairs in a SHA-1 / SHA-256 certificate fingerprint
# (see #certificate_fingerprint_algorithm).
SHA1_CHAR_PAIR_COUNT = 20
SHA256_CHAR_PAIR_COUNT = 32
Instance Method Summary
- #allow_admin_mode_password_authentication_for_web? ⇒ Boolean
- #any_form_based_providers_enabled? ⇒ Boolean
-
#auth_active?(provider) ⇒ Boolean
rubocop: disable CodeReuse/ActiveRecord.
- #auth_app_owner_text(owner) ⇒ Object
- #auth_providers ⇒ Object
- #button_based_providers ⇒ Object
- #button_based_providers_enabled? ⇒ Boolean
- #certificate_fingerprint_algorithm(fingerprint) ⇒ Object
- #codes_two_factor_authentication_data(password_required) ⇒ Object
- #crowd_enabled? ⇒ Boolean
- #delete_otp_authenticator_data(password_required) ⇒ Object
- #delete_webauthn_device_data(password_required, path) ⇒ Object
- #disable_two_factor_authentication_data(password_required) ⇒ Object
- #display_providers_on_profile? ⇒ Boolean
- #enabled_button_based_providers ⇒ Object
- #enabled_button_based_providers_for_signup ⇒ Object
- #form_based_auth_provider_has_active_class?(provider) ⇒ Boolean
- #form_based_provider?(name) ⇒ Boolean
- #form_based_provider_priority ⇒ Object
- #form_based_provider_with_highest_priority ⇒ Object
- #form_based_providers ⇒ Object
- #form_enabled_for_sign_in?(provider) ⇒ Boolean
- #icon_for_provider(name) ⇒ Object
- #label_for_provider(name) ⇒ Object
- #ldap_enabled? ⇒ Boolean
- #ldap_sign_in_enabled? ⇒ Boolean
- #link_provider_allowed?(provider) ⇒ Boolean
- #oidc_providers ⇒ Object
- #omniauth_enabled? ⇒ Boolean
- #popular_enabled_button_based_providers ⇒ Object
- #provider_has_builtin_icon?(name) ⇒ Boolean
- #provider_has_custom_icon?(name) ⇒ Boolean
- #provider_has_icon?(name) ⇒ Boolean
- #provider_image_tag(provider, size = 64) ⇒ Object
- #providers_for_base_controller ⇒ Object
- #saml_providers ⇒ Object
- #signup_button_based_providers_enabled? ⇒ Boolean
- #step_up_auth_params(provider_name, step_up_auth_scope) ⇒ Object
- #test_id_for_provider(provider) ⇒ Object
-
#unlink_provider_allowed?(provider) ⇒ Boolean
rubocop: enable CodeReuse/ActiveRecord.
Instance Method Details
#allow_admin_mode_password_authentication_for_web? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 219
# Whether the current user may confirm admin mode with their password in the web UI.
#
# Requires that web password authentication is allowed for this user and that the
# password was not set automatically (an auto-generated password is not known to
# the user, so it cannot serve as a re-authentication factor).
#
# @return [Boolean]
def allow_admin_mode_password_authentication_for_web?
  user = current_user
  password_allowed = user.allow_password_authentication_for_web?
  password_allowed && !user.password_automatically_set?
end
#any_form_based_providers_enabled? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 125
# True when at least one form-based provider (LDAP or Crowd) can currently be used
# to sign in. LDAP providers only count while LDAP sign-in is enabled
# (see #form_enabled_for_sign_in?).
#
# @return [Boolean]
def any_form_based_providers_enabled?
  form_based_providers.each do |provider|
    return true if form_enabled_for_sign_in?(provider)
  end

  false
end
#auth_active?(provider) ⇒ Boolean
rubocop: disable CodeReuse/ActiveRecord
# File 'app/helpers/auth_helper.rb', line 204
# Whether the current user already has an identity linked for +provider+.
#
# Atlassian is special-cased: it lives in a dedicated +atlassian_identity+ rather
# than an +identities+ row. That branch only triggers for the symbol
# +:atlassian_oauth2+; a string of the same name falls through to the identities
# lookup (which is done with the stringified provider name).
#
# @param provider [Symbol, String] provider name
# @return [Boolean]
def auth_active?(provider)
  if provider == :atlassian_oauth2
    current_user.atlassian_identity.present?
  else
    current_user.identities.exists?(provider: provider.to_s)
  end
end
#auth_app_owner_text(owner) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 223
# Sentence describing who added an OAuth application.
#
# With no owner the application was added by an administrator and a plain
# translated string is returned. Otherwise the owner (a Group or, by default, a
# user) is rendered as a link: the name passes through +link_to+ and the result is
# interpolated via +safe_format+, so the owner-controlled name is escaped rather
# than inserted raw into the template.
#
# @param owner [Group, User, nil]
# @return [String]
def auth_app_owner_text(owner)
  return _('An administrator added this OAuth application ') unless owner

  case owner
  when Group
    group_link = link_to(owner.name, group_path(owner))
    safe_format(_("%{group_link} added this OAuth application "), group_link: group_link)
  else
    user_link = link_to(owner.name, user_path(owner))
    safe_format(_("%{user_link} added this OAuth application "), user_link: user_link)
  end
end
#auth_providers ⇒ Object
# File 'app/helpers/auth_helper.rb', line 73
# All OmniAuth providers configured for this instance, as reported by the OAuth
# provider registry. Other helpers here compare the elements with symbols
# (e.g. +include? :crowd+), so they are presumably symbols — verify in the registry.
#
# @return [Array] provider names
def auth_providers
  registry = Gitlab::Auth::OAuth::Provider
  registry.providers
end
#button_based_providers ⇒ Object
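# File 'app/helpers/auth_helper.rb', line 139
# Providers rendered as sign-in buttons: every configured provider that is not
# form-based (LDAP and Crowd get a username/password form instead).
#
# NOTE(review): the method name was dropped by the doc renderer on this page and
# is restored from the page heading `#button_based_providers`.
#
# @return [Array] provider names, in the order returned by #auth_providers
def button_based_providers
  auth_providers.reject { |provider| form_based_provider?(provider) }
end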
#button_based_providers_enabled? ⇒ Boolean
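# File 'app/helpers/auth_helper.rb', line 164
# Whether at least one button-based provider is enabled for sign-in.
#
# NOTE(review): both the method name and the receiver of `.any?` were dropped by
# the doc renderer. The name is restored from the page heading; the receiver is
# assumed to be #enabled_button_based_providers (the list this module builds for
# the sign-in buttons) — confirm against app/helpers/auth_helper.rb.
#
# @return [Boolean]
def button_based_providers_enabled?
  enabled_button_based_providers.any?
end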
#certificate_fingerprint_algorithm(fingerprint) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 294
# Guess the digest algorithm of a certificate fingerprint from its length.
#
# Counts hex byte pairs (separators such as ":" are ignored, case-insensitive):
# 20 pairs is treated as SHA-1 and 32 pairs as SHA-256. Any other count — a
# SHA-384/512 fingerprint, or a malformed string — yields nil, so callers must
# handle a nil algorithm rather than assume one of the two.
#
# @param fingerprint [String]
# @return [String, nil] the XMLSecurity::Document digest constant, or nil
def certificate_fingerprint_algorithm(fingerprint)
  hex_pairs = fingerprint.scan(/[0-9a-f]{2}/i).length

  if hex_pairs == SHA1_CHAR_PAIR_COUNT
    # v2.x will change to RubySaml::XML::SHA1
    XMLSecurity::Document::SHA1
  elsif hex_pairs == SHA256_CHAR_PAIR_COUNT
    # v2.x will change to RubySaml::XML::SHA256
    XMLSecurity::Document::SHA256
  end
end
#codes_two_factor_authentication_data(password_required) ⇒ Object
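# File 'app/helpers/auth_helper.rb', line 278
# Data attributes for the "Regenerate recovery codes" button on the 2FA page.
#
# NOTE(review): the name of the local holding the confirmation message was dropped
# by the doc renderer (`... = if password_required` / `message: ,`); restored as
# +message+.
#
# @param password_required [Boolean] whether the user must re-enter their password
#   to confirm; it also selects the longer message and is emitted as the string
#   "true"/"false" under :password_required
# @return [Hash] keys: button_text, message, method, path, password_required, variant
def codes_two_factor_authentication_data(password_required)
  message =
    if password_required
      _('Are you sure you want to regenerate recovery codes? ' \
        'Enter your password to continue.')
    else
      _('Are you sure you want to regenerate recovery codes?')
    end

  {
    button_text: _('Regenerate recovery codes'),
    message: message,
    method: 'post',
    path: codes_profile_two_factor_auth_path,
    password_required: password_required.to_s,
    variant: 'default'
  }
end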
#crowd_enabled? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 135
# Whether Atlassian Crowd is among the configured providers.
#
# @return [Boolean]
def crowd_enabled?
  configured = auth_providers
  configured.include?(:crowd)
end
#delete_otp_authenticator_data(password_required) ⇒ Object
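# File 'app/helpers/auth_helper.rb', line 235
# Data attributes for the "Delete one-time password authenticator" button.
#
# NOTE(review): the local holding the confirmation message lost its name in the doc
# rendering (`... = if password_required` / `message: ,`); restored as +message+.
#
# @param password_required [Boolean] whether the user must confirm with their
#   password; also emitted as the string "true"/"false" under :password_required
# @return [Hash] keys: button_text, message, path, password_required
def delete_otp_authenticator_data(password_required)
  message =
    if password_required
      _('Are you sure you want to delete this one-time password authenticator? ' \
        'Enter your password to continue.')
    else
      _('Are you sure you want to delete this one-time password authenticator?')
    end

  {
    button_text: _('Delete one-time password authenticator'),
    message: message,
    path: destroy_otp_profile_two_factor_auth_path,
    password_required: password_required.to_s
  }
end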
#delete_webauthn_device_data(password_required, path) ⇒ Object
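# File 'app/helpers/auth_helper.rb', line 249
# Data attributes for the "Delete WebAuthn device" button.
#
# NOTE(review): the local holding the confirmation message lost its name in the doc
# rendering (`... = if password_required` / `message: ,`); restored as +message+.
#
# @param password_required [Boolean] whether the user must confirm with their
#   password; also emitted as the string "true"/"false" under :password_required
# @param path [String] the deletion route for this specific device; it is emitted
#   verbatim under :path, so the caller must supply a route it has already scoped
#   to the current user's device
# @return [Hash] keys: button_text, icon, message, path, password_required
def delete_webauthn_device_data(password_required, path)
  message =
    if password_required
      _('Are you sure you want to delete this WebAuthn device? ' \
        'Enter your password to continue.')
    else
      _('Are you sure you want to delete this WebAuthn device?')
    end

  {
    button_text: _('Delete WebAuthn device'),
    icon: 'remove',
    message: message,
    path: path,
    password_required: password_required.to_s
  }
end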
#disable_two_factor_authentication_data(password_required) ⇒ Object
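# File 'app/helpers/auth_helper.rb', line 264
# Data attributes for the "Disable two-factor authentication" button, which
# invalidates both the OTP authenticator and all WebAuthn devices.
#
# NOTE(review): the local holding the confirmation message lost its name in the doc
# rendering (`... = if password_required` / `message: ,`); restored as +message+.
#
# @param password_required [Boolean] whether the user must confirm with their
#   password; also emitted as the string "true"/"false" under :password_required
# @return [Hash] keys: button_text, message, path, password_required
def disable_two_factor_authentication_data(password_required)
  message =
    if password_required
      _('Are you sure you want to invalidate your one-time password authenticator and WebAuthn devices? ' \
        'Enter your password to continue. This action cannot be undone.')
    else
      _('Are you sure you want to invalidate your one-time password authenticator and WebAuthn devices?')
    end

  {
    button_text: _('Disable two-factor authentication'),
    message: message,
    path: profile_two_factor_auth_path,
    password_required: password_required.to_s
  }
end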
#display_providers_on_profile? ⇒ Boolean
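# File 'app/helpers/auth_helper.rb', line 143
# Whether the profile page should show the connected-accounts provider section.
#
# NOTE(review): the receiver of `.any?` was dropped by the doc renderer. It is
# assumed to be #button_based_providers (all configured button providers, whether
# or not an admin disabled them for sign-in) — confirm against
# app/helpers/auth_helper.rb; #enabled_button_based_providers is the other candidate.
#
# @return [Boolean]
def display_providers_on_profile?
  button_based_providers.any?
end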
#enabled_button_based_providers ⇒ Object
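# File 'app/helpers/auth_helper.rb', line 151
# Button-based providers an administrator has not disabled for sign-in, as strings,
# with POPULAR_PROVIDERS first (in their listed order). The remaining providers all
# share the same sort key, and +sort_by+ is not guaranteed stable, so their relative
# order is not defined.
#
# NOTE(review): the receiver of `.map(&:to_s)` was dropped by the doc renderer; it is
# assumed to be #button_based_providers — confirm against app/helpers/auth_helper.rb.
#
# @return [Array<String>]
def enabled_button_based_providers
  disabled_providers = Gitlab::CurrentSettings.disabled_oauth_sign_in_sources || []

  # Compared as strings; the disabled list from settings is presumably string-valued — verify.
  providers = button_based_providers.map(&:to_s) - disabled_providers
  providers.sort_by do |provider|
    POPULAR_PROVIDERS.index(provider) || POPULAR_PROVIDERS.length
  end
end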
#enabled_button_based_providers_for_signup ⇒ Object
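# File 'app/helpers/auth_helper.rb', line 38
# Button-based providers that may also be used to sign *up* (create an account),
# derived from the omniauth +allow_single_sign_on+ setting:
#
# * an Array   -> only the enabled providers named in it (intersection);
# * other truthy value -> every enabled button-based provider;
# * false/nil  -> none.
#
# NOTE(review): the method name and both receivers were dropped by the doc
# renderer; restored from the page heading and as #enabled_button_based_providers —
# confirm against app/helpers/auth_helper.rb. The Array branch only works if the
# setting lists provider names as strings (what #enabled_button_based_providers
# returns); symbols would never intersect — verify how the config is normalised.
#
# @return [Array<String>]
def enabled_button_based_providers_for_signup
  allow_single_sign_on = Gitlab.config.omniauth.allow_single_sign_on

  if allow_single_sign_on.is_a?(Array)
    enabled_button_based_providers & allow_single_sign_on
  elsif allow_single_sign_on
    enabled_button_based_providers
  else
    []
  end
end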
#form_based_auth_provider_has_active_class?(provider) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 96
# Whether +provider+ is the form-based provider whose sign-in tab is rendered as
# active (the highest-priority one, see #form_based_provider_with_highest_priority).
#
# @param provider [Symbol, String]
# @return [Boolean]
def form_based_auth_provider_has_active_class?(provider)
  active_provider = form_based_provider_with_highest_priority
  active_provider == provider
end
#form_based_provider?(name) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 100
# Whether +name+ is a provider that signs in through a username/password form:
# any "ldap*" provider (LDAP_PROVIDER, anchored at the start of the string) or Crowd.
#
# @param name [Symbol, String]
# @return [Boolean]
def form_based_provider?(name)
  provider_name = name.to_s
  LDAP_PROVIDER.match?(provider_name) || provider_name == 'crowd'
end
#form_based_provider_priority ⇒ Object
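# File 'app/helpers/auth_helper.rb', line 85
# Patterns, highest priority first, used by #form_based_provider_with_highest_priority
# to decide which form-based sign-in tab is active: Crowd wins over any LDAP server.
#
# Uses LDAP_PROVIDER (anchored with \A) instead of a separate /^ldap/ literal so this
# list agrees with #form_based_provider? and #providers_for_base_controller;
# `^` anchors to a line start, `\A` to the start of the whole string.
#
# @return [Array<String, Regexp>]
def form_based_provider_priority
  ['crowd', LDAP_PROVIDER]
end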
#form_based_provider_with_highest_priority ⇒ Object
# File 'app/helpers/auth_helper.rb', line 89
# The form-based provider whose sign-in tab is shown as active: the first pattern
# from #form_based_provider_priority ('crowd', then any ldap*) that matches one of
# #form_based_providers. Memoised on the helper instance via the ivar.
#
# NOTE(review): when no provider matches, `each` runs to completion and returns its
# receiver, so the memoised value is the priority array itself rather than nil.
# Callers comparing with `==` (see #form_based_auth_provider_has_active_class?)
# still get false, but a plain truthiness check on this method would wrongly
# succeed — looks unintended; confirm before relying on a nil return here.
#
# @return [Object] the matching element of #form_based_providers, or the priority
#   array when nothing matches
def form_based_provider_with_highest_priority
  @form_based_provider_with_highest_priority ||= form_based_provider_priority.each do |provider_regexp|
    highest_priority = form_based_providers.find { |provider| provider.match?(provider_regexp) }
    # `break` with a value makes it the result of `each`, and so the memoised value.
    break highest_priority unless highest_priority.nil?
  end
end
#form_based_providers ⇒ Object
# File 'app/helpers/auth_helper.rb', line 104
# Configured providers that sign in through a username/password form (LDAP, Crowd);
# the complement of #button_based_providers.
#
# @return [Array] provider names, in #auth_providers order
def form_based_providers
  auth_providers.filter { |provider| form_based_provider?(provider) }
end
#form_enabled_for_sign_in?(provider) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 129
# Whether the sign-in form for a form-based provider should be offered.
#
# Only LDAP providers can be switched off here (via the LDAP sign-in setting);
# every other provider is reported as enabled unconditionally.
#
# @param provider [Symbol, String]
# @return [Boolean]
def form_enabled_for_sign_in?(provider)
  ldap_provider = provider.to_s.match?(LDAP_PROVIDER)
  ldap_provider ? ldap_sign_in_enabled? : true
end
#icon_for_provider(name) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 81
# The admin-configured icon for a provider, looked up in the OAuth provider
# registry. Used both as a truthy "has custom icon" check and as an image source
# by #provider_image_tag.
#
# @param name [String, Symbol]
# @return [Object] whatever the registry returns for the icon (nil when none, presumably)
def icon_for_provider(name)
  registry = Gitlab::Auth::OAuth::Provider
  registry.icon_for(name)
end
#label_for_provider(name) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 77
# Human-readable label for a provider, from the OAuth provider registry.
#
# @param name [String, Symbol]
# @return [String]
def label_for_provider(name)
  registry = Gitlab::Auth::OAuth::Provider
  registry.label_for(name)
end
#ldap_enabled? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 26
# Whether LDAP is enabled at all in this instance's configuration.
#
# @return [Boolean]
def ldap_enabled?
  ldap_config = Gitlab::Auth::Ldap::Config
  ldap_config.enabled?
end
#ldap_sign_in_enabled? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 30
# Whether users may sign in with LDAP (distinct from #ldap_enabled?: LDAP can be
# configured for other purposes while web sign-in is turned off).
#
# @return [Boolean]
def ldap_sign_in_enabled?
  ldap_config = Gitlab::Auth::Ldap::Config
  ldap_config.sign_in_enabled?
end
#link_provider_allowed?(provider) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 215
# Authorization check: may the current user link an identity from +provider+?
# Delegates to IdentityProviderPolicy, the same policy class #unlink_provider_allowed?
# uses, so view and controller decisions come from one place.
#
# @param provider [Symbol, String]
# @return [Boolean]
def link_provider_allowed?(provider)
  policy = IdentityProviderPolicy.new(current_user, provider)
  policy.can?(:link)
end
#oidc_providers ⇒ Object
# File 'app/helpers/auth_helper.rb', line 116
# Names of the configured providers that use OpenID Connect: the provider literally
# named "openid_connect" plus any provider whose args.strategy_class is the
# OmniAuth OpenIDConnect strategy. Mirrors #saml_providers.
#
# @return [Array<Symbol>]
def oidc_providers
  Gitlab.config.omniauth.providers.filter_map do |provider|
    oidc = provider.name == 'openid_connect' ||
      provider.dig('args', 'strategy_class') == 'OmniAuth::Strategies::OpenIDConnect'

    provider.name.to_sym if oidc
  end
end
#omniauth_enabled? ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 34
# Whether OmniAuth sign-in is enabled for this instance.
#
# @return [Boolean]
def omniauth_enabled?
  auth = Gitlab::Auth
  auth.omniauth_enabled?
end
#popular_enabled_button_based_providers ⇒ Object
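# File 'app/helpers/auth_helper.rb', line 160
# The subset of enabled button-based providers listed in POPULAR_PROVIDERS, in the
# order of #enabled_button_based_providers (which already puts them first).
#
# NOTE(review): the method name and the left operand of `&` were dropped by the doc
# renderer; restored from the page heading and as #enabled_button_based_providers
# (the string-valued list here, matching POPULAR_PROVIDERS' strings) — confirm
# against app/helpers/auth_helper.rb.
#
# @return [Array<String>]
def popular_enabled_button_based_providers
  enabled_button_based_providers & POPULAR_PROVIDERS
end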
#provider_has_builtin_icon?(name) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 56
# Whether a packaged button image exists for the provider (see PROVIDERS_WITH_ICONS).
#
# @param name [String, Symbol]
# @return [Boolean]
def provider_has_builtin_icon?(name)
  provider_name = name.to_s
  PROVIDERS_WITH_ICONS.include?(provider_name)
end
#provider_has_custom_icon?(name) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 52
# Whether an admin-configured icon exists for the provider.
#
# Not a strict boolean: returns whatever #icon_for_provider returns (the icon value,
# or its nil/false "none" value), which callers use for its truthiness. Note that
# #provider_image_tag calls #icon_for_provider a second time for the image source.
#
# @param name [String, Symbol]
# @return [Object]
def provider_has_custom_icon?(name)
  provider_name = name.to_s
  icon_for_provider(provider_name)
end
#provider_has_icon?(name) ⇒ Boolean
# File 'app/helpers/auth_helper.rb', line 60
# Whether the provider has any icon: a packaged one (checked first) or a custom one.
# Like #provider_has_custom_icon?, the custom branch returns the icon value itself
# rather than a strict boolean.
#
# @param name [String, Symbol]
# @return [Boolean, Object]
def provider_has_icon?(name)
  return true if provider_has_builtin_icon?(name)

  provider_has_custom_icon?(name)
end
#provider_image_tag(provider, size = 64) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 189
# Image (or fallback text) for a provider's sign-in button.
#
# Preference order: an admin-configured icon (its value from #icon_for_provider is
# used directly as the image source), then a packaged asset named after the first
# underscore-separated word of the provider name and the requested size, else the
# plain label. The label is used for both alt and title.
#
# @param provider [String, Symbol]
# @param size [Integer] pixel size of the packaged asset to pick (default 64);
#   it is interpolated into the asset path, so callers pass a size that exists
# @return [String] an image tag, or the bare label when no icon is available
def provider_image_tag(provider, size = 64)
  label = label_for_provider(provider)
  title = "Sign in with #{label}"

  if provider_has_custom_icon?(provider)
    image_tag(icon_for_provider(provider), alt: label, title: title, class: "gl-button-icon")
  elsif provider_has_builtin_icon?(provider)
    base_name = provider.to_s.split('_').first
    image_tag("auth_buttons/#{base_name}_#{size}.png", alt: label, title: title, class: "gl-button-icon")
  else
    label
  end
end
#providers_for_base_controller ⇒ Object
# File 'app/helpers/auth_helper.rb', line 147
# Configured providers minus LDAP ones (LDAP callbacks are handled elsewhere).
# +grep_v+ applies LDAP_PROVIDER with ===, exactly like the original reject.
#
# @return [Array] provider names, in #auth_providers order
def providers_for_base_controller
  auth_providers.grep_v(LDAP_PROVIDER)
end
#saml_providers ⇒ Object
# File 'app/helpers/auth_helper.rb', line 108
# Names of the configured providers that use SAML: the provider literally named
# "saml" plus any provider whose args.strategy_class is the OmniAuth SAML
# strategy. Mirrors #oidc_providers.
#
# @return [Array<Symbol>]
def saml_providers
  Gitlab.config.omniauth.providers.filter_map do |provider|
    saml = provider.name == 'saml' ||
      provider.dig('args', 'strategy_class') == 'OmniAuth::Strategies::SAML'

    provider.name.to_sym if saml
  end
end
#signup_button_based_providers_enabled? ⇒ Boolean
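# File 'app/helpers/auth_helper.rb', line 48
# Whether any button-based provider can be offered on the sign-up page: OmniAuth
# must be enabled and at least one provider allowed for single sign-on sign-up.
#
# NOTE(review): the method name and the receiver of `.any?` were dropped by the doc
# renderer; restored from the page heading and as
# #enabled_button_based_providers_for_signup (the sign-up-specific list) — confirm
# against app/helpers/auth_helper.rb.
#
# @return [Boolean]
def signup_button_based_providers_enabled?
  omniauth_enabled? && enabled_button_based_providers_for_signup.any?
end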
#step_up_auth_params(provider_name, step_up_auth_scope) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 168
# Extra request parameters for an OmniAuth authorization request when the provider
# must perform step-up authentication for +step_up_auth_scope+ (the feature flag
# name suggests admin mode is the intended scope — confirm).
#
# Returns an empty hash when the feature flag is off for the current user or the
# provider has no `step_up_auth.<scope>` configuration. Otherwise the configured
# `params` are merged over `{ step_up_auth_scope: scope }` and every Hash value is
# JSON-encoded so it travels as a single query parameter.
#
# NOTE(review): because configured params are merged *over* the base hash, a
# config entry keyed `step_up_auth_scope` would override the scope passed in by
# the caller if config keys are symbolised — looks unintended; verify.
#
# @param provider_name [String, Symbol]
# @param step_up_auth_scope [String, Symbol]
# @return [Hash]
def step_up_auth_params(provider_name, step_up_auth_scope)
  return {} if Feature.disabled?(:omniauth_step_up_auth_for_admin_mode, current_user)

  # Provider configuration for this step-up scope, or nil at any missing level.
  provider_config = Gitlab::Auth::OAuth::Provider
    .config_for(provider_name)
    &.dig('step_up_auth', step_up_auth_scope.to_s)
    &.to_h
  return {} if provider_config.blank?

  params = { step_up_auth_scope: step_up_auth_scope }.merge(provider_config['params'].to_h)
  params.transform_values { |value| value.is_a?(Hash) ? value.to_json : value }
end
#test_id_for_provider(provider) ⇒ Object
# File 'app/helpers/auth_helper.rb', line 64
# The data-testid used for a provider's sign-in button in feature tests; nil for
# providers without a dedicated id. The name is interned with +to_sym+, so this is
# meant for configured provider names, not arbitrary request input.
#
# @param provider [String, Symbol]
# @return [String, nil]
def test_id_for_provider(provider)
  case provider.to_sym
  when :saml then 'saml-login-button'
  when :openid_connect then 'oidc-login-button'
  when :github then 'github-login-button'
  when :gitlab then 'gitlab-oauth-login-button'
  end
end
#unlink_provider_allowed?(provider) ⇒ Boolean
rubocop: enable CodeReuse/ActiveRecord
# File 'app/helpers/auth_helper.rb', line 211
# Authorization check: may the current user unlink their identity from +provider+?
# Delegates to IdentityProviderPolicy, the same policy class #link_provider_allowed?
# uses, so view and controller decisions come from one place.
#
# @param provider [Symbol, String]
# @return [Boolean]
def unlink_provider_allowed?(provider)
  policy = IdentityProviderPolicy.new(current_user, provider)
  policy.can?(:unlink)
end