2 files changed, 71 insertions, 0 deletions

diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb
index 837389451e8..d3ab44c0d7e 100644
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -6,6 +6,7 @@ describe API::Helpers do
   include API::APIGuard::HelperMethods
   include described_class
   include SentryHelper
+  include TermsHelper
 
   let(:user) { create(:user) }
   let(:admin) { create(:admin) }
@@ -163,6 +164,23 @@ describe API::Helpers do
         expect { current_user }.to raise_error /403/
       end
 
+      context 'when terms are enforced' do
+        before do
+          enforce_terms
+          env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+        end
+
+        it 'returns a 403 when a user has not accepted the terms' do
+          expect { current_user }.to raise_error /You must accept the Terms of Service/
+        end
+
+        it 'sets the current user when the user accepted the terms' do
+          accept_terms(user)
+
+          expect(current_user).to eq(user)
+        end
+      end
+
       it "sets current_user" do
         env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
         expect(current_user).to eq(user)
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 494db30e8e0..2514dab1714 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -1,6 +1,7 @@
 require "spec_helper"
 
 describe 'Git HTTP requests' do
+  include TermsHelper
   include GitHttpHelpers
   include WorkhorseHelpers
   include UserActivitiesHelpers
@@ -824,4 +825,56 @@ describe 'Git HTTP requests' do
       end
     end
   end
+
+  context 'when terms are enforced' do
+    let(:project) { create(:project, :repository) }
+    let(:user) { create(:user) }
+    let(:path) { "#{project.full_path}.git" }
+    let(:env) { { user: user.username, password: user.password } }
+
+    before do
+      project.add_master(user)
+      enforce_terms
+    end
+
+    it 'blocks git access when the user did not accept terms', :aggregate_failures do
+      clone_get(path, env) do |response|
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      download(path, env) do |response|
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      upload(path, env) do |response|
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'when the user accepted the terms' do
+      before do
+        accept_terms(user)
+      end
+
+      it 'allows clones' do
+        clone_get(path, env) do |response|
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      it_behaves_like 'pulls are allowed'
+      it_behaves_like 'pushes are allowed'
+    end
+
+    context 'from CI' do
+      let(:build) { create(:ci_build, :running) }
+      let(:env) { { user: 'gitlab-ci-token', password: build.token } }
+
+      before do
+        build.update!(user: user, project: project)
+      end
+
+      it_behaves_like 'pulls are allowed'
+    end
+  end
 end