authorGitLab Bot <gitlab-bot@gitlab.com>2020-08-20 18:42:06 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-08-20 18:42:06 +0000
commit6e4e1050d9dba2b7b2523fdd1768823ab85feef4 (patch)
tree78be5963ec075d80116a932011d695dd33910b4e /qa/qa/specs/features/browser_ui/1_manage/login
parent1ce776de4ae122aba3f349c02c17cebeaa8ecf07 (diff)
Add latest changes from gitlab-org/gitlab@13-3-stable-ee
Diffstat (limited to 'qa/qa/specs/features/browser_ui/1_manage/login')
-rw-r--r--qa/qa/specs/features/browser_ui/1_manage/login/2fa_recovery_spec.rb92
-rw-r--r--qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb46
2 files changed, 137 insertions, 1 deletions
diff --git a/qa/qa/specs/features/browser_ui/1_manage/login/2fa_recovery_spec.rb b/qa/qa/specs/features/browser_ui/1_manage/login/2fa_recovery_spec.rb
new file mode 100644
index 00000000000..e83aed18b5f
--- /dev/null
+++ b/qa/qa/specs/features/browser_ui/1_manage/login/2fa_recovery_spec.rb
@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module QA
+ context 'Manage', :requires_admin, :skip_live_env do
+ describe '2FA' do
+ let(:owner_user) do
+ Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_2fa_owner_username_1, Runtime::Env.gitlab_qa_2fa_owner_password_1)
+ end
+
+ let(:developer_user) do
+ Resource::User.fabricate_via_api! do |resource|
+ resource.api_client = admin_api_client
+ end
+ end
+
+ let(:sandbox_group) do
+ Resource::Sandbox.fabricate! do |sandbox_group|
+ sandbox_group.path = "gitlab-qa-2fa-recovery-sandbox-group-#{SecureRandom.hex(4)}"
+ sandbox_group.api_client = owner_api_client
+ end
+ end
+
+ let(:group) do
+ QA::Resource::Group.fabricate_via_api! do |group|
+ group.sandbox = sandbox_group
+ group.api_client = owner_api_client
+ group.require_two_factor_authentication = true
+ end
+ end
+
+ before do
+ group.add_member(developer_user, Resource::Members::AccessLevel::DEVELOPER)
+ end
+
+ it 'allows using 2FA recovery code once only' do
+ recovery_code = enable_2fa_for_user_and_fetch_recovery_code(developer_user)
+
+ Flow::Login.sign_in(as: developer_user, skip_page_validation: true)
+
+ Page::Main::TwoFactorAuth.perform do |two_fa_auth|
+ two_fa_auth.set_2fa_code(recovery_code)
+ two_fa_auth.click_verify_code_button
+ end
+
+ expect(Page::Main::Menu.perform(&:signed_in?)).to be_truthy
+
+ Page::Main::Menu.perform(&:sign_out)
+
+ Flow::Login.sign_in(as: developer_user, skip_page_validation: true)
+
+ Page::Main::TwoFactorAuth.perform do |two_fa_auth|
+ two_fa_auth.set_2fa_code(recovery_code)
+ two_fa_auth.click_verify_code_button
+ end
+
+ expect(page).to have_text('Invalid two-factor code')
+ end
+
+ after do
+ group.set_require_two_factor_authentication(value: 'false')
+ group.remove_via_api!
+ sandbox_group.remove_via_api!
+ developer_user.remove_via_api!
+ end
+
+ def admin_api_client
+ @admin_api_client ||= Runtime::API::Client.as_admin
+ end
+
+ def owner_api_client
+ @owner_api_client ||= Runtime::API::Client.new(:gitlab, user: owner_user)
+ end
+
+ def enable_2fa_for_user_and_fetch_recovery_code(user)
+ Flow::Login.while_signed_in(as: user) do
+ Page::Profile::TwoFactorAuth.perform do |two_fa_auth|
+ @otp = QA::Support::OTP.new(two_fa_auth.otp_secret_content)
+
+ two_fa_auth.set_pin_code(@otp.fresh_otp)
+ two_fa_auth.click_register_2fa_app_button
+
+ recovery_code = two_fa_auth.recovery_codes.sample
+
+ two_fa_auth.click_proceed_button
+
+ recovery_code
+ end
+ end
+ end
+ end
+ end
+end
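Review bot: The second sign-in attempt in 'allows using 2FA recovery code once only' is verified only by the flash text `Invalid two-factor code`, so the spec would still pass if a reused recovery code showed that message but a session was established anyway. Since the property under test is that a consumed code cannot authenticate, I would add `expect(Page::Main::Menu.perform(&:signed_in?)).to be_falsy` after the text check, the same form register_spec.rb uses in this commit; confirm that `signed_in?` returns promptly on the 2FA prompt page. Separately, `@otp` in `enable_2fa_for_user_and_fetch_recovery_code` is only read inside that block and could be a local, and `recovery_codes.sample` makes a failure harder to reproduce than `recovery_codes.first` would.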
diff --git a/qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb b/qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb
index 9dfeec37869..bb01be9d86e 100644
--- a/qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb
+++ b/qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb
@@ -2,7 +2,7 @@
module QA
RSpec.shared_examples 'registration and login' do
- it 'user registers and logs in' do
+ it 'allows the user to registers and login' do
Runtime::Browser.visit(:gitlab, Page::Main::Login)
Resource::User.fabricate_via_browser_ui!
@@ -16,6 +16,50 @@ module QA
RSpec.describe 'Manage', :skip_signup_disabled do
describe 'standard' do
it_behaves_like 'registration and login'
+
+ context 'when user account is deleted', :requires_admin do
+ let(:user) do
+ Resource::User.fabricate_via_api! do |resource|
+ resource.api_client = admin_api_client
+ end
+ end
+
+ before do
+ # Use the UI instead of API to delete the account since
+ # this is the only test that exercise this UI.
+ # Other tests should use the API for this purpose.
+ Flow::Login.sign_in(as: user)
+ Page::Main::Menu.perform(&:click_settings_link)
+ Page::Profile::Menu.perform(&:click_account)
+ Page::Profile::Accounts::Show.perform do |show|
+ show.delete_account(user.password)
+ end
+ end
+
+ it 'allows recreating with same credentials' do
+ expect(Page::Main::Menu.perform(&:signed_in?)).to be_falsy
+
+ Flow::Login.sign_in(as: user, skip_page_validation: true)
+
+ expect(page).to have_text("Invalid Login or password")
+
+ @recreated_user = Resource::User.fabricate_via_browser_ui! do |resource|
+ resource.name = user.name
+ resource.username = user.username
+ resource.email = user.email
+ end
+
+ expect(Page::Main::Menu.perform(&:signed_in?)).to be_truthy
+ end
+
+ after do
+ @recreated_user.remove_via_api!
+ end
+
+ def admin_api_client
+ @admin_api_client ||= Runtime::API::Client.as_admin
+ end
+ end
end
end
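Review bot: The `after` hook calls `@recreated_user.remove_via_api!` unconditionally, but `@recreated_user` is assigned only near the end of the example, so a failure at either earlier expectation leaves it nil and the hook raises NoMethodError in addition to the real failure; `@recreated_user&.remove_via_api!` avoids that. In the same failure paths, or if the UI deletion in `before` does not complete, the original `user` created through the admin API is never removed, so the hook should probably also clean it up when it still exists. The recreated user is fabricated through the browser without an `api_client`, unlike `user`; whether `remove_via_api!` then has sufficient rights is not visible in this hunk and is worth confirming.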