Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee

5 files changed, 69 insertions, 3 deletions

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 59978962b1d..46b69214877 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -69,7 +69,7 @@ module API
           deploy_token_from_request ||
             find_user_from_bearer_token ||
             find_user_from_job_token ||
-            find_user_from_warden
+            user_from_warden
         end
       end
 
@@ -103,6 +103,25 @@ module API
       def user_allowed_or_deploy_token?(user)
         Gitlab::UserAccess.new(user).allowed? || user.is_a?(DeployToken)
       end
+
+      def user_from_warden
+        user = find_user_from_warden
+
+        return unless user
+        return if two_factor_required_but_not_setup?(user)
+
+        user
+      end
+
+      def two_factor_required_but_not_setup?(user)
+        verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(user)
+
+        if verifier.two_factor_authentication_required? && verifier.current_user_needs_to_setup_two_factor?
+          verifier.two_factor_grace_period_expired?
+        else
+          false
+        end
+      end
     end
 
     class_methods do
diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index ed963476524..4eeec534fc0 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -25,11 +25,13 @@ module Gitlab
           project_repositories_archive: { threshold: 5, interval: 1.minute },
           project_generate_new_export:  { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
           project_import:               { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
+          project_testing_hook:         { threshold: 5, interval: 1.minute },
           play_pipeline_schedule:       { threshold: 1, interval: 1.minute },
           show_raw_controller:          { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
           group_export:                 { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
           group_download_export:        { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
-          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }
+          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
+          group_testing_hook:           { threshold: 5, interval: 1.minute }
         }.freeze
       end
 
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 332d0bc1478..0c6ed6924bf 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -222,6 +222,8 @@ module Gitlab
 
         # Registry access (with jwt) does not have access to project
         return if project && !token.has_access_to?(project)
+        # When repository is disabled, no resources are accessible via Deploy Token
+        return if project&.repository_access_level == ::ProjectFeature::DISABLED
 
         scopes = abilities_for_scopes(token.scopes)
 
diff --git a/lib/gitlab/auth/two_factor_auth_verifier.rb b/lib/gitlab/auth/two_factor_auth_verifier.rb
new file mode 100644
index 00000000000..86552ef1267
--- /dev/null
+++ b/lib/gitlab/auth/two_factor_auth_verifier.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    class TwoFactorAuthVerifier
+      attr_reader :current_user
+
+      def initialize(current_user)
+        @current_user = current_user
+      end
+
+      def two_factor_authentication_required?
+        Gitlab::CurrentSettings.require_two_factor_authentication? ||
+          current_user&.require_two_factor_authentication_from_group?
+      end
+
+      def current_user_needs_to_setup_two_factor?
+        current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled?
+      end
+
+      def two_factor_grace_period
+        periods = [Gitlab::CurrentSettings.two_factor_grace_period]
+        periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group?
+        periods.min
+      end
+
+      def two_factor_grace_period_expired?
+        time = current_user&.otp_grace_period_started_at
+
+        return false unless time
+
+        two_factor_grace_period.hours.since(time) < Time.current
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index f3b53a2ba0b..b67b3a37440 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -98,6 +98,13 @@ module Gitlab
       Guest.can?(download_ability, container)
     end
 
+    def deploy_key_can_download_code?
+      authentication_abilities.include?(:download_code) &&
+        deploy_key? &&
+        deploy_key.has_access_to?(container) &&
+        (project? && project&.repository_access_level != ::Featurable::DISABLED)
+    end
+
     def user_can_download_code?
       authentication_abilities.include?(:download_code) &&
         user_access.can_do_action?(download_ability)
@@ -257,7 +264,7 @@ module Gitlab
     end
 
     def check_download_access!
-      passed = deploy_key? ||
+      passed = deploy_key_can_download_code? ||
         deploy_token? ||
         user_can_download_code? ||
         build_can_download_code? ||