Fixed codestyle and added 2FA documentation
parent
6e3fb5024a
commit
1249289f89
@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base
|
||||||
before_action :validate_user_service_ticket!
|
before_action :validate_user_service_ticket!
|
||||||
before_action :reject_blocked!
|
before_action :reject_blocked!
|
||||||
before_action :check_password_expiration
|
before_action :check_password_expiration
|
||||||
before_action :check_tfa_requirement
|
before_action :check_2fa_requirement
|
||||||
before_action :ldap_security_check
|
before_action :ldap_security_check
|
||||||
before_action :default_headers
|
before_action :default_headers
|
||||||
before_action :add_gon_variables
|
before_action :add_gon_variables
|
||||||
|
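Review bot: the rename from check_tfa_requirement to check_2fa_requirement in the before_action list changes a callback name that other controllers opt out of with skip_before_action, so it is a behaviour-sensitive change rather than a pure style fix; besides Profiles::TwoFactorAuthsController (updated below), grep for any remaining `skip_before_action :check_tfa_requirement` before merging, since a stale skip would leave the 2FA redirect active on that controller.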
@ -224,7 +224,7 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_tfa_requirement
|
def check_2fa_requirement
|
||||||
if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor?
|
if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled && !skip_two_factor?
|
||||||
redirect_to new_profile_two_factor_auth_path
|
redirect_to new_profile_two_factor_auth_path
|
||||||
end
|
end
|
||||||
|
|
|
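Review bot: the body of check_2fa_requirement is unchanged apart from the rename, and the bare `redirect_to new_profile_two_factor_auth_path` carries no flash message, so a user whose admin has just switched on enforcement lands on the 2FA setup page with no explanation of why; consider passing a short `alert:`/`notice:` with the redirect. No explicit `return` is needed after it, since a redirect inside a before_action already halts the callback chain.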
@ -1,13 +1,15 @@
|
||||||
class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
|
class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
|
||||||
skip_before_action :check_tfa_requirement
|
skip_before_action :check_2fa_requirement
|
||||||
|
|
||||||
def new
|
def new
|
||||||
unless current_user.otp_secret
|
unless current_user.otp_secret
|
||||||
current_user.otp_secret = User.generate_otp_secret(32)
|
current_user.otp_secret = User.generate_otp_secret(32)
|
||||||
end
|
end
|
||||||
|
|
||||||
unless current_user.otp_grace_period_started_at && two_factor_grace_period
|
unless current_user.otp_grace_period_started_at && two_factor_grace_period
|
||||||
current_user.otp_grace_period_started_at = Time.current
|
current_user.otp_grace_period_started_at = Time.current
|
||||||
end
|
end
|
||||||
|
|
||||||
current_user.save! if current_user.changed?
|
current_user.save! if current_user.changed?
|
||||||
|
|
||||||
if two_factor_grace_period_expired?
|
if two_factor_grace_period_expired?
|
||||||
|
|
|
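Review bot: in `new`, the condition `unless current_user.otp_grace_period_started_at && two_factor_grace_period` resets the grace-period start timestamp on every visit whenever two_factor_grace_period is nil or false, which would keep moving the deadline; an integer 0 is truthy in Ruby, so the documented "grace period 0" case is unaffected, but the extra conjunct adds nothing useful and the intent is clearer as `unless current_user.otp_grace_period_started_at`. Note also that the secret from `User.generate_otp_secret(32)` is persisted by `current_user.save!` before the user has confirmed a code, so it must be treated as provisional until two_factor_enabled is set.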
@ -6,3 +6,4 @@
|
||||||
- [Information exclusivity](information_exclusivity.md)
|
- [Information exclusivity](information_exclusivity.md)
|
||||||
- [Reset your root password](reset_root_password.md)
|
- [Reset your root password](reset_root_password.md)
|
||||||
- [User File Uploads](user_file_uploads.md)
|
- [User File Uploads](user_file_uploads.md)
|
||||||
|
- [Enforce Two-Factor authentication](two_factor_authentication.md)
|
||||||
|
|
|
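Review bot: the new index entry's link text "Enforce Two-Factor authentication" matches neither the heading of the page it points to ("Enforce Two-factor Authentication (2FA)") nor the capitalisation of the neighbouring entries; use the page title as the link text.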
@ -0,0 +1,38 @@
|
||||||
|
# Enforce Two-factor Authentication (2FA)
|
||||||
|
|
||||||
|
Two-factor Authentication (2FA) provides an additional level of security to your
|
||||||
|
users' GitLab account. Once enabled, in addition to supplying their username and
|
||||||
|
password to login, they'll be prompted for a code generated by an application on
|
||||||
|
their phone.
|
||||||
|
|
||||||
|
You can read more about it here:
|
||||||
|
[Two-factor Authentication (2FA)](doc/profile/two_factor_authentication.md)
|
||||||
|
|
||||||
|
## Enabling 2FA
|
||||||
|
|
||||||
|
Users on GitLab, can enable it without any admin's intervention. If you want to
|
||||||
|
enforce everyone to setup 2FA, you can choose from two different ways:
|
||||||
|
|
||||||
|
1. Enforce on next login
|
||||||
|
2. Suggest on next login, but allow a grace period before enforcing.
|
||||||
|
|
||||||
|
In the Admin area under **Settings** (`/admin/application_settings`), look for
|
||||||
|
the "Sign-in Restrictions" area, where you can configure both.
|
||||||
|
|
||||||
|
If you want 2FA enforcement to take effect on next login, change the grace
|
||||||
|
period to `0`
|
||||||
|
|
||||||
|
## Disabling 2FA for everyone
|
||||||
|
|
||||||
|
There may be some special situations where you want to disable 2FA for everyone
|
||||||
|
even when forced 2FA is disabled. There is a rake task for that:
|
||||||
|
|
||||||
|
```
|
||||||
|
# use this command if you've installed GitLab with the Omnibus package
|
||||||
|
sudo gitlab-rake gitlab:two_factor:disable_for_all_users
|
||||||
|
|
||||||
|
# if you've installed GitLab from source
|
||||||
|
sudo -u git -H bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
|
||||||
|
```
|
||||||
|
|
||||||
|
**IMPORTANT: this is a permanent and irreversible action. Users will have to reactivate 2FA from scratch if they want to use it again.**
|
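Review bot: the link `[Two-factor Authentication (2FA)](doc/profile/two_factor_authentication.md)` is written from the repository root, so it only resolves if the page is rendered from there; the index hunk above links its siblings by bare filename, so `../profile/two_factor_authentication.md` is the consistent form, assuming the new file sits beside that index. Also in this hunk: "even when forced 2FA is disabled" under "Disabling 2FA for everyone" reads as a contradiction and presumably means "even when enforcement is not turned on" (users who enabled 2FA voluntarily); "Users on GitLab, can enable it" has a stray comma and "enforce everyone to setup 2FA" should read "require everyone to set up 2FA"; "your users' GitLab account" should be plural; the sentence ending "change the grace period to `0`" is missing its full stop; and the rake-task fence should be tagged (```shell) so it renders with highlighting. The IMPORTANT warning is worth keeping; consider stating what user data the task clears so admins understand why it cannot be undone.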