Module: AuthHelper

Extended by:
AuthHelper
Included in:
AuthHelper, OmniauthCallbacksController, Profiles::AccountsController
Defined in:
app/helpers/auth_helper.rb

Constant Summary

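# Providers for which an image_tag("auth_buttons/<name>_<size>.png") is rendered
# by provider_image_tag; membership is tested on the provider's String name.
PROVIDERS_WITH_ICONS = %w[
  alicloud
  atlassian_oauth2
  auth0
  azure_activedirectory_v2
  azure_oauth2
  bitbucket
  github
  gitlab
  google_oauth2
  jwt
  openid_connect
  shibboleth
  twitter
].freeze

# Matches any provider name that begins with "ldap" (ldapmain, ldapsecondary, ...).
# \A anchors to the start of the whole string, not to the start of a line.
LDAP_PROVIDER = /\Aldap/

# Providers ranked first by enabled_button_based_providers and used by
# popular_enabled_button_based_providers. The rendered page dropped the
# constant name in front of this literal; it is restored from the references
# to POPULAR_PROVIDERS elsewhere in this module.
POPULAR_PROVIDERS = %w[google_oauth2 github].freeze

# Number of hex byte pairs in a SHA-1 (160-bit) and SHA-256 (256-bit)
# certificate fingerprint; see certificate_fingerprint_algorithm.
SHA1_CHAR_PAIR_COUNT = 20
SHA256_CHAR_PAIR_COUNT = 32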

Instance Method Summary

Instance Method Details

#allow_admin_mode_password_authentication_for_web? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 219

# Whether the current user may re-enter admin mode with a password on the web UI:
# password authentication must be allowed for the user and the password must not
# have been generated automatically (e.g. for an account that signs in via SSO).
#
# @return [Boolean]
def allow_admin_mode_password_authentication_for_web?
  password_auth_allowed = current_user.allow_password_authentication_for_web?
  password_auth_allowed && !current_user.password_automatically_set?
end

#any_form_based_providers_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 125

# Whether at least one form-based provider (LDAP / crowd) may be offered on
# the sign-in page; see form_enabled_for_sign_in?.
#
# @return [Boolean]
def any_form_based_providers_enabled?
  form_based_providers.each do |provider|
    return true if form_enabled_for_sign_in?(provider)
  end

  false
end

#auth_active?(provider) ⇒ Boolean

rubocop: disable CodeReuse/ActiveRecord

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 204

# Whether the current user already has an identity linked for +provider+.
#
# Atlassian is read from +current_user.atlassian_identity+; every other provider
# is looked up in the +identities+ relation by its String name (this is the
# direct ActiveRecord query the surrounding rubocop disable refers to).
#
# @param provider [Symbol, String]
# @return [Boolean]
def auth_active?(provider)
  if provider == :atlassian_oauth2
    current_user.atlassian_identity.present?
  else
    current_user.identities.exists?(provider: provider.to_s)
  end
end

#auth_app_owner_text(owner) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 223

# Attribution line for an OAuth application's owner.
#
# With no owner the application is attributed to an administrator. Otherwise a
# link to the owning Group or user is interpolated through safe_format, which
# handles escaping, so +owner.name+ is never concatenated into raw HTML.
#
# @param owner [Group, User, nil]
# @return [String] translated, HTML-safe text (note the trailing space)
def auth_app_owner_text(owner)
  return _('An administrator added this OAuth application ') unless owner

  if owner.is_a?(Group)
    safe_format(_("%{group_link} added this OAuth application "),
      group_link: link_to(owner.name, group_path(owner)))
  else
    safe_format(_("%{user_link} added this OAuth application "),
      user_link: link_to(owner.name, user_path(owner)))
  end
end

#auth_providers ⇒ Object



# File 'app/helpers/auth_helper.rb', line 73

# All configured OmniAuth providers, delegated to the provider registry.
#
# @return [Array] provider identifiers as returned by Gitlab::Auth::OAuth::Provider.providers
def auth_providers
  registry = Gitlab::Auth::OAuth::Provider
  registry.providers
end

#button_based_providers ⇒ Object



# File 'app/helpers/auth_helper.rb', line 139

# Providers rendered as a sign-in button, i.e. everything that is not a
# form-based (LDAP / crowd) provider.
#
# @return [Array]
def button_based_providers
  auth_providers.select { |provider| !form_based_provider?(provider) }
end

#button_based_providers_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 164

# Whether any button-based provider survives the instance's disabled list.
#
# @return [Boolean]
def button_based_providers_enabled?
  enabled = enabled_button_based_providers
  !enabled.none?
end

#certificate_fingerprint_algorithm(fingerprint) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 294

# Picks the digest algorithm for a SAML IdP certificate fingerprint from the
# number of hex byte pairs it contains (separators and case are ignored).
#
# Returns nil for any other length (for example a 16-pair MD5 fingerprint), so
# callers must handle nil rather than assume a digest constant.
#
# @param fingerprint [String] e.g. "AB:CD:..." or "abcd..."
# @return [Object, nil] XMLSecurity::Document::SHA1, ::SHA256 or nil
def certificate_fingerprint_algorithm(fingerprint)
  pair_count = fingerprint.scan(/[0-9a-f]{2}/i).size

  if pair_count == SHA1_CHAR_PAIR_COUNT
    # v2.x will change to RubySaml::XML::SHA1
    XMLSecurity::Document::SHA1
  elsif pair_count == SHA256_CHAR_PAIR_COUNT
    # v2.x will change to RubySaml::XML::SHA256
    XMLSecurity::Document::SHA256
  end
end

#codes_two_factor_authentication_data(password_required) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 278

# Attributes for the "Regenerate recovery codes" confirmation button.
#
# When +password_required+ is truthy the confirmation text also asks for the
# password; the flag itself is passed through as a String ("true"/"false").
# Unlike the other *_data helpers this one also sets +method+ and +variant+.
#
# @param password_required [Boolean]
# @return [Hash{Symbol => String}]
def codes_two_factor_authentication_data(password_required)
  message =
    if password_required
      _('Are you sure you want to regenerate recovery codes? Enter your password to continue.')
    else
      _('Are you sure you want to regenerate recovery codes?')
    end

  {
    button_text: _('Regenerate recovery codes'),
    message: message,
    method: 'post',
    path: codes_profile_two_factor_auth_path,
    password_required: password_required.to_s,
    variant: 'default'
  }
end

#crowd_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 135

# Whether the crowd provider is among the configured providers.
#
# @return [Boolean]
def crowd_enabled?
  auth_providers.any? { |provider| provider == :crowd }
end

#delete_otp_authenticator_data(password_required) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 235

# Attributes for the "Delete one-time password authenticator" confirmation
# button; same shape as delete_webauthn_device_data and
# disable_two_factor_authentication_data.
#
# @param password_required [Boolean] whether the confirmation must include the password
# @return [Hash{Symbol => String}] +password_required+ is stringified ("true"/"false")
def delete_otp_authenticator_data(password_required)
  message =
    if password_required
      _('Are you sure you want to delete this one-time password authenticator? Enter your password to continue.')
    else
      _('Are you sure you want to delete this one-time password authenticator?')
    end

  {
    button_text: _('Delete one-time password authenticator'),
    message: message,
    path: destroy_otp_profile_two_factor_auth_path,
    password_required: password_required.to_s
  }
end

#delete_webauthn_device_data(password_required, path) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 249

# Attributes for the "Delete WebAuthn device" confirmation button.
#
# The caller supplies +path+ (the device-specific destroy route); it is passed
# through unchanged, so it must already be a route helper result, never user input.
#
# @param password_required [Boolean]
# @param path [String]
# @return [Hash{Symbol => String}]
def delete_webauthn_device_data(password_required, path)
  message =
    if password_required
      _('Are you sure you want to delete this WebAuthn device? Enter your password to continue.')
    else
      _('Are you sure you want to delete this WebAuthn device?')
    end

  {
    button_text: _('Delete WebAuthn device'),
    icon: 'remove',
    message: message,
    path: path,
    password_required: password_required.to_s
  }
end

#disable_two_factor_authentication_data(password_required) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 264

# Attributes for the "Disable two-factor authentication" confirmation button.
# The message warns that the action invalidates both OTP and WebAuthn factors
# and cannot be undone.
#
# @param password_required [Boolean]
# @return [Hash{Symbol => String}]
def disable_two_factor_authentication_data(password_required)
  message =
    if password_required
      _('Are you sure you want to invalidate your one-time password authenticator and WebAuthn devices? Enter your password to continue. This action cannot be undone.')
    else
      _('Are you sure you want to invalidate your one-time password authenticator and WebAuthn devices?')
    end

  {
    button_text: _('Disable two-factor authentication'),
    message: message,
    path: profile_two_factor_auth_path,
    password_required: password_required.to_s
  }
end

#display_providers_on_profile? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 143

# Whether the profile page has any button-based providers to offer for linking.
# Note this does not consult the instance's disabled list (compare
# button_based_providers_enabled?).
#
# @return [Boolean]
def display_providers_on_profile?
  !button_based_providers.none?
end

#enabled_button_based_providers ⇒ Object



# File 'app/helpers/auth_helper.rb', line 151

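# Button-based providers that are enabled for sign-in, as Strings, with the
# POPULAR_PROVIDERS first (in that list's order) and all others after them.
#
# Providers listed in the instance-level disabled list are removed, so this is
# the set a sign-in page should actually render.
#
# @return [Array<String>]
def enabled_button_based_providers
  # NOTE(review): the setting name was lost from the rendered page and is
  # restored here as disabled_oauth_sign_in_sources; confirm against
  # app/helpers/auth_helper.rb.
  disabled_providers = Gitlab::CurrentSettings.disabled_oauth_sign_in_sources || []

  providers = button_based_providers.map(&:to_s) - disabled_providers

  # Every non-popular provider gets the same rank; sort_by is not stable, so
  # their relative order is unspecified.
  providers.sort_by do |provider|
    POPULAR_PROVIDERS.index(provider) || POPULAR_PROVIDERS.length
  end
end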

#enabled_button_based_providers_for_signup ⇒ Object



# File 'app/helpers/auth_helper.rb', line 38

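# Button-based providers that may be used to create an account, derived from
# Gitlab.config.omniauth.allow_single_sign_on:
#   * an Array  -> only enabled providers also listed there (compared with ==,
#                  so the config entries must be Strings like the provider names)
#   * truthy    -> every enabled button-based provider
#   * falsy     -> none
#
# @return [Array<String>]
def enabled_button_based_providers_for_signup
  # Method name restored from the page heading; the rendered listing lost it.
  allow_single_sign_on = Gitlab.config.omniauth.allow_single_sign_on

  if allow_single_sign_on.is_a?(Array)
    enabled_button_based_providers & allow_single_sign_on
  elsif allow_single_sign_on
    enabled_button_based_providers
  else
    []
  end
end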

#form_based_auth_provider_has_active_class?(provider) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 96

# Whether +provider+ is the form-based provider whose sign-in tab should be
# rendered as active (the highest-priority one).
#
# @param provider [Object] a value as yielded by form_based_providers
# @return [Boolean]
def form_based_auth_provider_has_active_class?(provider)
  active_provider = form_based_provider_with_highest_priority
  active_provider == provider
end

#form_based_provider?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 100

# Whether +name+ denotes a provider that signs in through a username/password
# form (any ldap* provider, or crowd) rather than an OAuth button.
#
# @param name [Symbol, String]
# @return [Boolean]
def form_based_provider?(name)
  provider_name = name.to_s
  LDAP_PROVIDER.match?(provider_name) || provider_name == 'crowd'
end

#form_based_provider_priority ⇒ Object



# File 'app/helpers/auth_helper.rb', line 85

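# Patterns tried in order by form_based_provider_with_highest_priority:
# crowd wins over any ldap* provider.
#
# Uses LDAP_PROVIDER (anchored with \A) instead of a separate /^ldap/ literal so
# the "is this LDAP?" test is the same one form_based_provider? and
# providers_for_base_controller use; ^ only anchors to a line start.
#
# @return [Array<String, Regexp>]
def form_based_provider_priority
  ['crowd', LDAP_PROVIDER]
end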

#form_based_provider_with_highest_priority ⇒ Object



# File 'app/helpers/auth_helper.rb', line 89

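# The form-based provider that should be shown as active: the first configured
# provider matching the earliest pattern in form_based_provider_priority.
#
# Returns nil when nothing matches. (Previously the +each+ fell through and the
# priority array itself was memoized as the "winner"; it only compared unequal
# to every provider by accident.) A nil result is not memoized by +||=+ and is
# simply recomputed on the next call.
#
# @return [Object, nil] a value as yielded by form_based_providers, or nil
def form_based_provider_with_highest_priority
  @form_based_provider_with_highest_priority ||= begin
    # Hoisted out of the loop: form_based_providers filters auth_providers each call.
    candidates = form_based_providers
    winner = nil

    form_based_provider_priority.each do |pattern|
      winner = candidates.find { |provider| provider.match?(pattern) }
      break if winner
    end

    winner
  end
end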

#form_based_providers ⇒ Object



# File 'app/helpers/auth_helper.rb', line 104

# Configured providers that sign in through a form (ldap* and crowd).
#
# @return [Array]
def form_based_providers
  auth_providers.reject { |provider| !form_based_provider?(provider) }
end

#form_enabled_for_sign_in?(provider) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 129

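# Whether a form-based provider may be offered on the sign-in page.
# Non-LDAP providers (crowd) are always allowed; ldap* providers only when LDAP
# sign-in is enabled.
#
# @param provider [Symbol, String]
# @return [Boolean]
def form_enabled_for_sign_in?(provider)
  return true unless provider.to_s.match?(LDAP_PROVIDER)

  # Restored: the rendered page lost this line. ldap_sign_in_enabled? is the
  # helper defined in this module; confirm against app/helpers/auth_helper.rb.
  ldap_sign_in_enabled?
end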

#icon_for_provider(name) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 81

# Custom icon configured for a provider, delegated to the provider registry.
#
# @param name [String, Symbol]
# @return [Object] whatever Gitlab::Auth::OAuth::Provider.icon_for returns (nil when none)
def icon_for_provider(name)
  registry = Gitlab::Auth::OAuth::Provider
  registry.icon_for(name)
end

#label_for_provider(name) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 77

# Human-readable label for a provider, delegated to the provider registry.
#
# @param name [String, Symbol]
# @return [Object] whatever Gitlab::Auth::OAuth::Provider.label_for returns
def label_for_provider(name)
  registry = Gitlab::Auth::OAuth::Provider
  registry.label_for(name)
end

#ldap_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 26

# Whether LDAP is enabled for this instance, per Gitlab::Auth::Ldap::Config.
#
# @return [Boolean]
def ldap_enabled?
  ldap_config = Gitlab::Auth::Ldap::Config
  ldap_config.enabled?
end

#ldap_sign_in_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 30

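# Whether signing in with LDAP credentials is enabled, per
# Gitlab::Auth::Ldap::Config. Distinct from ldap_enabled?: LDAP can be enabled
# for user sync while the sign-in form is switched off.
#
# @return [Boolean]
def ldap_sign_in_enabled?
  # Method and callee names restored from the page heading and the truncated
  # `Gitlab::Auth::Ldap::Config.` call; confirm against the Config class.
  Gitlab::Auth::Ldap::Config.sign_in_enabled?
end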

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 215

# Authorization check: may the current user link +provider+ to their account?
# Delegates to IdentityProviderPolicy, the same policy unlink_provider_allowed?
# consults, so the two stay in step.
#
# @param provider [Symbol, String]
# @return [Boolean]
def link_provider_allowed?(provider)
  policy = IdentityProviderPolicy.new(current_user, provider)
  policy.can?(:link)
end

#oidc_providersObject



# File 'app/helpers/auth_helper.rb', line 116

# Names of the configured OpenID Connect providers: the provider named
# "openid_connect" plus any provider whose args.strategy_class is the
# OpenIDConnect strategy (custom-named OIDC providers). Mirrors saml_providers.
#
# @return [Array<Symbol>]
def oidc_providers
  oidc_strategy = 'OmniAuth::Strategies::OpenIDConnect'

  Gitlab.config.omniauth.providers.filter_map do |provider|
    next unless provider.name == 'openid_connect' || provider.dig('args', 'strategy_class') == oidc_strategy

    provider.name.to_sym
  end
end

#omniauth_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 34

# Whether OmniAuth is enabled on this instance, delegated to Gitlab::Auth.
#
# @return [Boolean]
def omniauth_enabled?
  auth = Gitlab::Auth
  auth.omniauth_enabled?
end


# File 'app/helpers/auth_helper.rb', line 160

# The enabled button-based providers that are also in POPULAR_PROVIDERS,
# keeping the order (and de-duplication) of enabled_button_based_providers.
#
# @return [Array<String>]
def popular_enabled_button_based_providers
  enabled_button_based_providers.uniq.select { |provider| POPULAR_PROVIDERS.include?(provider) }
end

#provider_has_builtin_icon?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 56

# Whether a bundled auth_buttons image exists for +name+ (see PROVIDERS_WITH_ICONS).
#
# @param name [Symbol, String]
# @return [Boolean]
def provider_has_builtin_icon?(name)
  provider_name = name.to_s
  PROVIDERS_WITH_ICONS.any? { |known| known == provider_name }
end

#provider_has_custom_icon?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 52

# Whether an administrator configured a custom icon for +name+.
#
# Despite the +?+, this returns the icon value from icon_for_provider (or nil),
# not a strict Boolean; callers that need true/false should coerce.
#
# @param name [Symbol, String]
# @return [Object, nil]
def provider_has_custom_icon?(name)
  custom_icon = icon_for_provider(name.to_s)
  custom_icon
end

#provider_has_icon?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 60

# Whether +name+ has either a bundled or a custom icon.
#
# @param name [Symbol, String]
# @return [Boolean, Object, nil] true for a bundled icon, otherwise the value of provider_has_custom_icon?
def provider_has_icon?(name)
  return true if provider_has_builtin_icon?(name)

  provider_has_custom_icon?(name)
end

#provider_image_tag(provider, size = 64) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 189

# Icon for a sign-in button: a custom icon if configured, else the bundled
# auth_buttons/<provider>_<size>.png (provider name truncated at the first
# underscore), else just the label text.
#
# +provider+ comes from the configured provider list, not from the request;
# the attributes go through image_tag, which escapes them.
#
# @param provider [Symbol, String]
# @param size [Integer] pixel size of the bundled image (default 64)
# @return [String] HTML image tag, or the plain label when no icon exists
def provider_image_tag(provider, size = 64)
  label = label_for_provider(provider)
  icon_attrs = { alt: label, title: "Sign in with #{label}", class: "gl-button-icon" }

  return image_tag(icon_for_provider(provider), icon_attrs) if provider_has_custom_icon?(provider)
  return label unless provider_has_builtin_icon?(provider)

  base_name = provider.to_s.split('_').first
  image_tag("auth_buttons/#{base_name}_#{size}.png", icon_attrs)
end

#providers_for_base_controller ⇒ Object



# File 'app/helpers/auth_helper.rb', line 147

# All configured providers except the ldap* ones (grep_v applies LDAP_PROVIDER
# with ===, exactly as the reject-with-=== form does).
#
# @return [Array]
def providers_for_base_controller
  auth_providers.grep_v(LDAP_PROVIDER)
end

#saml_providers ⇒ Object



# File 'app/helpers/auth_helper.rb', line 108

# Names of the configured SAML providers: the provider named "saml" plus any
# provider whose args.strategy_class is the SAML strategy (custom-named SAML
# providers). Mirrors oidc_providers.
#
# @return [Array<Symbol>]
def saml_providers
  saml_strategy = 'OmniAuth::Strategies::SAML'

  Gitlab.config.omniauth.providers.filter_map do |provider|
    next unless provider.name == 'saml' || provider.dig('args', 'strategy_class') == saml_strategy

    provider.name.to_sym
  end
end

#signup_button_based_providers_enabled?Boolean

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 48

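# Whether the sign-up page should show any provider buttons: OmniAuth must be
# enabled and at least one provider must be allowed for sign-up.
#
# @return [Boolean]
def signup_button_based_providers_enabled?
  # Both names restored from this page's headings; the rendered listing lost
  # them. Confirm against app/helpers/auth_helper.rb.
  omniauth_enabled? && enabled_button_based_providers_for_signup.any?
end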

#step_up_auth_params(provider_name, step_up_auth_scope) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 168

# Extra OmniAuth request parameters for a step-up authentication flow
# (e.g. re-authenticating before admin mode).
#
# Returns {} when the feature flag is off for the current user or when the
# provider has no `step_up_auth.<scope>` configuration. Otherwise the
# provider's configured `params` are merged over { step_up_auth_scope: scope }
# — so a config `params` entry named step_up_auth_scope would override it — and
# any Hash-valued parameter is serialised to JSON so it survives the query string.
#
# @param provider_name [String, Symbol]
# @param step_up_auth_scope [String, Symbol]
# @return [Hash]
def step_up_auth_params(provider_name, step_up_auth_scope)
  return {} if Feature.disabled?(:omniauth_step_up_auth_for_admin_mode, current_user)

  scope_config = Gitlab::Auth::OAuth::Provider
    .config_for(provider_name)
    &.dig('step_up_auth', step_up_auth_scope.to_s)
    &.to_h
  return {} if scope_config.blank?

  params = { step_up_auth_scope: step_up_auth_scope }.merge(scope_config['params'].to_h)
  params.transform_values { |value| value.is_a?(Hash) ? value.to_json : value }
end

#test_id_for_provider(provider) ⇒ Object



# File 'app/helpers/auth_helper.rb', line 64

# data-testid used for a provider's sign-in button; nil for providers that
# have no dedicated id. +provider+ is a configured provider name, not request input.
#
# @param provider [Symbol, String]
# @return [String, nil]
def test_id_for_provider(provider)
  case provider.to_sym
  when :saml then 'saml-login-button'
  when :openid_connect then 'oidc-login-button'
  when :github then 'github-login-button'
  when :gitlab then 'gitlab-oauth-login-button'
  end
end

rubocop: enable CodeReuse/ActiveRecord

Returns:

  • (Boolean)


# File 'app/helpers/auth_helper.rb', line 211

# Authorization check: may the current user unlink +provider+ from their account?
# Delegates to IdentityProviderPolicy, the same policy link_provider_allowed?
# consults, so the two stay in step.
#
# @param provider [Symbol, String]
# @return [Boolean]
def unlink_provider_allowed?(provider)
  policy = IdentityProviderPolicy.new(current_user, provider)
  policy.can?(:unlink)
end