authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:42:18 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-31 11:42:44 +0000
commit15c040a6bd71894260b66a90685070c0babfee76 (patch)
tree27021108f64428697744973cddaede55930f4ef7 /spec/requests
parent6e4e4023b46c786a99e1cfe8832fa5eff2728e0d (diff)
downloadgitlab-ce-15c040a6bd71894260b66a90685070c0babfee76.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r--spec/requests/git_http_spec.rb61
-rw-r--r--spec/requests/lfs_http_spec.rb4
2 files changed, 62 insertions, 3 deletions
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index a1e28c18769..279c65fc2f4 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -35,6 +35,26 @@ RSpec.describe 'Git HTTP requests' do
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
end
end
+
+ context "when password is expired" do
+ it "responds to downloads with status 401 Unauthorized" do
+ user.update!(password_expires_at: 2.days.ago)
+
+ download(path, user: user.username, password: user.password) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ context "when user is blocked" do
+ let(:user) { create(:user, :blocked) }
+
+ it "responds to downloads with status 401 Unauthorized" do
+ download(path, user: user.username, password: user.password) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
end
context "when authentication succeeds" do
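Review bot: Both new contexts ("when password is expired" and "when user is blocked") assert only the 401 status, while the neighbouring example in the same context also pins `expect(response.header['WWW-Authenticate']).to start_with('Basic ')`; the rejection paths should check that header too, so a 401 still carries the Basic challenge a client needs to re-prompt. The same status-only assertion recurs in the hunks at @@ -75, @@ -576, @@ -649 and @@ -860. `user.update!(password_expires_at: 2.days.ago)` writes to the persisted record; if `user` is declared with `let_it_be` outside this hunk the change would leak into later examples, so confirm it is a per-example `let`. The enclosing describe block starts and ends outside the hunk.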
@@ -75,6 +95,15 @@ RSpec.describe 'Git HTTP requests' do
expect(response.header['WWW-Authenticate']).to start_with('Basic ')
end
end
+
+ context "when password is expired" do
+ it "responds to uploads with status 401 Unauthorized" do
+ user.update!(password_expires_at: 2.days.ago)
+ upload(path, user: user.username, password: user.password) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
end
context "when authentication succeeds" do
@@ -576,6 +605,16 @@ RSpec.describe 'Git HTTP requests' do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
+
+ context "when password is expired" do
+ it "responds to downloads with status 401 unauthorized" do
+ user.update!(password_expires_at: 2.days.ago)
+
+ download(path, **env) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
end
context 'when user has 2FA enabled' do
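Review bot: The example description `"responds to downloads with status 401 unauthorized"` lower-cases the reason phrase while the @@ -35 and @@ -75 hunks write `401 Unauthorized`; the @@ -649 and @@ -860 hunks lower-case it as well, so the new examples should settle on one form. `env` is defined outside the hunk, so the credential type this expired-password case exercises is not visible here; a short comment above the `download` call, e.g. `# credentials come from the enclosing context's env`, or a context description naming the credential would make the expectation self-explanatory. The enclosing context begins outside the hunk.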
@@ -649,6 +688,18 @@ RSpec.describe 'Git HTTP requests' do
expect(response).to have_gitlab_http_status(:ok)
end
end
+
+ context "when password is expired" do
+ it "responds to uploads with status 401 unauthorized" do
+ user.update!(password_expires_at: 2.days.ago)
+
+ write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
+
+ upload(path, user: user.username, password: write_access_token.token) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
end
end
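Review bot: The example description does not mention that the upload is authenticated with a `write_repository` personal access token rather than the password, which is the interesting part of this case: an otherwise valid token is refused once the account's password has expired. Suggest `it "responds to uploads with status 401 unauthorized even with a valid write_repository token"`, or a one-line comment above the `create(:personal_access_token, ...)` line stating that intent. Only the upload side is covered here; whether a read-scoped token on download is asserted elsewhere is not visible in this hunk. The enclosing context begins outside the hunk.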
@@ -860,6 +911,16 @@ RSpec.describe 'Git HTTP requests' do
expect(response).to have_gitlab_http_status(:not_found)
end
+
+ context 'when users password is expired' do
+ it 'rejects pulls with 401 unauthorized' do
+ user.update!(password_expires_at: 2.days.ago)
+
+ download(path, user: 'gitlab-ci-token', password: build.token) do |response|
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
end
end
end
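Review bot: The context description `'when users password is expired'` is missing the possessive apostrophe and differs from the wording the other new contexts use; change it to `context "when user's password is expired" do` (double quotes because of the apostrophe). This case authenticates as `gitlab-ci-token` with `build.token`, so the expiry being enforced is presumably that of the user owning `build`, not of the credential presented; a comment such as `# the job token itself is valid; the owning user's expired password must still block access` would record why a 401 is expected. Only pulls are asserted, and I cannot tell from the hunk whether a push with a job token is meant to be rejected the same way. The enclosing describe block ends outside the hunk.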
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 4e18c9cb4ca..0e3a0252638 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -346,9 +346,7 @@ RSpec.describe 'Git LFS API and storage' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
let(:role) { :reporter}
- # TODO: This should return a 404 response
- # https://gitlab.com/gitlab-org/gitlab/-/issues/292006
- it_behaves_like 'LFS http 200 response'
+ it_behaves_like 'LFS http 401 response'
end
context 'when user is blocked' do
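Review bot: The removed TODO said this case should return a 404, but the new expectation is `'LFS http 401 response'`, and nothing in the hunk records why 401 rather than the 404 the TODO anticipated was chosen. A one-line comment above the `it_behaves_like`, e.g. `# Expired passwords are rejected at authentication (401) rather than hidden as 404; see https://gitlab.com/gitlab-org/gitlab/-/issues/292006`, keeps the link to the issue that the deleted lines carried. The enclosing context starts outside the hunk.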