Merge remote-tracking branch 'dev/13-3-stable' into 13-3-stable

6 files changed, 58 insertions, 14 deletions

diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb
index ed963476524..4eeec534fc0 100644
--- a/lib/gitlab/application_rate_limiter.rb
+++ b/lib/gitlab/application_rate_limiter.rb
@@ -25,11 +25,13 @@ module Gitlab
           project_repositories_archive: { threshold: 5, interval: 1.minute },
           project_generate_new_export:  { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
           project_import:               { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
+          project_testing_hook:         { threshold: 5, interval: 1.minute },
           play_pipeline_schedule:       { threshold: 1, interval: 1.minute },
           show_raw_controller:          { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
           group_export:                 { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
           group_download_export:        { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
-          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }
+          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
+          group_testing_hook:           { threshold: 5, interval: 1.minute }
         }.freeze
       end
 
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 332d0bc1478..0c6ed6924bf 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -222,6 +222,8 @@ module Gitlab
 
         # Registry access (with jwt) does not have access to project
         return if project && !token.has_access_to?(project)
+        # When repository is disabled, no resources are accessible via Deploy Token
+        return if project&.repository_access_level == ::ProjectFeature::DISABLED
 
         scopes = abilities_for_scopes(token.scopes)
 
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index f3d0c053880..ccf52bae9a5 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -69,9 +69,7 @@ module Gitlab
           current_request.env[JOB_TOKEN_HEADER].presence
         return unless token
 
-        job = ::Ci::Build.find_by_token(token)
-        raise UnauthorizedError unless job
-
+        job = find_valid_running_job_by_token!(token)
         @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
 
         job.user
@@ -84,9 +82,7 @@ module Gitlab
         return unless login.present? && password.present?
         return unless ::Gitlab::Auth::CI_JOB_USER == login
 
-        job = ::Ci::Build.find_by_token(password)
-        raise UnauthorizedError unless job
-
+        job = find_valid_running_job_by_token!(password)
         job.user
       end
 
@@ -179,7 +175,7 @@ module Gitlab
         token = parsed_oauth_token
         return unless token
 
-        job = ::Ci::Build.find_by_token(token)
+        job = ::Ci::AuthJobFinder.new(token: token).execute
         return unless job
 
         @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
@@ -304,6 +300,12 @@ module Gitlab
       def blob_request?
         current_request.path.include?('/raw/')
       end
+
+      def find_valid_running_job_by_token!(token)
+        ::Ci::AuthJobFinder.new(token: token).execute.tap do |job|
+          raise UnauthorizedError unless job
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/auth/two_factor_auth_verifier.rb b/lib/gitlab/auth/two_factor_auth_verifier.rb
new file mode 100644
index 00000000000..86552ef1267
--- /dev/null
+++ b/lib/gitlab/auth/two_factor_auth_verifier.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    class TwoFactorAuthVerifier
+      attr_reader :current_user
+
+      def initialize(current_user)
+        @current_user = current_user
+      end
+
+      def two_factor_authentication_required?
+        Gitlab::CurrentSettings.require_two_factor_authentication? ||
+          current_user&.require_two_factor_authentication_from_group?
+      end
+
+      def current_user_needs_to_setup_two_factor?
+        current_user && !current_user.temp_oauth_email? && !current_user.two_factor_enabled?
+      end
+
+      def two_factor_grace_period
+        periods = [Gitlab::CurrentSettings.two_factor_grace_period]
+        periods << current_user.two_factor_grace_period if current_user&.require_two_factor_authentication_from_group?
+        periods.min
+      end
+
+      def two_factor_grace_period_expired?
+        time = current_user&.otp_grace_period_started_at
+
+        return false unless time
+
+        two_factor_grace_period.hours.since(time) < Time.current
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index f3b53a2ba0b..b67b3a37440 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -98,6 +98,13 @@ module Gitlab
       Guest.can?(download_ability, container)
     end
 
+    def deploy_key_can_download_code?
+      authentication_abilities.include?(:download_code) &&
+        deploy_key? &&
+        deploy_key.has_access_to?(container) &&
+        (project? && project&.repository_access_level != ::Featurable::DISABLED)
+    end
+
     def user_can_download_code?
       authentication_abilities.include?(:download_code) &&
         user_access.can_do_action?(download_ability)
@@ -257,7 +264,7 @@ module Gitlab
     end
 
     def check_download_access!
-      passed = deploy_key? ||
+      passed = deploy_key_can_download_code? ||
         deploy_token? ||
         user_can_download_code? ||
         build_can_download_code? ||
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 1e1e0d856b7..2d625737e05 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -6,11 +6,6 @@ module Gitlab
       CONAN_RECIPE_FILES = %w[conanfile.py conanmanifest.txt conan_sources.tgz conan_export.tgz].freeze
       CONAN_PACKAGE_FILES = %w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
 
-      def conan_file_name_regex
-        @conan_file_name_regex ||=
-          %r{\A#{(CONAN_RECIPE_FILES + CONAN_PACKAGE_FILES).join("|")}\z}.freeze
-      end
-
       def conan_package_reference_regex
         @conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}.freeze
       end