Deny Git over HTTP access to users that have 2FA enabled, unless they use a Personal Access Token.

author: Patricio Cano <suprnova32@gmail.com> 2016-08-10 19:04:25 -0500
committer: Patricio Cano <suprnova32@gmail.com> 2016-08-16 11:19:00 -0500
commit: 8bb1931ef2d25ee5dfc5352a3932b948656ddf94 (patch)
tree: 019925a25caeb5ccf223f63186def26d6484cbc5 /spec/requests/git_http_spec.rb
parent: c5a7a70d10cc59e940f85ce21bc25e392ab68978 (diff)
download: gitlab-ce-8bb1931ef2d25ee5dfc5352a3932b948656ddf94.tar.gz
1 files changed, 41 insertions, 0 deletions
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 8537c252b58..37c2586bbe2 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -198,6 +198,47 @@ describe 'Git HTTP requests', lib: true do
               end
             end
 
+            context 'when user has 2FA enabled' do
+              before do
+                @user = create(:user, :two_factor)
+                project.team << [@user, :master]
+              end
+
+              context 'when username and password are provided' do
+                it 'rejects the clone attempt' do
+                  download("#{project.path_with_namespace}.git", user: @user.username, password: @user.password) do |response|
+                    expect(response).to have_http_status(401)
+                    expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+                  end
+                end
+
+                it 'rejects the push attempt' do
+                  upload("#{project.path_with_namespace}.git", user: @user.username, password: @user.password) do |response|
+                    expect(response).to have_http_status(401)
+                    expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+                  end
+                end
+              end
+
+              context 'when username and personal access token are provided' do
+                before do
+                  @token = create(:personal_access_token, user: @user)
+                end
+
+                it 'allows clones' do
+                  download("#{project.path_with_namespace}.git", user: @user.username, password: @token.token) do |response|
+                    expect(response).to have_http_status(200)
+                  end
+                end
+
+                it 'allows pushes' do
+                  upload("#{project.path_with_namespace}.git", user: @user.username, password: @token.token) do |response|
+                    expect(response).to have_http_status(200)
+                  end
+                end
+              end
+            end
+
             context "when blank password attempts follow a valid login" do
               def attempt_login(include_password)
                 password = include_password ? user.password : ""
author	Patricio Cano <suprnova32@gmail.com>	2016-08-10 19:04:25 -0500
committer	Patricio Cano <suprnova32@gmail.com>	2016-08-16 11:19:00 -0500
commit	8bb1931ef2d25ee5dfc5352a3932b948656ddf94 (patch)
tree	019925a25caeb5ccf223f63186def26d6484cbc5 /spec/requests/git_http_spec.rb
parent	c5a7a70d10cc59e940f85ce21bc25e392ab68978 (diff)
download	gitlab-ce-8bb1931ef2d25ee5dfc5352a3932b948656ddf94.tar.gz