feat: support omniauth for admin mode

Review changes
Download
Patches
Plain diff

Diego Louzán requested to merge siemens/gitlab:feat/support-omniauth-for-admin-mode into master Oct 07, 2019

Overview 175
Commits 48
Pipelines 58
Changes 28

What does this MR do?

Building on top of !16981 (merged), enable re-authentication for OmniAuth providers (see screenshots below).

To be able to support the OmniAuth flow:

Adds a new admin mode requested session field that is used to divide the flow in a first request admin mode step, and then the actual enable admin mode step
Allow non-web authentication flows to ignore the first step by providing a flag skip_request: to CurrentUserMode#enable_admin_mode! (default false)
Move current_user_mode helper in controllers to its own concern for code reuse
Add a new User#matches_identity? method to make sure that the user making the second OmniAuth authentication for admin mode is the same user that requested it originally

Protecting the admin session endpoints by adding them to the default ruleset of rack-attack is tracked independently in #36872 (closed)

Check approach with Gitlab's chaps
Improve UI
- hide password-form when user has no password in Gitlab, only external
- add notification message when grace period for admin mode enable expires
Add specs for omniauth_callbacks_controller_spec.rb
Hide everything behind feature flag
Review new code paths and add extra specs
Ensure that it works in other auth cases (ldap? oauth?)

Related #31326 (closed)

Security review #34190 (closed)

The development of this MR is sponsored by Siemens (/cc @bufferoverflow)

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Changelog entry
Documentation created/updated or follow-up review issue created
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Performance and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Oct 29, 2021 by 🤖 GitLab Bot 🤖

Merge request reports

Assignee

Reviewers

Request review from

Time tracking