User is asked to set up 2FA even if the subgroup that required 2FA is deleted


Summary

When a user is a member of a subgroup that had the 2FA requirement enabled, the user is still asked to set up 2FA after that subgroup is deleted, and the links to the (now deleted) subgroup are missing from the message.

Support Findings

Brief

The user attribute require_two_factor_authentication_from_group? remains true after a subgroup that the user is a member of, and that enforced 2FA, is removed.

Proposal

Post-group-destroy logic should re-evaluate the user's 2FA requirement, because their require_two_factor_authentication_from_group? status may have changed after the group deletion.

Prevention

To prevent this issue, before deleting a subgroup, uncheck this setting at the subgroup level:

Require all users in this group to setup two-factor authentication

Workaround

Workaround 1) To remove the subgroup's enforcement of 2FA, uncheck this at the parent-group level: Allow subgroups to set up their own two-factor authentication rules

Workaround 2) One customer got around the problem by having users remove their 2FA, reset their password and then set up 2FA again.

Details

Code Investigation

When the subgroup is deleted, the user's attribute `require_two_factor_authentication_from_group?` remains true, even though no remaining group membership enforces 2FA after the deletion.

When this condition occurs, the show method of two_factor_auths_controller runs. https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L16

It shows the flash message when 2FA is required but the user does not have it enabled: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L27

The two_factor_authentication_reason method is called in this case. https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/concerns/enforces_two_factor_authentication.rb#L40-49

The two_factor_authentication_required? method returns true, because require_two_factor_authentication_from_group? is still true. https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/lib/gitlab/auth/two_factor_auth_verifier.rb#L16-19

Then groups_notification is called with an empty groups collection, because the user no longer belongs to any group that enforces 2FA: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L231-237

The flash message contains incomplete sentences because the groups collection is blank:

The group settings for require you to enable Two-Factor Authentication for your account. You can . You need to do this before Sat, 18 Dec 2021 01:34:39 +0000.

The format string for the alert shows what should have been displayed: https://gitlab.com/gitlab-org/gitlab/-/blob/v14.5.2-ee/app/controllers/profiles/two_factor_auths_controller.rb#L236
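The following is an added example, not GitLab's code, that models the flow traced above together with the post-destroy re-evaluation asked for under Proposal. The Group, User, destroy_group, two_factor_required? and reproduce names are hypothetical stand-ins; only the attribute name require_two_factor_authentication_from_group and the shape of the groups_notification message are taken from the report. Running it with the hook disabled reproduces the stale flag and the truncated message; with the hook enabled the flag is cleared and no prompt is produced.

```ruby
# Added example, not GitLab's implementation: a toy model of the flow traced
# in this issue. Group, User, destroy_group, groups_notification,
# two_factor_required? and reproduce are hypothetical stand-ins (assumptions)
# chosen to mirror the attribute and message names quoted in the report.

# A group that may enforce 2FA on its members; `deleted` models destruction.
Group = Struct.new(:id, :name, :require_two_factor_authentication, :deleted) do
  def enforces_2fa?
    require_two_factor_authentication && !deleted
  end
end

class User
  attr_reader :name, :memberships
  # Cached flag, analogous to require_two_factor_authentication_from_group?
  # in the report. It only changes when refresh_two_factor_requirement! runs,
  # which is exactly what the bug (and the proposed fix) hinge on.
  attr_accessor :require_two_factor_authentication_from_group

  def initialize(name)
    @name = name
    @memberships = []
    @require_two_factor_authentication_from_group = false
  end

  def join(group)
    @memberships << group
    refresh_two_factor_requirement!
  end

  # Groups the user still belongs to that currently enforce 2FA.
  def enforcing_groups
    @memberships.select(&:enforces_2fa?)
  end

  # The re-evaluation the Proposal asks for after a group is destroyed.
  def refresh_two_factor_requirement!
    self.require_two_factor_authentication_from_group = enforcing_groups.any?
  end
end

# Models group destruction. With rerun_post_destroy: false the members'
# cached flag is left untouched (the reported behaviour); with true, each
# member's flag is recomputed in a post-destroy hook (the proposal).
def destroy_group(group, members, rerun_post_destroy:)
  group.deleted = true
  members.each(&:refresh_two_factor_requirement!) if rerun_post_destroy
end

# Mirrors the shape of the groups_notification message: when `groups` is
# empty every interpolated fragment becomes "", yielding the truncated
# "The group settings for  require you to ... You can ." text in the report.
def groups_notification(groups)
  names = groups.map(&:name).join(", ")
  links = groups.map { |g| "leave #{g.name}" }.join(" or ")
  "The group settings for #{names} require you to enable Two-Factor " \
    "Authentication for your account. You can #{links}."
end

# Defensive check for the controller path: a 2FA prompt is only justified
# when the cached flag AND a live enforcing membership both say so.
def two_factor_required?(user)
  user.require_two_factor_authentication_from_group && user.enforcing_groups.any?
end

# Replays the reproduction steps: a parent group, a 2FA-enforcing subgroup,
# a user who joins both, and then destruction of the subgroup.
def reproduce(fix_enabled:)
  parent = Group.new(1, "parent", false, false)
  sub = Group.new(2, "parent/sub", true, false)
  user = User.new("alice")
  user.join(parent)
  user.join(sub)
  destroy_group(sub, [user], rerun_post_destroy: fix_enabled)

  cached = user.require_two_factor_authentication_from_group
  {
    cached_flag: cached,
    enforcing_groups: user.enforcing_groups.map(&:name),
    # What a controller that trusts the cached flag alone would flash.
    message_from_flag: cached ? groups_notification(user.enforcing_groups) : nil,
    # What the defensive check yields instead.
    required_with_guard: two_factor_required?(user)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts reproduce(fix_enabled: false).inspect
  puts reproduce(fix_enabled: true).inspect
end
```

The two_factor_required? guard is belt-and-braces: the real fix is the post-destroy refresh, but the controller should still not prompt (or render a message with blank interpolations) when the live membership list is empty, whatever the cached flag says.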

Steps to reproduce

  1. Set the default deletion adjourned period to 0: Admin Area > Settings > General > Visibility and access controls > Default deletion delay = 0
  2. Create a new user.
  3. Log in with that user and create a group.
  4. Create a subgroup in that group.
  5. Enable 2FA for the subgroup (Settings > Permissions, LFS, 2FA > Require all users in this group to setup Two-factor authentication)
  6. Sign out.
  7. Delete the subgroup via the API or the UI using an admin user. (I deleted via API)
  8. Log in again with the user created in step 2. The user is asked to enable 2FA for a group that no longer exists. Notice that the links to the subgroup are missing from the alert message: "The group settings for require you to enable Two-Factor Authentication for your account. You can . You need to do this before...."

What is the current bug behavior?

The user is asked to enable 2FA for a group that no longer exists.

What is the expected correct behavior?

The user should be taken to the dashboard (home page) and not asked to enable 2FA.

Relevant logs and/or screenshots

Screenshot_2020-06-26_12.45.20

Output of checks


This was found on GDK.

"version": "13.2.0-pre", "revision": "ead60430"

Possible workaround

  1. In Group Settings, deselect Allow subgroups to set up their own two-factor authentication rules.
  2. Save.
  3. Select the option again to turn it back on.
  4. Double-check, or turn it on, in the relevant subgroups.

Alternate workaround

Do the following, in order, for it to work on the parent group, because 2FA had already been disabled:

  1. Uncheck Allow subgroups to set up their own two-factor authentication rules (we have done this)
  2. Re-enable 2FA enforcement
  3. Disable 2FA enforcement