author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:57:02 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 12:57:02 +0000 |
commit | e0ab280b774e34fcfd6fd031616247714230ca68 (patch) | |
tree | 472ee2dcef05f242e1b861caa47a0a5179e92f4c /spec/lib | |
parent | 60b56b48afb89ed1890409b6c425f16549c4d28b (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb | 61 | ||||
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 59 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 35 | ||||
-rw-r--r-- | spec/lib/gitlab/import_export/project/tree_restorer_spec.rb | 4 | ||||
-rw-r--r-- | spec/lib/gitlab/import_export/safe_model_attributes.yml | 10 | ||||
-rw-r--r-- | spec/lib/gitlab/legacy_github_import/client_spec.rb | 9 | ||||
-rw-r--r-- | spec/lib/gitlab/lfs_token_spec.rb | 14 |
7 files changed, 121 insertions, 71 deletions
diff --git a/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb b/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
index f906870195a..876c23a91bd 100644
--- a/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
+++ b/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
@@ -3,33 +3,50 @@ require 'spec_helper' RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do - let(:user) { create(:user) } + using RSpec::Parameterized::TableSyntax - subject { described_class.new(user) } + subject(:verifier) { described_class.new(user) } - describe '#two_factor_authentication_required?' do - describe 'when it is required on application level' do - it 'returns true' do - stub_application_setting require_two_factor_authentication: true + let(:user) { build_stubbed(:user, otp_grace_period_started_at: Time.zone.now) } - expect(subject.two_factor_authentication_required?).to be_truthy - end - end + describe '#two_factor_authentication_enforced?' do + subject { verifier.two_factor_authentication_enforced? } - describe 'when it is required on group level' do - it 'returns true' do - allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true) + where(:instance_level_enabled, :group_level_enabled, :grace_period_expired, :should_be_enforced) do + false | false | true | false + true | false | false | false + true | false | true | true + false | true | false | false + false | true | true | true + end - expect(subject.two_factor_authentication_required?).to be_truthy + with_them do + before do + stub_application_setting(require_two_factor_authentication: instance_level_enabled) + allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled) + stub_application_setting(two_factor_grace_period: grace_period_expired ? 0 : 1.month.in_hours) end + + it { is_expected.to eq(should_be_enforced) } end + end - describe 'when it is not required' do - it 'returns false when not required on group level' do - allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(false) + describe '#two_factor_authentication_required?' do + subject { verifier.two_factor_authentication_required? 
} + + where(:instance_level_enabled, :group_level_enabled, :should_be_required) do + true | false | true + false | true | true + false | false | false + end - expect(subject.two_factor_authentication_required?).to be_falsey + with_them do + before do + stub_application_setting(require_two_factor_authentication: instance_level_enabled) + allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled) end + + it { is_expected.to eq(should_be_required) } end end
@@ -85,25 +102,21 @@ RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do end describe '#two_factor_grace_period_expired?' do - before do - allow(user).to receive(:otp_grace_period_started_at).and_return(4.hours.ago) - end - it 'returns true if the grace period has expired' do - allow(subject).to receive(:two_factor_grace_period).and_return(2) + stub_application_setting two_factor_grace_period: 0 expect(subject.two_factor_grace_period_expired?).to be_truthy end it 'returns false if the grace period has not expired' do - allow(subject).to receive(:two_factor_grace_period).and_return(6) + stub_application_setting two_factor_grace_period: 1.month.in_hours expect(subject.two_factor_grace_period_expired?).to be_falsey end context 'when otp_grace_period_started_at is nil' do it 'returns false' do - allow(user).to receive(:otp_grace_period_started_at).and_return(nil) + user.otp_grace_period_started_at = nil expect(subject.two_factor_grace_period_expired?).to be_falsey end
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index cc592bb8f24..5ec6e23774a 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
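Review bot: The `where` table for `#two_factor_authentication_enforced?` never exercises the case in which the instance setting and the group requirement are both true, so an implementation that short-circuits on one flag and ignores the other would still pass; add rows `true | true | true | true` and `true | true | false | false`. The "expired" rows also depend on `otp_grace_period_started_at: Time.zone.now` combined with a zero-hour grace period, which is only microseconds in the past when the predicate runs — if the comparison in the verifier is strict this can flake, and a clearly past value such as `1.day.ago` (the auth_spec hunk in this same commit uses that) removes the timing dependence. The `RSpec.describe` block opened in this hunk continues past it.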
@@ -386,7 +386,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do shared_examples 'with an invalid access token' do it 'fails for a non-member' do expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip')) - .to have_attributes(auth_failure ) + .to have_attributes(auth_failure) end context 'when project bot user is blocked' do
@@ -396,7 +396,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do it 'fails for a blocked project bot' do expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip')) - .to have_attributes(auth_failure ) + .to have_attributes(auth_failure) end end end
@@ -466,6 +466,41 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do .to have_attributes(auth_failure) end + context 'when 2fa is enabled globally' do + let_it_be(:user) do + create(:user, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago) + end + + before do + stub_application_setting(require_two_factor_authentication: true) + end + + it 'fails if grace period expired' do + stub_application_setting(two_factor_grace_period: 0) + + expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') } + .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) + end + + it 'goes through if grace period is not expired yet' do + stub_application_setting(two_factor_grace_period: 72) + + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + .to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities) + end + end + + context 'when 2fa is enabled personally' do + let(:user) do + create(:user, :two_factor, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago) + end + + it 'fails' do + expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') } + .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError) + end + end + it 'goes through lfs authentication' do user = create( :user, 
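Review bot: The `when 2fa is enabled personally` context asserts the rejection under the default grace-period setting only, so it does not show that a user who already has 2FA enabled is refused password authentication over Git irrespective of the instance grace window; adding `stub_application_setting(two_factor_grace_period: 72)` to that example (or a sibling) would make the grace period unable to explain the failure. The global context likewise leaves the group-level trigger (`require_two_factor_authentication_from_group?`) untested here, although the verifier spec in this commit treats it as an independent source of enforcement. Both failure examples check only the exception class; that is acceptable, but the success example's `authentication_abilities:` assertion is the one that actually pins the contract, so keep it if this block is refactored. The enclosing `describe` starts and ends outside the hunk.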
@@ -757,16 +792,16 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do describe 'find_with_user_password' do let!(:user) do create(:user, - username: username, - password: password, - password_confirmation: password) + username: username, + password: password, + password_confirmation: password) end let(:username) { 'John' } # username isn't lowercase, test this let(:password) { 'my-secret' } it "finds user by valid login/password" do - expect( gl_auth.find_with_user_password(username, password) ).to eql user + expect(gl_auth.find_with_user_password(username, password)).to eql user end it 'finds user by valid email/password with case-insensitive email' do
@@ -779,12 +814,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do it "does not find user with invalid password" do password = 'wrong' - expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + expect(gl_auth.find_with_user_password(username, password)).not_to eql user end it "does not find user with invalid login" do user = 'wrong' - expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + expect(gl_auth.find_with_user_password(username, password)).not_to eql user end include_examples 'user login operation with unique ip limit' do
@@ -796,13 +831,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do it 'finds the user in deactivated state' do user.deactivate! - expect( gl_auth.find_with_user_password(username, password) ).to eql user + expect(gl_auth.find_with_user_password(username, password)).to eql user end it "does not find user in blocked state" do user.block - expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + expect(gl_auth.find_with_user_password(username, password)).not_to eql user end it 'does not find user in locked state' do
@@ -814,13 +849,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do it "does not find user in ldap_blocked state" do user.ldap_block - expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + expect(gl_auth.find_with_user_password(username, password)).not_to eql user end it 'does not find user in blocked_pending_approval state' do user.block_pending_approval - expect( gl_auth.find_with_user_password(username, password) ).not_to eql user + expect(gl_auth.find_with_user_password(username, password)).not_to eql user end context 'with increment_failed_attempts' do
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index bf682e4e4c6..bf2e3c7f5f8 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -435,17 +435,19 @@ RSpec.describe Gitlab::GitAccess do it 'disallows users with expired password to pull' do project.add_maintainer(user) - user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true) + user.update!(password_expires_at: 2.minutes.ago) expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.") end - it 'allows ldap users with expired password to pull' do - project.add_maintainer(user) - user.update!(password_expires_at: 2.minutes.ago) - allow(user).to receive(:ldap_user?).and_return(true) + context 'with an ldap user' do + let(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) } - expect { pull_access_check }.not_to raise_error + it 'allows ldap users with expired password to pull' do + project.add_maintainer(user) + + expect { pull_access_check }.not_to raise_error + end end context 'when the project repository does not exist' do
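Review bot: Dropping `password_automatically_set: true` from the expired-password pull example leaves the auto-set password case without any coverage, and the removed line suggests that flag used to be the condition under which expiry was enforced; if the intent is that expiry now applies regardless of how the password was set, pin both variants by keeping this example and adding `it 'disallows users with an expired auto-set password to pull'` whose body calls `user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)` and expects the same forbidden message. Without that, a later change that reintroduces the flag check would not be caught by this spec. The new LDAP context relies on `create(:omniauth_user, provider: 'ldap')` making `ldap_user?` true through the factory-built identity rather than a stub, which is the stronger test, but worth a comment such as `# a real LDAP identity, so ldap_user? is derived rather than stubbed`. The `context` surrounding these examples starts and ends outside the hunk.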
@@ -987,24 +989,23 @@ RSpec.describe Gitlab::GitAccess do end it 'disallows users with expired password to push' do - user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true) + user.update!(password_expires_at: 2.minutes.ago) expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.") end - it 'allows ldap users with expired password to push' do - user.update!(password_expires_at: 2.minutes.ago) - allow(user).to receive(:ldap_user?).and_return(true) + context 'with an ldap user' do + let(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) } - expect { push_access_check }.not_to raise_error - end + it 'allows ldap users with expired password to push' do + expect { push_access_check }.not_to raise_error + end - it 'disallows blocked ldap users with expired password to push' do - user.block - user.update!(password_expires_at: 2.minutes.ago) - allow(user).to receive(:ldap_user?).and_return(true) + it 'disallows blocked ldap users with expired password to push' do + user.block - expect { push_access_check }.to raise_forbidden("Your account has been blocked.") + expect { push_access_check }.to raise_forbidden("Your account has been blocked.") + end end it 'cleans up the files' do
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index 82f465c4f9e..518a9337826 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -445,8 +445,8 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do expect(@project.merge_requests.size).to eq(9) end - it 'only restores valid triggers' do - expect(@project.triggers.size).to eq(1) + it 'does not restore triggers' do + expect(@project.triggers.size).to eq(0) end it 'has the correct number of pipelines and statuses' do
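Review bot: In the tree_restorer hunk, `expect(@project.triggers.size).to eq(0)` only proves something while the import fixture still contains a trigger entry (the previous expectation of 1 implies it does); if the fixture is trimmed later the example passes vacuously and the guarantee that exported trigger tokens are never re-created on import goes unverified. Either assert the precondition from the fixture data in this example or record the dependency in a comment such as `# the fixture carries a trigger with a token; import must never recreate it`. The `it` sits inside a `context` that starts and ends outside the hunk.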
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index a9efa32f986..287be24d11f 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -401,15 +401,6 @@ Ci::Variable: - encrypted_value - encrypted_value_salt - encrypted_value_iv -Ci::Trigger: -- id -- token -- project_id -- created_at -- updated_at -- owner_id -- description -- ref Ci::PipelineSchedule: - id - description
@@ -556,7 +547,6 @@ Project: - disable_overriding_approvers_per_merge_request - merge_requests_ff_only_enabled - issues_template -- repository_size_limit - sync_time - service_desk_enabled - last_repository_updated_at
diff --git a/spec/lib/gitlab/legacy_github_import/client_spec.rb b/spec/lib/gitlab/legacy_github_import/client_spec.rb
index 0929b90d1f4..83ba5858d81 100644
--- a/spec/lib/gitlab/legacy_github_import/client_spec.rb
+++ b/spec/lib/gitlab/legacy_github_import/client_spec.rb
@@ -86,6 +86,15 @@ RSpec.describe Gitlab::LegacyGithubImport::Client do it 'builds a endpoint with the given options' do expect(client.api.api_endpoint).to eq 'https://try.gitea.io/api/v3/' end + + context 'and hostname' do + subject(:client) { described_class.new(token, host: 'https://167.99.148.217/', api_version: 'v1', hostname: 'try.gitea.io') } + + it 'builds a endpoint with the given options' do + expect(client.api.connection_options.dig(:headers, :host)).to eq 'try.gitea.io' + expect(client.api.api_endpoint).to eq 'https://167.99.148.217/api/v1/' + end + end end end
diff --git a/spec/lib/gitlab/lfs_token_spec.rb b/spec/lib/gitlab/lfs_token_spec.rb
index a8472062f03..3bc0bd385a7 100644
--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
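Review bot: The new `and hostname` context in client_spec points the client at a literal public address, `https://167.99.148.217/`; nothing is contacted in this example, but a reserved documentation range such as `https://192.0.2.10/` (RFC 5737) avoids tying a spec to an address someone else controls. The context also covers only the positive case: one more assertion in the existing example, `expect(client.api.connection_options.dig(:headers, :host)).to be_nil`, would show that no `Host` override is injected when `hostname:` is omitted. I cannot tell from the hunk whether the `hostname:` value is validated before it is placed in the header, so if it can come from user input that is worth a check on the client side rather than here. The enclosing `describe` starts and ends outside the hunk.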
@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do end context 'when the user password is expired' do - let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) } + let(:actor) { create(:user, password_expires_at: 1.minute.ago) } it 'returns false' do expect(lfs_token.token_valid?(lfs_token.token)).to be false
@@ -135,12 +135,12 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do end context 'when the actor is an ldap user' do - before do - allow(actor).to receive(:ldap_user?).and_return(true) - end + let(:actor) { create(:omniauth_user, provider: 'ldap') } context 'when the user is blocked' do - let(:actor) { create(:user, :blocked) } + before do + actor.block! + end it 'returns false' do expect(lfs_token.token_valid?(lfs_token.token)).to be false
@@ -148,7 +149,9 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do end context 'when the user password is expired' do - let(:actor) { create(:user, password_expires_at: 1.minute.ago) } + before do + actor.update!(password_expires_at: 1.minute.ago) + end it 'returns true' do expect(lfs_token.token_valid?(lfs_token.token)).to be true |
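Review bot: As with git_access_spec in this commit, removing `password_automatically_set: true` from the expired-password actor in the first lfs_token hunk means the auto-set variant is no longer exercised anywhere in this spec, so the property that an expired password invalidates the LFS token regardless of how the password was set rests on a single example. Keep this example and add a sibling context whose actor is `create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)` with the same `be false` expectation, so both branches are pinned. The `context` around the example starts and ends outside the hunk.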