Adds a new "UI and gem signin" mfa_level to allow API Keys to skip MF…

…A check

Fixes rubygems#2500

app/models/user.rb

@@ -54,7 +54,7 @@ class User < ApplicationRecord
     unless: :skip_password_validation?
   validate :unconfirmed_email_uniqueness
 
-  enum mfa_level: { disabled: 0, ui_only: 1, ui_and_api: 2 }, _prefix: :mfa
+  enum mfa_level: { disabled: 0, ui_only: 1, ui_and_api: 2, ui_and_gem_signin: 3 }, _prefix: :mfa
 
   def self.authenticate(who, password)
     user = find_by(email: who.downcase) || find_by(handle: who)

app/views/settings/edit.html.erb

@@ -8,6 +8,7 @@
       <%= label_tag :level, t(".mfa.level.title"), class: "form__label" %>
       <%= select_tag :level, options_for_select([
         [t(".mfa.level.ui_and_api"), "ui_and_api"],
+        [t(".mfa.level.ui_and_gem_signin"), "ui_and_gem_signin"],
         [t(".mfa.level.ui_only"), "ui_only"],
         [t(".mfa.level.disabled"), "disabled"]], @user.mfa_level), class: "form__input form__select" %>
       <div class="text_field">

config/locales/de.yml

@@ -305,6 +305,7 @@ de:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/en.yml

@@ -340,6 +340,7 @@ en:
           disabled: Disabled
           ui_only: UI Only
           ui_and_api: UI and API
+          ui_and_gem_signin: UI and gem signin
   profiles:
     edit:
       change_avatar: Change Avatar

config/locales/es.yml

@@ -313,6 +313,7 @@ es:
           disabled: Desactivada
           ui_only: Solo Interfaz de Usuario
           ui_and_api: Interfaz de Usuario y API
+          ui_and_gem_signin: Interfaz de Usario y gem signin
   profiles:
     edit:
       change_avatar:

config/locales/fr.yml

@@ -305,6 +305,7 @@ fr:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/ja.yml

@@ -305,6 +305,7 @@ ja:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/nl.yml

@@ -305,6 +305,7 @@ nl:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/pt-BR.yml

@@ -305,6 +305,7 @@ pt-BR:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/zh-CN.yml

@@ -305,6 +305,7 @@ zh-CN:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

config/locales/zh-TW.yml

@@ -330,6 +330,7 @@ zh-TW:
           disabled:
           ui_only:
           ui_and_api:
+          ui_and_gem_signin:
   profiles:
     edit:
       change_avatar:

test/functional/api/v1/rubygems_controller_test.rb

@@ -235,6 +235,30 @@ def self.should_respond_to(format)
       end
     end
 
+    context "When mfa for UI and gem signin is enabled" do
+      setup do
+        @user.enable_mfa!(ROTP::Base32.random_base32, :ui_and_gem_signin)
+      end
+
+      context "On POST to create for new gem" do
+        setup do
+          post :create, body: gem_file.read
+        end
+        should respond_with :success
+        should "register new gem" do
+          assert_equal 1, Rubygem.count
+          assert_equal @user, Rubygem.last.versions.first.pusher
+          assert_equal "Successfully registered gem: test (0.0.0)", @response.body
+        end
+        should "add user as confirmed owner" do
+          ownership = Rubygem.last.ownerships.first
+
+          assert_equal @user, ownership.user
+          assert ownership.confirmed?
+        end
+      end
+    end
+
     context "On POST to create for new gem" do
       setup do
         post :create, body: gem_file.read
@@ -300,13 +324,13 @@ def self.should_respond_to(format)
 
         @date = 1.year.ago
         @version = create(:version,
-          rubygem: rubygem,
-          number: "0.0.0",
-          updated_at: @date,
-          created_at: @date,
-          summary: "Freewill",
-          authors: ["Geddy Lee"],
-          built_at: @date)
+                          rubygem: rubygem,
+                          number: "0.0.0",
+                          updated_at: @date,
+                          created_at: @date,
+                          summary: "Freewill",
+                          authors: ["Geddy Lee"],
+                          built_at: @date)
 
         post :create, body: gem_file.read
       end
@@ -377,13 +401,13 @@ def self.should_respond_to(format)
       setup do
         rubygem = create(:rubygem, name: "test")
         create(:ownership,
-          rubygem: rubygem,
-          user: @user)
+               rubygem: rubygem,
+               user: @user)
         create(:version,
-          rubygem: rubygem,
-          number: "0.0.0",
-          updated_at: 1.year.ago,
-          created_at: 1.year.ago)
+               rubygem: rubygem,
+               number: "0.0.0",
+               updated_at: 1.year.ago,
+               created_at: 1.year.ago)
       end
       should "POST to create for existing gem should not fail" do
         requires_toxiproxy
@@ -407,7 +431,7 @@ def self.should_respond_to(format)
       should "deny access" do
         assert_response 401
         assert_equal "Access Denied. Please sign up for an account at https://rubygems.org",
-          @response.body
+                     @response.body
       end
     end
 
@@ -450,12 +474,12 @@ def self.should_respond_to(format)
 
   context "on GET to reverse_dependencies" do
     setup do
-      @dependency   = create(:rubygem)
-      @gem_one      = create(:rubygem)
-      @gem_two      = create(:rubygem)
-      @gem_three    = create(:rubygem)
-      version_one   = create(:version, rubygem: @gem_one)
-      version_two   = create(:version, rubygem: @gem_two)
+      @dependency = create(:rubygem)
+      @gem_one = create(:rubygem)
+      @gem_two = create(:rubygem)
+      @gem_three = create(:rubygem)
+      version_one = create(:version, rubygem: @gem_one)
+      version_two = create(:version, rubygem: @gem_two)
       version_three = create(:version, rubygem: @gem_three)
 
       create(:dependency, :runtime, version: version_one, rubygem: @dependency)
@@ -477,9 +501,9 @@ def self.should_respond_to(format)
     context "with only=development" do
       should "only return names of reverse development dependencies" do
         get :reverse_dependencies,
-          params: { id: @dependency.to_param,
-                    only: "development",
-                    format: "json" }
+            params: { id: @dependency.to_param,
+                      only: "development",
+                      format: "json" }
 
         gems = JSON.load(@response.body)
 
@@ -492,9 +516,9 @@ def self.should_respond_to(format)
     context "with only=runtime" do
       should "only return names of reverse development dependencies" do
         get :reverse_dependencies,
-          params: { id: @dependency.to_param,
-                    only: "runtime",
-                    format: "json" }
+            params: { id: @dependency.to_param,
+                      only: "runtime",
+                      format: "json" }
 
         gems = JSON.load(@response.body)
 

test/functional/multifactor_auths_controller_test.rb

@@ -99,6 +99,18 @@ class MultifactorAuthsControllerTest < ActionController::TestCase
             assert @user.reload.mfa_ui_and_api?
           end
         end
+
+        context "on updating to ui_and_gem_signin" do
+          setup do
+            put :update, params: { otp: ROTP::TOTP.new(@user.mfa_seed).now, level: "ui_and_gem_signin" }
+          end
+
+          should respond_with :redirect
+          should redirect_to("the settings page") { edit_settings_path }
+          should "update make mfa level to mfa_ui_and_gem_signin now" do
+            assert @user.reload.mfa_ui_and_gem_signin?
+          end
+        end
       end
     end