From d7437af3f31f388bf59b23a06c9bff5c8c5fd157 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Nov 2022 04:46:20 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee

---
 .../api_authentication/token_resolver_spec.rb | 12 ++++++++++
 spec/lib/gitlab/auth/auth_finders_spec.rb | 9 +++++++
 spec/lib/gitlab/git_access_spec.rb | 28 ++++++++++++++++++++++
 3 files changed, 49 insertions(+)

(limited to 'spec/lib/gitlab')

diff --git a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
index bbc6bf0d481..9f86b95651a 100644
--- a/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
+++ b/spec/lib/gitlab/api_authentication/token_resolver_spec.rb
@@ -114,6 +114,18 @@ RSpec.describe Gitlab::APIAuthentication::TokenResolver do
 
 it_behaves_like 'an unauthorized request'
 end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ context 'with a valid deploy token' do
+ let(:raw) { username_and_password(token.username, token.token) }
+
+ it_behaves_like 'an unauthorized request'
+ end
+ end
 end
 
 context 'with :personal_access_token' do
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 05eca4cf70f..9283c31a207 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -389,6 +389,15 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 it { is_expected.to be_nil }
 end
 end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ set_header(described_class::DEPLOY_TOKEN_HEADER, deploy_token.token)
+ end
+
+ it { is_expected.to be_nil }
+ end
 end
 
 describe '#find_user_from_access_token' do
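Review bot: The new 'with a valid deploy token' example in the token_resolver hunk asserts only the rejection through the shared 'an unauthorized request' example, so nothing in the hunk records why an otherwise valid deploy token must be refused once `external_authorization_service_enabled` is stubbed to true; the patch is limited to spec/lib/gitlab, so the implementation this exercises is not visible here and the enclosing deploy-token context starts outside the hunk. A one-line comment above the new context would preserve the intent for the next reader, for example `# An otherwise valid deploy token must be rejected while external authorization is enabled.`. If the enclosing context already has the accepting counterpart for the same credentials, naming it in that comment would make the contrast explicit.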
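Review bot: In the auth_finders hunk the new `before` both enables the setting and sets the deploy-token header, so the example cannot show that the setting alone changes the outcome; if the enclosing describe (its opening is outside the hunk) already sets `described_class::DEPLOY_TOKEN_HEADER` for the valid-token examples, only `stub_application_setting(external_authorization_service_enabled: true)` belongs in this `before`. A `be_nil` result is also what an absent token produces, so a named example such as `it 'returns nil for an otherwise valid deploy token' do` would document the intent better than the bare `it { is_expected.to be_nil }`.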
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 7e3a1bf61bc..10a099af4f0 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccess, :aggregate_failures do
 include TermsHelper
 include AdminModeHelper
+ include ExternalAuthorizationServiceHelpers
 
 let(:user) { create(:user) }
 let(:actor) { user }
@@ -111,6 +112,19 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do
 end
 end
 end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ it 'blocks push and pull with "not found"' do
+ aggregate_failures do
+ expect { push_access_check }.to raise_not_found
+ expect { pull_access_check }.to raise_not_found
+ end
+ end
+ end
 end
 
 context 'when actor is a User' do
@@ -176,6 +190,20 @@ RSpec.describe Gitlab::GitAccess, :aggregate_failures do
 expect { push_access_check }.to raise_not_found
 end
 end
+
+ context 'when the external_authorization_service is enabled' do
+ before do
+ stub_application_setting(external_authorization_service_enabled: true)
+ end
+
+ it 'blocks pull access' do
+ expect { pull_access_check }.to raise_not_found
+ end
+
+ it 'blocks the push' do
+ expect { push_access_check }.to raise_not_found
+ end
+ end
 end
 end
 
-- 
cgit v1.2.1
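Review bot: The added `include ExternalAuthorizationServiceHelpers` in the first git_access hunk is not referenced by any of the other 27 inserted lines in this file (the diffstat's 28 insertions are all visible), which instead call `stub_application_setting(external_authorization_service_enabled: true)` directly. Unless the module registers hooks on inclusion that the new contexts depend on, either the new contexts should use the helper module's API to enable the service or the include should be dropped so the spec does not carry an unused dependency.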
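Review bot: The inner `aggregate_failures do … end` wrapper in the second git_access hunk is redundant, because the enclosing `RSpec.describe Gitlab::GitAccess, :aggregate_failures do` (shown in the hunk header) already aggregates failures for every example. The two `expect { … }.to raise_not_found` lines can sit directly in the example body, as the existing examples around them do.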
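Review bot: The third git_access hunk covers the same setting as the second but with two separate examples whose names are phrased differently (`it 'blocks pull access' do` versus `it 'blocks the push' do`), while the earlier hunk combines both checks into one example named `'blocks push and pull with "not found"'`. Picking one shape for both contexts would make the two cases easier to compare; if they stay separate, symmetric names such as `it 'blocks pull access' do` and `it 'blocks push access' do` read more consistently. The enclosing actor context for this hunk starts outside the visible lines.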