Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

app/assets/javascripts/authentication/mount_2fa.js

@@ -1,12 +1,12 @@
 import $ from 'jquery';
 import initU2F from './u2f';
 import U2FRegister from './u2f/register';
-import initWebauthn from './webauthn';
+import initWebauthnAuthentication from './webauthn';
 import WebAuthnRegister from './webauthn/register';
 
 export const mount2faAuthentication = () => {
   if (gon.webauthn) {
-    initWebauthn();
+    initWebauthnAuthentication();
   } else {
     initU2F();
   }

app/assets/javascripts/authentication/webauthn/components/registration.vue

@@ -0,0 +1,226 @@
+<script>
+import {
+  GlAlert,
+  GlButton,
+  GlForm,
+  GlFormInput,
+  GlFormGroup,
+  GlLink,
+  GlLoadingIcon,
+  GlSprintf,
+} from '@gitlab/ui';
+import {
+  I18N_BUTTON_REGISTER,
+  I18N_BUTTON_SETUP,
+  I18N_BUTTON_TRY_AGAIN,
+  I18N_DEVICE_NAME,
+  I18N_DEVICE_NAME_DESCRIPTION,
+  I18N_DEVICE_NAME_PLACEHOLDER,
+  I18N_ERROR_HTTP,
+  I18N_ERROR_UNSUPPORTED_BROWSER,
+  I18N_INFO_TEXT,
+  I18N_NOTICE,
+  I18N_PASSWORD,
+  I18N_PASSWORD_DESCRIPTION,
+  I18N_STATUS_SUCCESS,
+  I18N_STATUS_WAITING,
+  STATE_ERROR,
+  STATE_READY,
+  STATE_SUCCESS,
+  STATE_UNSUPPORTED,
+  STATE_WAITING,
+  WEBAUTHN_DOCUMENTATION_PATH,
+} from '~/authentication/webauthn/constants';
+import WebAuthnError from '~/authentication/webauthn/error';
+import {
+  FLOW_REGISTER,
+  convertCreateParams,
+  convertCreateResponse,
+  isHTTPS,
+  supported,
+} from '~/authentication/webauthn/util';
+import csrf from '~/lib/utils/csrf';
+
+export default {
+  name: 'WebAuthnRegistration',
+  components: {
+    GlAlert,
+    GlButton,
+    GlForm,
+    GlFormInput,
+    GlFormGroup,
+    GlLink,
+    GlLoadingIcon,
+    GlSprintf,
+  },
+  I18N_BUTTON_REGISTER,
+  I18N_BUTTON_SETUP,
+  I18N_BUTTON_TRY_AGAIN,
+  I18N_DEVICE_NAME,
+  I18N_DEVICE_NAME_DESCRIPTION,
+  I18N_DEVICE_NAME_PLACEHOLDER,
+  I18N_ERROR_HTTP,
+  I18N_ERROR_UNSUPPORTED_BROWSER,
+  I18N_INFO_TEXT,
+  I18N_NOTICE,
+  I18N_PASSWORD,
+  I18N_PASSWORD_DESCRIPTION,
+  I18N_STATUS_SUCCESS,
+  I18N_STATUS_WAITING,
+  STATE_ERROR,
+  STATE_READY,
+  STATE_SUCCESS,
+  STATE_UNSUPPORTED,
+  STATE_WAITING,
+  WEBAUTHN_DOCUMENTATION_PATH,
+  inject: ['initialError', 'passwordRequired', 'targetPath'],
+  data() {
+    return {
+      csrfToken: csrf.token,
+      form: { deviceName: '', password: '' },
+      state: STATE_UNSUPPORTED,
+      errorMessage: this.initialError,
+      credentials: null,
+    };
+  },
+  computed: {
+    disabled() {
+      const isEmptyDeviceName = this.form.deviceName.trim() === '';
+      const isEmptyPassword = this.form.password.trim() === '';
+
+      if (this.passwordRequired === false) {
+        return isEmptyDeviceName;
+      }
+
+      return isEmptyDeviceName || isEmptyPassword;
+    },
+  },
+  created() {
+    if (this.errorMessage) {
+      this.state = STATE_ERROR;
+      return;
+    }
+
+    if (isHTTPS() && supported()) {
+      this.state = STATE_READY;
+      return;
+    }
+
+    this.errorMessage = isHTTPS() ? I18N_ERROR_UNSUPPORTED_BROWSER : I18N_ERROR_HTTP;
+  },
+  methods: {
+    isCurrentState(state) {
+      return this.state === state;
+    },
+    async onRegister() {
+      this.state = STATE_WAITING;
+
+      try {
+        const credentials = await navigator.credentials.create({
+          publicKey: convertCreateParams(gon.webauthn.options),
+        });
+
+        this.credentials = JSON.stringify(convertCreateResponse(credentials));
+        this.state = STATE_SUCCESS;
+      } catch (error) {
+        this.errorMessage = new WebAuthnError(error, FLOW_REGISTER).message();
+        this.state = STATE_ERROR;
+      }
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <template v-if="isCurrentState($options.STATE_UNSUPPORTED)">
+      <gl-alert variant="danger" :dismissible="false">{{ errorMessage }}</gl-alert>
+    </template>
+
+    <template v-else-if="isCurrentState($options.STATE_READY)">
+      <div class="row">
+        <div class="col-md-5">
+          <gl-button variant="confirm" @click="onRegister">{{
+            $options.I18N_BUTTON_SETUP
+          }}</gl-button>
+        </div>
+        <div class="col-md-7">
+          <p>{{ $options.I18N_INFO_TEXT }}</p>
+        </div>
+      </div>
+    </template>
+
+    <template v-else-if="isCurrentState($options.STATE_WAITING)">
+      <gl-alert :dismissible="false">
+        {{ $options.I18N_STATUS_WAITING }}
+        <gl-loading-icon />
+      </gl-alert>
+    </template>
+
+    <template v-else-if="isCurrentState($options.STATE_SUCCESS)">
+      <p>{{ $options.I18N_STATUS_SUCCESS }}</p>
+      <gl-alert :dismissible="false" class="gl-mb-5">
+        <gl-sprintf :message="$options.I18N_NOTICE">
+          <template #link="{ content }">
+            <gl-link :href="$options.WEBAUTHN_DOCUMENTATION_PATH" target="_blank">{{
+              content
+            }}</gl-link>
+          </template>
+        </gl-sprintf>
+      </gl-alert>
+
+      <div class="row">
+        <gl-form method="post" :action="targetPath" class="col-md-9" data-testid="create-webauthn">
+          <gl-form-group
+            v-if="passwordRequired"
+            :description="$options.I18N_PASSWORD_DESCRIPTION"
+            :label="$options.I18N_PASSWORD"
+            label-for="webauthn-registration-current-password"
+          >
+            <gl-form-input
+              id="webauthn-registration-current-password"
+              v-model="form.password"
+              name="current_password"
+              type="password"
+              autocomplete="current-password"
+              data-testid="current-password-input"
+            />
+          </gl-form-group>
+
+          <gl-form-group
+            :description="$options.I18N_DEVICE_NAME_DESCRIPTION"
+            :label="$options.I18N_DEVICE_NAME"
+            label-for="device-name"
+          >
+            <gl-form-input
+              id="device-name"
+              v-model="form.deviceName"
+              name="device_registration[name]"
+              :placeholder="$options.I18N_DEVICE_NAME_PLACEHOLDER"
+              data-testid="device-name-input"
+            />
+          </gl-form-group>
+
+          <input type="hidden" name="device_registration[device_response]" :value="credentials" />
+          <input :value="csrfToken" type="hidden" name="authenticity_token" />
+
+          <gl-button type="submit" :disabled="disabled" variant="confirm">{{
+            $options.I18N_BUTTON_REGISTER
+          }}</gl-button>
+        </gl-form>
+      </div>
+    </template>
+
+    <template v-else-if="isCurrentState($options.STATE_ERROR)">
+      <gl-alert
+        variant="danger"
+        :dismissible="false"
+        class="gl-mb-5"
+        :secondary-button-text="$options.I18N_BUTTON_TRY_AGAIN"
+        @secondaryAction="onRegister"
+      >
+        {{ errorMessage }}
+      </gl-alert>
+    </template>
+  </div>
+</template>

app/assets/javascripts/authentication/webauthn/constants.js

@@ -0,0 +1,44 @@
+import { __ } from '~/locale';
+import { helpPagePath } from '~/helpers/help_page_helper';
+
+export const I18N_BUTTON_REGISTER = __('Register device');
+export const I18N_BUTTON_SETUP = __('Set up new device');
+export const I18N_BUTTON_TRY_AGAIN = __('Try again?');
+export const I18N_DEVICE_NAME = __('Device name');
+export const I18N_DEVICE_NAME_DESCRIPTION = __(
+  'Excluding USB security keys, you should include the browser name together with the device name.',
+);
+export const I18N_DEVICE_NAME_PLACEHOLDER = __('Macbook Touch ID on Edge');
+export const I18N_ERROR_HTTP = __(
+  'WebAuthn only works with HTTPS-enabled websites. Contact your administrator for more details.',
+);
+export const I18N_ERROR_UNSUPPORTED_BROWSER = __(
+  "Your browser doesn't support WebAuthn. Please use a supported browser, e.g. Chrome (67+) or Firefox (60+).",
+);
+export const I18N_INFO_TEXT = __(
+  'Your device needs to be set up. Plug it in (if needed) and click the button on the left.',
+);
+export const I18N_NOTICE = __(
+  'You must save your recovery codes after you first register a two-factor authenticator, so you do not lose access to your account. %{linkStart}See the documentation on managing your WebAuthn device for more information.%{linkEnd}',
+);
+export const I18N_PASSWORD = __('Current password');
+export const I18N_PASSWORD_DESCRIPTION = __(
+  'Your current password is required to register a new device.',
+);
+export const I18N_STATUS_SUCCESS = __(
+  'Your device was successfully set up! Give it a name and register it with the GitLab server.',
+);
+export const I18N_STATUS_WAITING = __(
+  'Trying to communicate with your device. Plug it in (if needed) and press the button on the device now.',
+);
+
+export const STATE_ERROR = 'error';
+export const STATE_READY = 'ready';
+export const STATE_SUCCESS = 'success';
+export const STATE_UNSUPPORTED = 'unsupported';
+export const STATE_WAITING = 'waiting';
+
+export const WEBAUTHN_DOCUMENTATION_PATH = helpPagePath(
+  'user/profile/account/two_factor_authentication',
+  { anchor: 'set-up-a-webauthn-device' },
+);

app/assets/javascripts/authentication/webauthn/index.js

@@ -1,5 +1,5 @@
 import $ from 'jquery';
-import WebAuthnAuthenticate from './authenticate';
+import WebAuthnAuthenticate from '~/authentication/webauthn/authenticate';
 
 export default () => {
   const webauthnAuthenticate = new WebAuthnAuthenticate(

app/assets/javascripts/authentication/webauthn/registration.js

@@ -0,0 +1,22 @@
+import Vue from 'vue';
+import WebAuthnRegistration from '~/authentication/webauthn/components/registration.vue';
+import { parseBoolean } from '~/lib/utils/common_utils';
+
+export const initWebAuthnRegistration = () => {
+  const el = document.querySelector('#js-device-registration');
+
+  if (!el) {
+    return null;
+  }
+
+  const { initialError, passwordRequired, targetPath } = el.dataset;
+
+  return new Vue({
+    el,
+    name: 'WebAuthnRegistrationRoot',
+    provide: { initialError, passwordRequired: parseBoolean(passwordRequired), targetPath },
+    render(h) {
+      return h(WebAuthnRegistration);
+    },
+  });
+};

app/assets/javascripts/pages/profiles/two_factor_auths/index.js

@@ -1,4 +1,5 @@
 import { mount2faRegistration } from '~/authentication/mount_2fa';
+import { initWebAuthnRegistration } from '~/authentication/webauthn/registration';
 import { initRecoveryCodes, initManageTwoFactorForm } from '~/authentication/two_factor_auth';
 import { parseBoolean } from '~/lib/utils/common_utils';
 
@@ -15,6 +16,7 @@ if (skippable) {
 }
 
 mount2faRegistration();
+initWebAuthnRegistration();
 
 initRecoveryCodes();
 

app/helpers/device_registration_helper.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module DeviceRegistrationHelper
+  def device_registration_data(current_password_required:, target_path:, webauthn_error:)
+    {
+      initial_error: webauthn_error && webauthn_error[:message],
+      target_path: target_path,
+      password_required: current_password_required.to_s
+    }
+  end
+end

app/models/oauth_access_token.rb

@@ -4,6 +4,8 @@ class OauthAccessToken < Doorkeeper::AccessToken
   belongs_to :resource_owner, class_name: 'User'
   belongs_to :application, class_name: 'Doorkeeper::Application'
 
+  validates :expires_in, presence: true
+
   alias_attribute :user, :resource_owner
 
   scope :latest_per_application, -> { select('distinct on(application_id) *').order(application_id: :desc, created_at: :desc) }