User is asked to set up 2FA even if the subgroup that required 2FA is deleted
Summary
When a user is a member of a subgroup that had the 2FA requirement enabled, the user is still asked to set up 2FA after the subgroup is deleted, and the links to the (now missing) subgroup are absent from the message.
Support Findings
Brief
The user attribute `require_two_factor_authentication_from_group?` remains true when a subgroup the user is a member of is removed, even though that sub-group was the one enforcing 2FA.
Proposal
Post-group-destroy logic should re-evaluate the 2FA requirement for each affected user, because their `require_two_factor_authentication_from_group?` status may have changed after the group deletion.
Prevention
To prevent this issue from happening, before deleting a subgroup, uncheck this at the subgroup level:
Require all users in this group to setup two-factor authentication
Workaround
Workaround 1) To remove the sub-group enforcement for 2FA, uncheck this at the parent-group level:
Allow subgroups to set up their own two-factor authentication rules
Workaround 2) One of the customers got around the problem by having users remove their 2FA, reset password and then set up 2FA again.
Details
Code Investigation
When the sub-group is deleted, the user's attribute `require_two_factor_authentication_from_group?` remains true, even if no remaining group membership enforces 2FA after the deletion. When this condition occurs, the `show` method of `two_factor_auths_controller` executes:
https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L16
It shows the flash message when 2FA is required, but the user does not have it enabled: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L27
The `two_factor_authentication_reason` method is executed in this circumstance:
https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/concerns/enforces_two_factor_authentication.rb#L40-49
The `two_factor_authentication_required?` method returns true, because `require_two_factor_authentication_from_group?` is still true:
https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/lib/gitlab/auth/two_factor_auth_verifier.rb#L16-19
Then the `groups_notification` function is called with an empty `groups` object, because no existing group associated with the user enforces 2FA any more:
https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L231-237
The flash message shows incomplete sentences because the `groups` object is blank:
"The group settings for require you to enable Two-Factor Authentication for your account. You can . You need to do this before Sat, 18 Dec 2021 01:34:39 +0000."
The format string for the alert shows what should have been displayed: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L236
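As an added illustration (not GitLab's code), the following in-memory model shows the stale-flag mechanism traced above and the re-evaluation proposed in the Proposal section: a cached per-user flag named after `require_two_factor_authentication_from_group?` drives `two_factor_authentication_required?`, and `Group#destroy!` either leaves it stale (the reported bug) or recomputes it from the user's remaining memberships (the fix). The `User`, `Group`, `refresh_two_factor_requirement!` and `enforcing_group_names` names are assumptions for this example only.

```ruby
# Added illustration, not GitLab's code: an in-memory model of a cached
# per-user flag that goes stale when the enforcing subgroup is destroyed,
# next to the proposed fix of re-evaluating it after the destroy.
class User
  attr_reader :groups
  attr_accessor :require_two_factor_authentication_from_group
  def initialize
    @groups = []
    @require_two_factor_authentication_from_group = false
  end

  def two_factor_authentication_required? # the cached flag alone decides
    require_two_factor_authentication_from_group
  end

  # Recompute the flag from groups that still exist and still enforce 2FA.
  def refresh_two_factor_requirement!
    self.require_two_factor_authentication_from_group =
      groups.any?(&:require_two_factor_authentication)
  end

  # Names the flash message would interpolate; empty when the flag is stale.
  def enforcing_group_names
    groups.select(&:require_two_factor_authentication).map(&:name)
  end
end

class Group
  attr_reader :name, :members
  attr_accessor :require_two_factor_authentication
  def initialize(name, require_2fa: false)
    @name = name
    @require_two_factor_authentication = require_2fa
    @members = []
  end
  def add_member(user)
    members << user
    user.groups << self
    user.refresh_two_factor_requirement!
  end
  # reevaluate: false reproduces the bug (flag left stale); true is the proposed fix.
  def destroy!(reevaluate: true)
    members.each do |u|
      u.groups.delete(self)
      u.refresh_two_factor_requirement! if reevaluate
    end
    members.clear
  end
end
```

With `reevaluate: false` the user stays flagged as requiring 2FA while `enforcing_group_names` is already empty, which is exactly the state that produces the sentence fragments in the flash message.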
Steps to reproduce
- Set default deletion adjourned period to 0: Admin Area > Settings > General > Visibility and access controls > Default deletion delay = 0
- Create a new user.
- Log in with that user and create a group.
- Create a subgroup in that group.
- Enable 2FA for the subgroup (Settings > Permissions, LFS, 2FA > Require all users in this group to setup Two-factor authentication).
- Sign out.
- Delete the subgroup via the API or the UI using an admin user. (I deleted via API)
- Log in again with the user created in step 2. The user is asked to enable 2FA for a group that no longer exists. Notice that the alert message is missing the links to the subgroup: "The group settings for require you to enable Two-Factor Authentication for your account. You can . You need to do this before...."
What is the current bug behavior?
The user is asked to enable 2FA on a group that does not exist.
What is the expected correct behavior?
The user should be taken to the dashboard (home page) and not asked to enable 2FA.
Relevant logs and/or screenshots
Output of checks
This was found on GDK.
"version": "13.2.0-pre", "revision": "ead60430"
Possible workaround
- In Group Settings, deselect "Allow subgroups to set up their own two-factor authentication rules".
- Save.
- Select the option to turn back on.
- Double check or turn on in relevant subgroups.
Alternate workaround
Do the following, in order, for it to work on the parent group, because 2FA had already been disabled:
- uncheck "Allow subgroups to set up their own two-factor authentication rules" (we have done this)
- re-enable 2FA enforcement
- disable 2FA enforcement