Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

1 files changed, 41 insertions, 5 deletions

diff --git a/spec/controllers/profiles/two_factor_auths_controller_spec.rb b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
index 073180cbafd..a0e2cf671af 100644
--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -35,6 +35,27 @@ RSpec.describe Profiles::TwoFactorAuthsController do
     end
   end
 
+  shared_examples 'user must enter a valid current password' do
+    let(:current_password) { '123' }
+
+    it 'requires the current password', :aggregate_failures do
+      go
+
+      expect(response).to redirect_to(profile_two_factor_auth_path)
+      expect(flash[:alert]).to eq(_('You must provide a valid current password'))
+    end
+
+    context 'when the user is on the last sign in attempt' do
+      it do
+        user.update!(failed_attempts: User.maximum_attempts.pred)
+
+        go
+
+        expect(user.reload).to be_access_locked
+      end
+    end
+  end
+
   describe 'GET show' do
     let_it_be_with_reload(:user) { create(:user) }
 
@@ -69,9 +90,10 @@ RSpec.describe Profiles::TwoFactorAuthsController do
     let_it_be_with_reload(:user) { create(:user) }
 
     let(:pin) { 'pin-code' }
+    let(:current_password) { user.password }
 
     def go
-      post :create, params: { pin_code: pin }
+      post :create, params: { pin_code: pin, current_password: current_password }
     end
 
     context 'with valid pin' do
@@ -136,21 +158,25 @@ RSpec.describe Profiles::TwoFactorAuthsController do
       end
     end
 
+    it_behaves_like 'user must enter a valid current password'
+
     it_behaves_like 'user must first verify their primary email address'
   end
 
   describe 'POST codes' do
     let_it_be_with_reload(:user) { create(:user, :two_factor) }
 
+    let(:current_password) { user.password }
+
     it 'presents plaintext codes for the user to save' do
       expect(user).to receive(:generate_otp_backup_codes!).and_return(%w(a b c))
 
-      post :codes
+      post :codes, params: { current_password: current_password }
       expect(assigns[:codes]).to match_array %w(a b c)
     end
 
     it 'persists the generated codes' do
-      post :codes
+      post :codes, params: { current_password: current_password }
 
       user.reload
       expect(user.otp_backup_codes).not_to be_empty
@@ -159,12 +185,18 @@ RSpec.describe Profiles::TwoFactorAuthsController do
     it 'dismisses the `TWO_FACTOR_AUTH_RECOVERY_SETTINGS_CHECK` callout' do
       expect(controller.helpers).to receive(:dismiss_two_factor_auth_recovery_settings_check)
 
-      post :codes
+      post :codes, params: { current_password: current_password }
+    end
+
+    it_behaves_like 'user must enter a valid current password' do
+      let(:go) { post :codes, params: { current_password: current_password } }
     end
   end
 
   describe 'DELETE destroy' do
-    subject { delete :destroy }
+    subject { delete :destroy, params: { current_password: current_password } }
+
+    let(:current_password) { user.password }
 
     context 'for a user that has 2FA enabled' do
       let_it_be_with_reload(:user) { create(:user, :two_factor) }
@@ -187,6 +219,10 @@ RSpec.describe Profiles::TwoFactorAuthsController do
         expect(flash[:notice])
           .to eq _('Two-factor authentication has been disabled successfully!')
       end
+
+      it_behaves_like 'user must enter a valid current password' do
+        let(:go) { delete :destroy, params: { current_password: current_password } }
+      end
     end
 
     context 'for a user that does not have 2FA enabled' do