author | Robert Speicher <robert@gitlab.com> | 2016-08-18 23:18:58 +0000 |
---|---|---|
committer | Ruben Davila <rdavila84@gmail.com> | 2016-08-18 18:56:38 -0500 |
commit | 02640809bc9056ca9cf5ca9b672ef348b39a071f (patch) | |
tree | 187dd689edd6c0977d22bc635ec4ede7037aaa25 /spec | |
parent | 220755f52ad6e3fdfa43c62e0a4a4051721246dc (diff) | |
download | gitlab-ce-02640809bc9056ca9cf5ca9b672ef348b39a071f.tar.gz |
Merge branch '2fa-check-git-http' into 'master'
2FA checks for Git over HTTP
## What does this MR do?
This MR allows the use of `PersonalAccessTokens` to access Git over HTTP and makes that the only allowed method if the user has 2FA enabled. If a user with 2FA enabled tries to access Git over HTTP using his username and password the request will be denied and the user will be presented with the following message:
```
remote: HTTP Basic: Access denied
remote: You have 2FA enabled, please use a personal access token for Git over HTTP.
remote: You can generate one at http://localhost:3000/profile/personal_access_tokens
fatal: Authentication failed for 'http://localhost:3000/documentcloud/underscore.git/'
```
## What are the relevant issue numbers?
Fixes #13568
See merge request !5764
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/git_http_spec.rb | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 8537c252b58..afaf4b7cefb 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -198,6 +198,45 @@ describe 'Git HTTP requests', lib: true do
 end
 end
+ context 'when user has 2FA enabled' do
+ let(:user) { create(:user, :two_factor) }
+ let(:access_token) { create(:personal_access_token, user: user) }
+
+ before do
+ project.team << [user, :master]
+ end
+
+ context 'when username and password are provided' do
+ it 'rejects the clone attempt' do
+ download("#{project.path_with_namespace}.git", user: user.username, password: user.password) do |response|
+ expect(response).to have_http_status(401)
+ expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+ end
+ end
+
+ it 'rejects the push attempt' do
+ upload("#{project.path_with_namespace}.git", user: user.username, password: user.password) do |response|
+ expect(response).to have_http_status(401)
+ expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+ end
+ end
+ end
+
+ context 'when username and personal access token are provided' do
+ it 'allows clones' do
+ download("#{project.path_with_namespace}.git", user: user.username, password: access_token.token) do |response|
+ expect(response).to have_http_status(200)
+ end
+ end
+
+ it 'allows pushes' do
+ upload("#{project.path_with_namespace}.git", user: user.username, password: access_token.token) do |response|
+ expect(response).to have_http_status(200)
+ end
+ end
+ end
+ end
+
 context "when blank password attempts follow a valid login" do
 def attempt_login(include_password)
 password = include_password ? user.password : "" |
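Review bot: The new 'when username and personal access token are provided' context only covers the accepting path; nothing in this hunk asserts that a token is refused when it is sent with a username other than its owner's, or when it has been revoked or expired if the model supports those states, so a regression in that binding would pass this suite unless a sibling context outside the hunk covers it. An example along the lines of `it 'rejects a token paired with another user\'s username'` asserting a 401 would pin the check the 2FA enforcement depends on. As a matter of style, the repository path is built four times and the 2FA message string is repeated twice; `let(:path) { "#{project.path_with_namespace}.git" }` and `let(:two_factor_message) { 'You have 2FA enabled, please use a personal access token for Git over HTTP' }` would keep the examples in sync when either changes. The enclosing describe block starts and ends outside the hunk.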