author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 15:34:09 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-06-03 15:34:09 +0300 |
commit | 3dcf3cfde35d1506c7196634080849d002251a41 (patch) | |
tree | 2af98684876c2d91811fd0069de0691060d4270c /spec/controllers | |
parent | 38e4977dc7931aea13f496cafd3ed7d15d5ec93e (diff) | |
parent | fab6a50f17d15d21a157d4d561f41527fa943f27 (diff) |
Merge branch 'security-jej/prevent-web-sign-in-bypass' into 'master'
Prevent password sign in restriction bypass
See merge request gitlab/gitlabhq!2702
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/sessions_controller_spec.rb | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 6bcff7f975c..9c4ddce5409 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -58,7 +58,26 @@ describe SessionsController do
 it 'authenticates user correctly' do
 post(:create, params: { user: user_params })
 
- expect(subject.current_user). to eq user
+ expect(subject.current_user).to eq user
+ end
+
+ context 'with password authentication disabled' do
+ before do
+ stub_application_setting(password_authentication_enabled_for_web: false)
+ end
+
+ it 'does not sign in the user' do
+ post(:create, params: { user: user_params })
+
+ expect(@request.env['warden']).not_to be_authenticated
+ expect(subject.current_user).to be_nil
+ end
+
+ it 'returns status 403' do
+ post(:create, params: { user: user_params })
+
+ expect(response.status).to eq 403
+ end
 end
 
 it 'creates an audit log record' do
@@ -153,6 +172,19 @@ describe SessionsController do
 end
 end
 
+ context 'with password authentication disabled' do
+ before do
+ stub_application_setting(password_authentication_enabled_for_web: false)
+ end
+
+ it 'allows 2FA stage of non-password login' do
+ authenticate_2fa(otp_attempt: user.current_otp)
+
+ expect(@request.env['warden']).to be_authenticated
+ expect(subject.current_user).to eq user
+ end
+ end
+
 ##
 # See #14900 issue
 # |
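Review bot: Both examples in the new `'with password authentication disabled'` context post only the valid `user_params`, so the spec does not pin whether the 403 is produced before or after the submitted password is verified; if the restriction were checked only after a successful credential match, a wrong password would take a different path and the disabled web sign-in would still act as a credential-validity oracle. Assuming `user_params` is a plain hash, I would add a third example alongside the two: `it 'returns 403 regardless of credentials' do`, `post(:create, params: { user: user_params.merge(password: 'wrong') })`, `expect(response.status).to eq 403` — with a matching `not_to be_authenticated` assertion. The two added examples also repeat the same `post(:create, params: { user: user_params })`; a `before { post(:create, params: { user: user_params }) }` inside the context would leave each example as a single assertion. The example group that encloses these examples opens before this hunk.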
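Review bot: The second hunk only proves the positive case — that the OTP step with `user.current_otp` still signs the user in when `password_authentication_enabled_for_web` is false — and has no companion example showing the OTP step cannot itself be used to bypass the restriction, i.e. that a request carrying `otp_attempt` without whatever first-factor session state `authenticate_2fa` sets up (that helper is defined outside this hunk, so I am inferring its role from the name) does not authenticate. I would add, in the same context, an example that posts `:create` with `{ user: { otp_attempt: user.current_otp } }` but without calling `authenticate_2fa`, asserting `expect(@request.env['warden']).not_to be_authenticated` and `expect(subject.current_user).to be_nil`. The example's name, `'allows 2FA stage of non-password login'`, also describes a login that is non-password, but nothing in the example establishes how the first factor was satisfied; a one-line comment such as `# the first factor is already satisfied via the session set up by authenticate_2fa; only the OTP stage is exercised here` would make the intent explicit. The enclosing `describe` and the group this context sits in both start outside the hunk.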