From d11ae7b617d429b7867fc32b03959d259eb1f95f Mon Sep 17 00:00:00 2001
From: massej
Date: Mon, 23 Oct 2023 22:17:20 -0400
Subject: [PATCH 1/5] Added missing configuration variable OAUTH_ALLOW_BYPASS_TWO_FACTOR.
---
 README.md | 4 ++++
 assets/runtime/config/gitlabhq/gitlab.yml | 2 +-
 assets/runtime/env-defaults | 1 +
 assets/runtime/functions | 3 ++-
 contrib/docker-swarm/docker-compose.yml | 1 +
 5 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e7479d61..bb3ac5cc 100644
--- a/README.md
+++ b/README.md
@@ -2023,6 +2023,10 @@ Allow users with existing accounts to login and auto link their account via the
 Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
+##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR`
+
+Comma separated list of oauth providers where users can sign in without using two-factor authentication (2FA). Defaults to `[]`.
+
 ##### `OAUTH_CAS3_LABEL`
 The "Sign in with" button label. Defaults to "cas3".
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 35d4e4db..04a220cd 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -918,7 +918,7 @@ production: &base
 # This option should only be configured for providers which already have two factor.
 # This configration dose not apply to SAML.
 # (default: false)
- allow_bypass_two_factor: null
+ allow_bypass_two_factor: [{{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}]
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index fe49d61f..6f4e4a73 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -426,6 +426,7 @@ OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
 OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
+OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 9deaa2fc..8efd0a23 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -819,7 +819,8 @@ gitlab_configure_oauth() {
 OAUTH_AUTO_LINK_LDAP_USER \
 OAUTH_AUTO_LINK_SAML_USER \
 OAUTH_AUTO_LINK_USER \
- OAUTH_EXTERNAL_PROVIDERS
+ OAUTH_EXTERNAL_PROVIDERS \
+ OAUTH_ALLOW_BYPASS_TWO_FACTOR
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
 cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
index 38145e48..28512b69 100644
--- a/contrib/docker-swarm/docker-compose.yml
+++ b/contrib/docker-swarm/docker-compose.yml
@@ -99,6 +99,7 @@ services:
 - OAUTH_AUTO_LINK_LDAP_USER=false
 - OAUTH_AUTO_LINK_SAML_USER=false
 - OAUTH_EXTERNAL_PROVIDERS=
+ - OAUTH_ALLOW_BYPASS_TWO_FACTOR=
 - OAUTH_CAS3_LABEL=cas3
 - OAUTH_CAS3_SERVER=
From 6021919e32368ec9a78f1e742606f489b708dc04 Mon Sep 17 00:00:00 2001
From: massej
Date: Tue, 24 Oct 2023 08:21:28 -0400
Subject: [PATCH 2/5] Update docker-compose.yml
---
 contrib/docker-swarm/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
index 28512b69..9fa1f6d7 100644
--- a/contrib/docker-swarm/docker-compose.yml
+++ b/contrib/docker-swarm/docker-compose.yml
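Review bot: `OAUTH_ALLOW_BYPASS_TWO_FACTOR` is appended to the variable list without any check on its value, and since the template hunk in this series splices that value verbatim into `allow_bypass_two_factor:` in gitlab.yml, a typo such as `ture` or a bare `twitter` is written out as a YAML string whose effect on GitLab's 2FA enforcement is not visible from here. Because this setting loosens two-factor enforcement, I would fail fast rather than template an unexpected value, mirroring the `case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}` check that follows: `case "${OAUTH_ALLOW_BYPASS_TWO_FACTOR}" in true|false|\[*\]) ;; *) echo "ERROR: OAUTH_ALLOW_BYPASS_TWO_FACTOR must be true, false or a YAML list of providers" >&2; return 1 ;; esac`. How this file normally reports an invalid setting (return vs. exit) is outside the hunk, so adjust the failure branch to match. `gitlab_configure_oauth()` begins before the hunk and continues past it.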
@@ -99,7 +99,7 @@ services:
 - OAUTH_AUTO_LINK_LDAP_USER=false
 - OAUTH_AUTO_LINK_SAML_USER=false
 - OAUTH_EXTERNAL_PROVIDERS=
- - OAUTH_ALLOW_BYPASS_TWO_FACTOR=
+ - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false
 - OAUTH_CAS3_LABEL=cas3
 - OAUTH_CAS3_SERVER=
From 00011258590c681d853aa6e2505175d1bc005d53 Mon Sep 17 00:00:00 2001
From: massej
Date: Tue, 24 Oct 2023 08:22:08 -0400
Subject: [PATCH 3/5] Update env-defaults
---
 assets/runtime/env-defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 6f4e4a73..4c0a529f 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -426,7 +426,7 @@ OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
 OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
-OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-}
+OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
From 9500ad163bbb4f80b8695ed34e48173f71f85e56 Mon Sep 17 00:00:00 2001
From: massej
Date: Tue, 24 Oct 2023 08:23:00 -0400
Subject: [PATCH 4/5] Update README.md
Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bb3ac5cc..965e5a60 100644
--- a/README.md
+++ b/README.md
@@ -2025,7 +2025,7 @@ Comma separated list if oauth providers to disallow access to `internal` project
 ##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR`
-Comma separated list of oauth providers where users can sign in without using two-factor authentication (2FA). Defaults to `[]`.
+Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `["twitter", "google_oauth2"]`. Setting this to `true` or `false` applies to all - allow all or none. Defaults to `false`.
 ##### `OAUTH_CAS3_LABEL`
From e574613c9e130f6628f717f362288e82ce0e5ef7 Mon Sep 17 00:00:00 2001
From: massej
Date: Tue, 24 Oct 2023 08:23:11 -0400
Subject: [PATCH 5/5] Update assets/runtime/config/gitlabhq/gitlab.yml
Co-authored-by: Kazunori Kimura <33391846+kkimurak@users.noreply.github.com>
---
 assets/runtime/config/gitlabhq/gitlab.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 04a220cd..226ced2e 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -918,7 +918,7 @@ production: &base
 # This option should only be configured for providers which already have two factor.
 # This configration dose not apply to SAML.
 # (default: false)
- allow_bypass_two_factor: [{{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}]
+ allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use
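Review bot: The new `allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}` line now accepts `true`, which the README change in 4/5 documents as "allow all", while the unchanged comment two lines above restricts this option to providers which already have two factor; a blanket `true` lets a sign-in through any configured OmniAuth provider skip GitLab's own 2FA, including providers with no second factor of their own. The template should say so next to the key, e.g. add `# Prefer an explicit list such as [google_oauth2]; true disables the GitLab 2FA check for every provider configured below.` above the `# (default: false)` line. Dropping the brackets also changes what a valid value looks like: the value is spliced in as a bare YAML literal, so a comma-separated `twitter,google_oauth2` (the wording 1/5 used) now becomes a string rather than a list, and only `true`, `false` or the array form from the 4/5 README should be accepted. How GitLab treats any other value is not visible here, which is one more reason to reject it before it reaches the config.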