Merge branch '332455-password-expired-error-on-git-fetch-via-ssh-for-ldap-user-fix' into 'master'

Add another guard clause to password_expired_if_applicable See merge request gitlab-org/gitlab!65575

Merge branch '332455-password-expired-error-on-git-fetch-via-ssh-for-ldap-user-fix' into 'master'
Add another guard clause to password_expired_if_applicable See merge request gitlab-org/gitlab!65575
1ae5bb20 · Michael Kozono · 28fe704c · 366b1d74 · 1ae5bb20 · 1ae5bb20
Commit 1ae5bb20 authored Jul 08, 2021 by Michael Kozono
7 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1887,7 +1887,8 @@ class User < ApplicationRecord
  end

  def password_expired_if_applicable?
-    return false unless password_expired?
+    return false if bot?
+    return false unless password_expired? && password_automatically_set?
    return false unless allow_password_authentication?

    true

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do

    it 'disallows users with expired password to pull' do
      project.add_maintainer(user)
-      user.update!(password_expires_at: 2.minutes.ago)
+      user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)

      expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
    end
@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
      end

      it 'disallows users with expired password to push' do
-        user.update!(password_expires_at: 2.minutes.ago)
+        user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)

        expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
      end

--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
        end

        context 'when the user password is expired' do
-          let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+          let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }

          it 'returns false' do
            expect(lfs_token.token_valid?(lfs_token.token)).to be false

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -5275,11 +5275,43 @@ RSpec.describe User do
  end

  describe '#password_expired_if_applicable?' do
-    let(:user) { build(:user, password_expires_at: password_expires_at) }
+    let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }

    subject { user.password_expired_if_applicable? }

    context 'when user is not ldap user' do
+      context 'when user has password set automatically' do
+        let(:set_automatically?) { true }
+
+        context 'when password_expires_at is not set' do
+          let(:password_expires_at) {}
+
+          it 'returns false' do
+            is_expected.to be_falsey
+          end
+        end
+
+        context 'when password_expires_at is in the past' do
+          let(:password_expires_at) { 1.minute.ago }
+
+          it 'returns true' do
+            is_expected.to be_truthy
+          end
+        end
+
+        context 'when password_expires_at is in the future' do
+          let(:password_expires_at) { 1.minute.from_now }
+
+          it 'returns false' do
+            is_expected.to be_falsey
+          end
+        end
+      end
+    end
+
+    context 'when user has password not set automatically' do
+      let(:set_automatically?) { false }
+
      context 'when password_expires_at is not set' do
        let(:password_expires_at) {}

@@ -5291,8 +5323,8 @@ RSpec.describe User do
      context 'when password_expires_at is in the past' do
        let(:password_expires_at) { 1.minute.ago }

-        it 'returns true' do
-          is_expected.to be_truthy
+        it 'returns false' do
+          is_expected.to be_falsey
        end
      end

@@ -5336,6 +5368,34 @@ RSpec.describe User do
        end
      end
    end
+
+    context 'when user is a project bot' do
+      let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
+
+      context 'when password_expires_at is not set' do
+        let(:password_expires_at) {}
+
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+
+      context 'when password_expires_at is in the past' do
+        let(:password_expires_at) { 1.minute.ago }
+
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+
+      context 'when password_expires_at is in the future' do
+        let(:password_expires_at) { 1.minute.from_now }
+
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+    end
  end

  describe '#read_only_attribute?' do

--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do

    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end

      it { is_expected.not_to be_allowed(:access_api) }
@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do

    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end

      it { is_expected.not_to be_allowed(:access_git) }
@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do

    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end

      it { is_expected.not_to be_allowed(:use_slash_commands) }

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
  shared_examples 'operations are not allowed with expired password' do
    context "when password is expired" do
      it "responds to downloads with status 401 Unauthorized" do
-        user.update!(password_expires_at: 2.days.ago)
+        user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

        download(path, user: user.username, password: user.password) do |response|
          expect(response).to have_gitlab_http_status(:unauthorized)
@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
      end

      it "responds to uploads with status 401 Unauthorized" do
-        user.update!(password_expires_at: 2.days.ago)
+        user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

        upload(path, user: user.username, password: user.password) do |response|
          expect(response).to have_gitlab_http_status(:unauthorized)
@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do

                context "when password is expired" do
                  it "responds to downloads with status 401 unauthorized" do
-                    user.update!(password_expires_at: 2.days.ago)
+                    user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                    download(path, **env) do |response|
                      expect(response).to have_gitlab_http_status(:unauthorized)
@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do

                  context "when password is expired" do
                    it "responds to uploads with status 401 unauthorized" do
-                      user.update!(password_expires_at: 2.days.ago)
+                      user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                      write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])

@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do

              context 'when users password is expired' do
                it 'rejects pulls with 401 unauthorized' do
-                  user.update!(password_expires_at: 2.days.ago)
+                  user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                  download(path, user: 'gitlab-ci-token', password: build.token) do |response|
                    expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do

                context "when password is expired" do
                  it "responds to downloads with status 401 unauthorized" do
-                    user.update!(password_expires_at: 2.days.ago)
+                    user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                    download(path, **env) do |response|
                      expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do

                  context "when password is expired" do
                    it "responds to uploads with status 401 unauthorized" do
-                      user.update!(password_expires_at: 2.days.ago)
+                      user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                      write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])

@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do

              context 'when users password is expired' do
                it 'rejects pulls with 401 unauthorized' do
-                  user.update!(password_expires_at: 2.days.ago)
+                  user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)

                  download(path, user: 'gitlab-ci-token', password: build.token) do |response|
                    expect(response).to have_gitlab_http_status(:unauthorized)

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
            it_behaves_like 'LFS http 200 blob response'

            context 'when user password is expired' do
-              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}

              it_behaves_like 'LFS http 401 response'
            end
@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
            end

            context 'when user password is expired' do
-              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}

              let(:role) { :reporter}

@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
              it_behaves_like 'LFS http 200 workhorse response'

              context 'when user password is expired' do
-                let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+                let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }

                it_behaves_like 'LFS http 401 response'
              end