Merge branch '332455-password-expired-error-on-git-fetch-via-ssh-for-ldap-user-fix' into 'master'

Add another guard clause to password_expired_if_applicable See merge request gitlab-org/gitlab!65575

Merge branch '332455-password-expired-error-on-git-fetch-via-ssh-for-ldap-user-fix' into 'master'
Add another guard clause to password_expired_if_applicable See merge request gitlab-org/gitlab!65575
1ae5bb20 · Michael Kozono · 28fe704c · 366b1d74 · 1ae5bb20 · 1ae5bb20
Commit 1ae5bb20 authored Jul 08, 2021 by Michael Kozono
7 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1887,7 +1887,8 @@ class User < ApplicationRecord
  end
  def password_expired_if_applicable?
-    return false unless password_expired?
+    return false if bot?
+    return false unless password_expired? && password_automatically_set?
    return false unless allow_password_authentication?
    true

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do
    it 'disallows users with expired password to pull' do
      project.add_maintainer(user)
-      user.update!(password_expires_at: 2.minutes.ago)
+      user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
    end
@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
      end
      it 'disallows users with expired password to push' do
-        user.update!(password_expires_at: 2.minutes.ago)
+        user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
        expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
      end

--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
        end
        context 'when the user password is expired' do
-          let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+          let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
          it 'returns false' do
            expect(lfs_token.token_valid?(lfs_token.token)).to be false

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -5275,11 +5275,43 @@ RSpec.describe User do
  end
  describe '#password_expired_if_applicable?' do
-    let(:user) { build(:user, password_expires_at: password_expires_at) }
+    let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
    subject { user.password_expired_if_applicable? }
    context 'when user is not ldap user' do
+      context 'when user has password set automatically' do
+        let(:set_automatically?) { true }
+        context 'when password_expires_at is not set' do
+          let(:password_expires_at) {}
+          it 'returns false' do
+            is_expected.to be_falsey
+          end
+        end
+        context 'when password_expires_at is in the past' do
+          let(:password_expires_at) { 1.minute.ago }
+          it 'returns true' do
+            is_expected.to be_truthy
+          end
+        end
+        context 'when password_expires_at is in the future' do
+          let(:password_expires_at) { 1.minute.from_now }
+          it 'returns false' do
+            is_expected.to be_falsey
+          end
+        end
+      end
+    end
+    context 'when user has password not set automatically' do
+      let(:set_automatically?) { false }
      context 'when password_expires_at is not set' do
        let(:password_expires_at) {}
@@ -5291,8 +5323,8 @@ RSpec.describe User do
      context 'when password_expires_at is in the past' do
        let(:password_expires_at) { 1.minute.ago }
-        it 'returns true' do
+        it 'returns false' do
-          is_expected.to be_truthy
+          is_expected.to be_falsey
        end
      end
@@ -5336,6 +5368,34 @@ RSpec.describe User do
        end
      end
    end
+    context 'when user is a project bot' do
+      let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
+      context 'when password_expires_at is not set' do
+        let(:password_expires_at) {}
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+      context 'when password_expires_at is in the past' do
+        let(:password_expires_at) { 1.minute.ago }
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+      context 'when password_expires_at is in the future' do
+        let(:password_expires_at) { 1.minute.from_now }
+        it 'returns false' do
+          is_expected.to be_falsey
+        end
+      end
+    end
  end
  describe '#read_only_attribute?' do

--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do
    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end
      it { is_expected.not_to be_allowed(:access_api) }
@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do
    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end
      it { is_expected.not_to be_allowed(:access_git) }
@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do
    context 'user with expired password' do
      before do
-        current_user.update!(password_expires_at: 2.minutes.ago)
+        current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
      end
      it { is_expected.not_to be_allowed(:use_slash_commands) }

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
  shared_examples 'operations are not allowed with expired password' do
    context "when password is expired" do
      it "responds to downloads with status 401 Unauthorized" do
-        user.update!(password_expires_at: 2.days.ago)
+        user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
        download(path, user: user.username, password: user.password) do |response|
          expect(response).to have_gitlab_http_status(:unauthorized)
@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
      end
      it "responds to uploads with status 401 Unauthorized" do
-        user.update!(password_expires_at: 2.days.ago)
+        user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
        upload(path, user: user.username, password: user.password) do |response|
          expect(response).to have_gitlab_http_status(:unauthorized)
@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do
                context "when password is expired" do
                  it "responds to downloads with status 401 unauthorized" do
-                    user.update!(password_expires_at: 2.days.ago)
+                    user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                    download(path, **env) do |response|
                      expect(response).to have_gitlab_http_status(:unauthorized)
@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do
                  context "when password is expired" do
                    it "responds to uploads with status 401 unauthorized" do
-                      user.update!(password_expires_at: 2.days.ago)
+                      user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                      write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do
              context 'when users password is expired' do
                it 'rejects pulls with 401 unauthorized' do
-                  user.update!(password_expires_at: 2.days.ago)
+                  user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                  download(path, user: 'gitlab-ci-token', password: build.token) do |response|
                    expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do
                context "when password is expired" do
                  it "responds to downloads with status 401 unauthorized" do
-                    user.update!(password_expires_at: 2.days.ago)
+                    user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                    download(path, **env) do |response|
                      expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do
                  context "when password is expired" do
                    it "responds to uploads with status 401 unauthorized" do
-                      user.update!(password_expires_at: 2.days.ago)
+                      user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                      write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do
              context 'when users password is expired' do
                it 'rejects pulls with 401 unauthorized' do
-                  user.update!(password_expires_at: 2.days.ago)
+                  user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
                  download(path, user: 'gitlab-ci-token', password: build.token) do |response|
                    expect(response).to have_gitlab_http_status(:unauthorized)

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
            it_behaves_like 'LFS http 200 blob response'
            context 'when user password is expired' do
-              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
              it_behaves_like 'LFS http 401 response'
            end
@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
            end
            context 'when user password is expired' do
-              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+              let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
              let(:role) { :reporter}
@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
              it_behaves_like 'LFS http 200 workhorse response'
              context 'when user password is expired' do
-                let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+                let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
                it_behaves_like 'LFS http 401 response'
              end