Commit 1ae5bb20 authored by Michael Kozono's avatar Michael Kozono

Merge branch '332455-password-expired-error-on-git-fetch-via-ssh-for-ldap-user-fix' into 'master'

Add another guard clause to password_expired_if_applicable

See merge request gitlab-org/gitlab!65575
parents 28fe704c 366b1d74
......@@ -1887,7 +1887,8 @@ class User < ApplicationRecord
end
def password_expired_if_applicable?
return false unless password_expired?
return false if bot?
return false unless password_expired? && password_automatically_set?
return false unless allow_password_authentication?
true
......
......@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do
it 'disallows users with expired password to pull' do
project.add_maintainer(user)
user.update!(password_expires_at: 2.minutes.ago)
user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end
......@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
end
it 'disallows users with expired password to push' do
user.update!(password_expires_at: 2.minutes.ago)
user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end
......
......@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
end
context 'when the user password is expired' do
let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be false
......
......@@ -5275,11 +5275,14 @@ RSpec.describe User do
end
describe '#password_expired_if_applicable?' do
let(:user) { build(:user, password_expires_at: password_expires_at) }
let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
subject { user.password_expired_if_applicable? }
context 'when user is not ldap user' do
context 'when user has password set automatically' do
let(:set_automatically?) { true }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
......@@ -5304,6 +5307,35 @@ RSpec.describe User do
end
end
end
end
context 'when user has password not set automatically' do
let(:set_automatically?) { false }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the future' do
let(:password_expires_at) { 1.minute.from_now }
it 'returns false' do
is_expected.to be_falsey
end
end
end
context 'when user is ldap user' do
let(:user) { build(:user, password_expires_at: password_expires_at) }
......@@ -5336,6 +5368,34 @@ RSpec.describe User do
end
end
end
context 'when user is a project bot' do
let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the future' do
let(:password_expires_at) { 1.minute.from_now }
it 'returns false' do
is_expected.to be_falsey
end
end
end
end
describe '#read_only_attribute?' do
......
......@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
current_user.update!(password_expires_at: 2.minutes.ago)
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:access_api) }
......@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
current_user.update!(password_expires_at: 2.minutes.ago)
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:access_git) }
......@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
current_user.update!(password_expires_at: 2.minutes.ago)
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
......
......@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
shared_examples 'operations are not allowed with expired password' do
context "when password is expired" do
it "responds to downloads with status 401 Unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
end
it "responds to uploads with status 401 Unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
......@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
......@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
user.update!(password_expires_at: 2.days.ago)
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
......
......@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 blob response'
context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
it_behaves_like 'LFS http 401 response'
end
......@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
end
context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
let(:role) { :reporter}
......@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 workhorse response'
context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it_behaves_like 'LFS http 401 response'
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment