Allow password authentication to be disabled entirely

app/controllers/application_controller.rb

@@ -196,7 +196,7 @@ class ApplicationController < ActionController::Base
   end
   def check_password_expiration
-    return if session[:impersonator_id] || current_user&.ldap_user?
+    return if session[:impersonator_id] || !current_user&.allow_password_authentication?
     password_expires_at = current_user&.password_expires_at

app/controllers/invites_controller.rb

@@ -51,7 +51,7 @@ class InvitesController < ApplicationController
     return if current_user
     notice = "To accept this invitation, sign in"
-    notice << " or create an account" if current_application_settings.signup_enabled?
+    notice << " or create an account" if current_application_settings.allow_signup?
     notice << "."
     store_location_for :user, request.fullpath

app/controllers/omniauth_callbacks_controller.rb

@@ -140,7 +140,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
     message = "Signing in using your #{label} account without a pre-existing GitLab account is not allowed."
-    if current_application_settings.signup_enabled?
+    if current_application_settings.allow_signup?
       message << " Create a GitLab account first, and then connect it to your #{label} account."
     end

app/controllers/passwords_controller.rb

 class PasswordsController < Devise::PasswordsController
+  include Gitlab::CurrentSettings
+
   before_action :resource_from_email, only: [:create]
-  before_action :prevent_ldap_reset, only: [:create]
+  before_action :check_password_authentication_available, only: [:create]
   before_action :throttle_reset,      only: [:create]
   def edit
@@ -25,7 +27,7 @@ class PasswordsController < Devise::PasswordsController
   def update
     super do |resource|
-      if resource.valid? && resource.require_password_creation?
+      if resource.valid? && resource.password_automatically_set?
         resource.update_attribute(:password_automatically_set, false)
       end
     end
@@ -38,11 +40,15 @@ class PasswordsController < Devise::PasswordsController
     self.resource = resource_class.find_by_email(email)
   end
-  def prevent_ldap_reset
-    return unless resource&.ldap_user?
+  def check_password_authentication_available
+    if resource
+      return if resource.allow_password_authentication?
+    else
+      return if current_application_settings.password_authentication_enabled?
+    end
     redirect_to after_sending_reset_password_instructions_path_for(resource_name),
-      alert: "Cannot reset password for LDAP user."
+      alert: "Password authentication is unavailable."
   end
   def throttle_reset

app/controllers/profiles/passwords_controller.rb

@@ -77,7 +77,7 @@ class Profiles::PasswordsController < Profiles::ApplicationController
   end
   def authorize_change_password!
-    render_404 if @user.ldap_user?
+    render_404 unless @user.allow_password_authentication?
   end
   def user_params

app/controllers/sessions_controller.rb

@@ -63,7 +63,7 @@ class SessionsController < Devise::SessionsController
     user = User.admins.last
-    return unless user && user.require_password_creation?
+    return unless user && user.require_password_creation_for_web?
     Users::UpdateService.new(current_user, user: user).execute do |user|
       @token = user.generate_reset_token

app/helpers/application_settings_helper.rb

@@ -3,9 +3,9 @@ module ApplicationSettingsHelper
   include Gitlab::CurrentSettings
-  delegate  :gravatar_enabled?,
-            :signup_enabled?,
-            :password_authentication_enabled?,
+  delegate  :allow_signup?,
+            :gravatar_enabled?,
+            :password_authentication_enabled_for_web?,
             :akismet_enabled?,
             :koding_enabled?,
             to: :current_application_settings
@@ -203,7 +203,7 @@ module ApplicationSettingsHelper
       :metrics_port,
       :metrics_sample_interval,
       :metrics_timeout,
-      :password_authentication_enabled,
+      :password_authentication_enabled_for_web,
       :performance_bar_allowed_group_id,
       :performance_bar_enabled,
       :plantuml_enabled,

app/helpers/button_helper.rb

@@ -58,12 +58,12 @@ module ButtonHelper
   def http_clone_button(project, placement = 'right', append_link: true)
     klass = 'http-selector'
-    klass << ' has-tooltip' if current_user.try(:require_password_creation?) || current_user.try(:require_personal_access_token_creation_for_git_auth?)
+    klass << ' has-tooltip' if current_user.try(:require_extra_setup_for_git_auth?)
     protocol = gitlab_config.protocol.upcase
     tooltip_title =
-      if current_user.try(:require_password_creation?)
+      if current_user.try(:require_password_creation_for_git?)
         _("Set a password on your account to pull or push via %{protocol}.") % { protocol: protocol }
       else
         _("Create a personal access token on your account to pull or push via %{protocol}.") % { protocol: protocol }

app/helpers/projects_helper.rb

@@ -234,11 +234,11 @@ module ProjectsHelper
   def show_no_password_message?
     cookies[:hide_no_password_message].blank? && !current_user.hide_no_password &&
-      ( current_user.require_password_creation? || current_user.require_personal_access_token_creation_for_git_auth? )
+      current_user.require_extra_setup_for_git_auth?
   end
   def link_to_set_password
-    if current_user.require_password_creation?
+    if current_user.require_password_creation_for_git?
       link_to s_('SetPasswordToCloneLink|set a password'), edit_profile_password_path
     else
       link_to s_('CreateTokenToCloneLink|create a personal access token'), profile_personal_access_tokens_path

app/models/application_setting.rb

@@ -276,7 +276,8 @@ class ApplicationSetting < ActiveRecord::Base
       koding_url: nil,
       max_artifacts_size: Settings.artifacts['max_size'],
       max_attachment_size: Settings.gitlab['max_attachment_size'],
-      password_authentication_enabled: Settings.gitlab['password_authentication_enabled'],
+      password_authentication_enabled_for_web: Settings.gitlab['signin_enabled'],
+      password_authentication_enabled_for_git: true,
       performance_bar_allowed_group_id: nil,
       rsa_key_restriction: 0,
       plantuml_enabled: false,
@@ -474,6 +475,14 @@ class ApplicationSetting < ActiveRecord::Base
     has_attribute?(attr_name) ? public_send(attr_name) : FORBIDDEN_KEY_VALUE # rubocop:disable GitlabSecurity/PublicSend
   end
+  def allow_signup?
+    signup_enabled? && password_authentication_enabled_for_web?
+  end
+
+  def password_authentication_enabled?
+    password_authentication_enabled_for_web? || password_authentication_enabled_for_git?
+  end
+
   private
   def ensure_uuid!

app/models/user.rb

@@ -633,18 +633,34 @@ class User < ActiveRecord::Base
     count.zero? && Gitlab::ProtocolAccess.allowed?('ssh')
   end
-  def require_password_creation?
-    password_automatically_set? && allow_password_authentication?
+  def require_password_creation_for_web?
+    allow_password_authentication_for_web? && password_automatically_set?
+  end
+
+  def require_password_creation_for_git?
+    allow_password_authentication_for_git? && password_automatically_set?
   end
   def require_personal_access_token_creation_for_git_auth?
-    return false if current_application_settings.password_authentication_enabled? || ldap_user?
+    return false if allow_password_authentication_for_git? || ldap_user?
     PersonalAccessTokensFinder.new(user: self, impersonation: false, state: 'active').execute.none?
   end
+  def require_extra_setup_for_git_auth?
+    require_password_creation_for_git? || require_personal_access_token_creation_for_git_auth?
+  end
+
   def allow_password_authentication?
-    !ldap_user? && current_application_settings.password_authentication_enabled?
+    allow_password_authentication_for_web? || allow_password_authentication_for_git?
+  end
+
+  def allow_password_authentication_for_web?
+    current_application_settings.password_authentication_enabled_for_web? && !ldap_user?
+  end
+
+  def allow_password_authentication_for_git?
+    current_application_settings.password_authentication_enabled_for_git? && !ldap_user?
   end
   def can_change_username?

app/services/users/build_service.rb

@@ -34,7 +34,7 @@ module Users
     private
     def can_create_user?
-      (current_user.nil? && current_application_settings.signup_enabled?) || current_user&.admin?
+      (current_user.nil? && current_application_settings.allow_signup?) || current_user&.admin?
     end
     # Allowed params for creating a user (admins only)

app/views/admin/application_settings/_form.html.haml

@@ -160,9 +160,22 @@
     .form-group
       .col-sm-offset-2.col-sm-10
         .checkbox
-          = f.label :password_authentication_enabled do
-            = f.check_box :password_authentication_enabled
-            Sign-in enabled
+          = f.label :password_authentication_enabled_for_web do
+            = f.check_box :password_authentication_enabled_for_web
+            Password authentication enabled for web interface
+            .help-block
+              When disabled, an external authentication provider must be used.
+    .form-group
+      .col-sm-offset-2.col-sm-10
+        .checkbox
+          = f.label :password_authentication_enabled_for_git do
+            = f.check_box :password_authentication_enabled_for_git
+            Password authentication enabled for Git over HTTP(S)
+            .help-block
+              When disabled, a Personal Access Token
+              - if Gitlab::LDAP::Config.enabled?
+                or LDAP password
+              must be used to authenticate.
     - if omniauth_enabled? && button_based_providers.any?
       .form-group
         = f.label :enabled_oauth_sign_in_sources, 'Enabled OAuth sign-in sources', class: 'control-label col-sm-2'

app/views/admin/dashboard/index.html.haml

@@ -45,10 +45,10 @@
           .well-segment.admin-well.admin-well-features
             %h4 Features
             - sign_up = "Sign up"
-            %p{ "aria-label" => "#{sign_up}: status " + (signup_enabled? ? "on" : "off") }
+            %p{ "aria-label" => "#{sign_up}: status " + (allow_signup? ? "on" : "off") }
               = sign_up
               %span.light.pull-right
-                = boolean_to_icon signup_enabled?
+                = boolean_to_icon allow_signup?
             - ldap = "LDAP"
             %p{ "aria-label" => "#{ldap}: status " + (Gitlab.config.ldap.enabled ? "on" : "off") }
               = ldap

app/views/devise/sessions/new.html.haml

@@ -6,15 +6,15 @@
   - else
     = render 'devise/shared/tabs_normal'
   .tab-content
-    - if password_authentication_enabled? || ldap_enabled? || crowd_enabled?
+    - if password_authentication_enabled_for_web? || ldap_enabled? || crowd_enabled?
       = render 'devise/shared/signin_box'
     -# Signup only makes sense if you can also sign-in
-    - if password_authentication_enabled? && signup_enabled?
+    - if allow_signup?
       = render 'devise/shared/signup_box'
   -# Show a message if none of the mechanisms above are enabled
-  - if !password_authentication_enabled? && !ldap_enabled? && !(omniauth_enabled? && devise_mapping.omniauthable?)
+  - if !password_authentication_enabled_for_web? && !ldap_enabled? && !(omniauth_enabled? && devise_mapping.omniauthable?)
     %div
       No authentication methods configured.

app/views/devise/shared/_links.erb

@@ -2,7 +2,7 @@
   <%= link_to "Sign in", new_session_path(resource_name), class: "btn" %><br />
 <% end -%>
-<%- if devise_mapping.registerable? && controller_name != 'registrations' && gitlab_config.signup_enabled %>
+<%- if devise_mapping.registerable? && controller_name != 'registrations' && allow_signup? %>
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
 <% end -%>

app/views/devise/shared/_signin_box.html.haml

@@ -7,12 +7,12 @@
     .login-box.tab-pane{ id: "#{server['provider_name']}", role: 'tabpanel', class: active_when(i.zero? && !crowd_enabled?) }
       .login-body
         = render 'devise/sessions/new_ldap', server: server
-  - if password_authentication_enabled?
+  - if password_authentication_enabled_for_web?
     .login-box.tab-pane{ id: 'ldap-standard', role: 'tabpanel' }
       .login-body
         = render 'devise/sessions/new_base'
-- elsif password_authentication_enabled?
+- elsif password_authentication_enabled_for_web?
   .login-box.tab-pane.active{ id: 'login-pane', role: 'tabpanel' }
     .login-body
       = render 'devise/sessions/new_base'

app/views/devise/shared/_tabs_ldap.html.haml

@@ -5,9 +5,9 @@
   - @ldap_servers.each_with_index do |server, i|
     %li{ class: active_when(i.zero? && !crowd_enabled?) }
       = link_to server['label'], "##{server['provider_name']}",  'data-toggle' => 'tab'
-  - if password_authentication_enabled?
+  - if password_authentication_enabled_for_web?
     %li
       = link_to 'Standard', '#ldap-standard', 'data-toggle' => 'tab'
-  - if password_authentication_enabled? && signup_enabled?
+  - if allow_signup?
     %li
       = link_to 'Register', '#register-pane', 'data-toggle' => 'tab'

app/views/devise/shared/_tabs_normal.html.haml

 %ul.nav-links.new-session-tabs.nav-tabs{ role: 'tablist' }
   %li.active{ role: 'presentation' }
     %a{ href: '#login-pane', data: { toggle: 'tab' }, role: 'tab' } Sign in
-  - if password_authentication_enabled? && signup_enabled?
+  - if allow_signup?
     %li{ role: 'presentation' }
       %a{ href: '#register-pane', data: { toggle: 'tab' }, role: 'tab' } Register

app/views/layouts/nav/sidebar/_profile.html.haml

@@ -73,7 +73,7 @@
             = link_to profile_emails_path do
               %strong.fly-out-top-item-name
                 #{ _('Emails') }
-      - unless current_user.ldap_user?
+      - if current_user.allow_password_authentication?
         = nav_link(controller: :passwords) do
           = link_to edit_profile_password_path do
             .nav-icon-container