Class: Gitlab::Auth::TwoFactorAuthVerifier

Inherits:
Object
  • Object
Defined in:
lib/gitlab/auth/two_factor_auth_verifier.rb

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(current_user, request = nil) ⇒ TwoFactorAuthVerifier

Returns a new instance of TwoFactorAuthVerifier.



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 8

# Builds a verifier for one user and, optionally, the request being served.
#
# Both arguments are stored as given; nothing is validated or looked up here.
#
# @param current_user [Object, nil] the user whose two-factor status is checked
# @param request [Object, nil] the current request; nil when none is supplied
def initialize(current_user, request = nil)
  @current_user, @request = current_user, request
end

Instance Attribute Details

#current_user ⇒ Object (readonly)

Returns the value of attribute current_user.



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 6

# Reader for the user this verifier was constructed with.
#
# @return [Object, nil] the value passed to the constructor as +current_user+
def current_user = @current_user

#request ⇒ Object (readonly)

Returns the value of attribute request.



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 6

# Reader for the request this verifier was constructed with.
#
# @return [Object, nil] the value passed to the constructor as +request+;
#   nil when the verifier was built without one
def request = @request

Instance Method Details

#allow_2fa_bypass_for_provider ⇒ Object



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 57

# Reports whether the current session carries the +:provider_2FA+ marker that
# exempts it from the two-factor requirement.
#
# The marker is honoured only while the
# +by_pass_two_factor_for_current_session+ feature flag is enabled, and only
# when a request was supplied to the verifier.
#
# NOTE(review): this method only reads +session[:provider_2FA]+; the code that
# writes it is not in this file. A present marker makes
# #two_factor_authentication_required? return false before any policy is
# consulted, so confirm the marker is set only after the sign-in provider has
# actually asserted a second factor, and that it does not outlive that session.
#
# @return [Boolean, nil] false when the flag is disabled, nil when there is no
#   request, otherwise whether the session marker is present
def allow_2fa_bypass_for_provider
  if Feature.disabled?(:by_pass_two_factor_for_current_session)
    false
  elsif request
    request.session[:provider_2FA].present?
  end
end

#current_user_needs_to_setup_two_factor? ⇒ Boolean

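rubocop:enable Cop/UserAdmin (a linter directive from the source file that the documentation generator picked up; it does not describe this method)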

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 39

# Tells whether the current user still has to enrol a second factor.
#
# That is the case when a user is present, +temp_oauth_email?+ is false for
# them, and they have not enabled two-factor authentication.
#
# @return [Boolean, nil] nil (or whatever falsy value +current_user+ holds)
#   when there is no user, otherwise true or false
def current_user_needs_to_setup_two_factor?
  user = current_user
  return user unless user

  !(user.temp_oauth_email? || user.two_factor_enabled?)
end

#two_factor_authentication_enforced? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 13

# Tells whether two-factor authentication must be in place right now: a
# requirement applies to the user and the grace period has already run out.
#
# The grace-period check is skipped when no requirement applies.
#
# @return [Boolean, nil] the falsy result of
#   #two_factor_authentication_required? when nothing is required, otherwise
#   the result of #two_factor_grace_period_expired?
def two_factor_authentication_enforced?
  required = two_factor_authentication_required?
  return required unless required

  two_factor_grace_period_expired?
end

#two_factor_authentication_reason ⇒ Object



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 26

# Names the policy that makes two-factor authentication a requirement.
#
# Checked in this order: the instance-wide setting, the administrator setting
# (for users where +admin?+ is true), then a group-imposed requirement.
#
# Unlike #two_factor_authentication_required?, this method does not consult
# #allow_2fa_bypass_for_provider, so it can name a reason for a session in
# which the requirement predicate returns false.
#
# @return [Symbol, false] :global, :admin_2fa or :group; false when no policy
#   applies
def two_factor_authentication_reason
  return :global if Gitlab::CurrentSettings.require_two_factor_authentication?
  return :admin_2fa if Gitlab::CurrentSettings.require_admin_two_factor_authentication && current_user&.admin?
  return :group if current_user&.require_two_factor_authentication_from_group?

  false
end

#two_factor_authentication_required? ⇒ Boolean

rubocop:disable Cop/UserAdmin – Admin mode does not matter when verifying two-factor status

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 18

# Decides whether any two-factor policy applies to the current user.
#
# Evaluation order matters: the session-level provider bypass is checked first
# and, when truthy, short-circuits every policy below it, including the
# instance-wide and administrator requirements.
#
# The policies, in order: the instance-wide setting, a group-imposed
# requirement on the user, and the administrator requirement.
#
# @return [Boolean, nil] false when bypassed; otherwise the first truthy policy
#   result, or the falsy result of the administrator check
def two_factor_authentication_required?
  return false if allow_2fa_bypass_for_provider

  settings = Gitlab::CurrentSettings
  required_globally = settings.require_two_factor_authentication?
  return required_globally if required_globally

  required_by_group = current_user&.require_two_factor_authentication_from_group?
  return required_by_group if required_by_group

  settings.require_admin_two_factor_authentication && current_user&.admin? # rubocop:disable Cop/UserAdmin -- It should be applied to any administrator user regardless of admin mode
end

#two_factor_grace_period ⇒ Object



# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 43

# Picks the grace period that applies to the current user.
#
# The instance-wide setting is the baseline. When a group imposes two-factor
# authentication on the user, the user's own grace period is compared with it
# and the smaller of the two is used, so the stricter deadline applies.
#
# The value is consumed as a number of hours by
# #two_factor_grace_period_expired?.
#
# @return [Object] the instance-wide period, or the minimum of it and the
#   user's period
def two_factor_grace_period
  instance_period = Gitlab::CurrentSettings.two_factor_grace_period
  return instance_period unless current_user&.require_two_factor_authentication_from_group?

  [instance_period, current_user.two_factor_grace_period].min
end

#two_factor_grace_period_expired? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/auth/two_factor_auth_verifier.rb', line 49

# Tells whether the user's grace period for enabling two-factor authentication
# has run out.
#
# The deadline is +otp_grace_period_started_at+ plus #two_factor_grace_period
# hours; the period has expired once that deadline is in the past.
#
# NOTE(review): a missing user or a missing +otp_grace_period_started_at+ is
# reported as "not expired", which keeps #two_factor_authentication_enforced?
# false for that user. Where the timestamp gets written is not visible in this
# file; confirm it is always populated once a requirement starts to apply.
#
# @return [Boolean] false when there is no start timestamp, otherwise whether
#   the deadline has passed
def two_factor_grace_period_expired?
  started_at = current_user&.otp_grace_period_started_at

  if started_at
    deadline = two_factor_grace_period.hours.since(started_at)
    deadline.past?
  else
    false
  end
end