Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

7 files changed, 121 insertions, 71 deletions

diff --git a/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb b/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
index f906870195a..876c23a91bd 100644
--- a/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
+++ b/spec/lib/gitlab/auth/two_factor_auth_verifier_spec.rb
@@ -3,33 +3,50 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do
-  let(:user) { create(:user) }
+  using RSpec::Parameterized::TableSyntax
 
-  subject { described_class.new(user) }
+  subject(:verifier) { described_class.new(user) }
 
-  describe '#two_factor_authentication_required?' do
-    describe 'when it is required on application level' do
-      it 'returns true' do
-        stub_application_setting require_two_factor_authentication: true
+  let(:user) { build_stubbed(:user, otp_grace_period_started_at: Time.zone.now) }
 
-        expect(subject.two_factor_authentication_required?).to be_truthy
-      end
-    end
+  describe '#two_factor_authentication_enforced?' do
+    subject { verifier.two_factor_authentication_enforced? }
 
-    describe 'when it is required on group level' do
-      it 'returns true' do
-        allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(true)
+    where(:instance_level_enabled, :group_level_enabled, :grace_period_expired, :should_be_enforced) do
+      false | false | true  | false
+      true  | false | false | false
+      true  | false | true  | true
+      false | true  | false | false
+      false | true  | true  | true
+    end
 
-        expect(subject.two_factor_authentication_required?).to be_truthy
+    with_them do
+      before do
+        stub_application_setting(require_two_factor_authentication: instance_level_enabled)
+        allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled)
+        stub_application_setting(two_factor_grace_period: grace_period_expired ? 0 : 1.month.in_hours)
       end
+
+      it { is_expected.to eq(should_be_enforced) }
     end
+  end
 
-    describe 'when it is not required' do
-      it 'returns false when not required on group level' do
-        allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(false)
+  describe '#two_factor_authentication_required?' do
+    subject { verifier.two_factor_authentication_required? }
+
+    where(:instance_level_enabled, :group_level_enabled, :should_be_required) do
+      true  | false | true
+      false | true  | true
+      false | false | false
+    end
 
-        expect(subject.two_factor_authentication_required?).to be_falsey
+    with_them do
+      before do
+        stub_application_setting(require_two_factor_authentication: instance_level_enabled)
+        allow(user).to receive(:require_two_factor_authentication_from_group?).and_return(group_level_enabled)
       end
+
+      it { is_expected.to eq(should_be_required) }
     end
   end
 
@@ -85,25 +102,21 @@ RSpec.describe Gitlab::Auth::TwoFactorAuthVerifier do
   end
 
   describe '#two_factor_grace_period_expired?' do
-    before do
-      allow(user).to receive(:otp_grace_period_started_at).and_return(4.hours.ago)
-    end
-
     it 'returns true if the grace period has expired' do
-      allow(subject).to receive(:two_factor_grace_period).and_return(2)
+      stub_application_setting two_factor_grace_period: 0
 
       expect(subject.two_factor_grace_period_expired?).to be_truthy
     end
 
     it 'returns false if the grace period has not expired' do
-      allow(subject).to receive(:two_factor_grace_period).and_return(6)
+      stub_application_setting two_factor_grace_period: 1.month.in_hours
 
       expect(subject.two_factor_grace_period_expired?).to be_falsey
     end
 
     context 'when otp_grace_period_started_at is nil' do
       it 'returns false' do
-        allow(user).to receive(:otp_grace_period_started_at).and_return(nil)
+        user.otp_grace_period_started_at = nil
 
         expect(subject.two_factor_grace_period_expired?).to be_falsey
       end
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index cc592bb8f24..5ec6e23774a 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -386,7 +386,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
         shared_examples 'with an invalid access token' do
           it 'fails for a non-member' do
             expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
-              .to have_attributes(auth_failure )
+              .to have_attributes(auth_failure)
           end
 
           context 'when project bot user is blocked' do
@@ -396,7 +396,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
             it 'fails for a blocked project bot' do
               expect(gl_auth.find_for_git_client(project_bot_user.username, access_token.token, project: project, ip: 'ip'))
-                .to have_attributes(auth_failure )
+                .to have_attributes(auth_failure)
             end
           end
         end
@@ -466,6 +466,41 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
           .to have_attributes(auth_failure)
       end
 
+      context 'when 2fa is enabled globally' do
+        let_it_be(:user) do
+          create(:user, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago)
+        end
+
+        before do
+          stub_application_setting(require_two_factor_authentication: true)
+        end
+
+        it 'fails if grace period expired' do
+          stub_application_setting(two_factor_grace_period: 0)
+
+          expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+            .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
+        end
+
+        it 'goes through if grace period is not expired yet' do
+          stub_application_setting(two_factor_grace_period: 72)
+
+          expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
+            .to have_attributes(actor: user, project: nil, type: :gitlab_or_ldap, authentication_abilities: described_class.full_authentication_abilities)
+        end
+      end
+
+      context 'when 2fa is enabled personally' do
+        let(:user) do
+          create(:user, :two_factor, username: 'normal_user', password: 'my-secret', otp_grace_period_started_at: 1.day.ago)
+        end
+
+        it 'fails' do
+          expect { gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip') }
+            .to raise_error(Gitlab::Auth::MissingPersonalAccessTokenError)
+        end
+      end
+
       it 'goes through lfs authentication' do
         user = create(
           :user,
@@ -757,16 +792,16 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
   describe 'find_with_user_password' do
     let!(:user) do
       create(:user,
-        username: username,
-        password: password,
-        password_confirmation: password)
+             username: username,
+             password: password,
+             password_confirmation: password)
     end
 
     let(:username) { 'John' } # username isn't lowercase, test this
     let(:password) { 'my-secret' }
 
     it "finds user by valid login/password" do
-      expect( gl_auth.find_with_user_password(username, password) ).to eql user
+      expect(gl_auth.find_with_user_password(username, password)).to eql user
     end
 
     it 'finds user by valid email/password with case-insensitive email' do
@@ -779,12 +814,12 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
 
     it "does not find user with invalid password" do
       password = 'wrong'
-      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+      expect(gl_auth.find_with_user_password(username, password)).not_to eql user
     end
 
     it "does not find user with invalid login" do
       user = 'wrong'
-      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+      expect(gl_auth.find_with_user_password(username, password)).not_to eql user
     end
 
     include_examples 'user login operation with unique ip limit' do
@@ -796,13 +831,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
     it 'finds the user in deactivated state' do
       user.deactivate!
 
-      expect( gl_auth.find_with_user_password(username, password) ).to eql user
+      expect(gl_auth.find_with_user_password(username, password)).to eql user
     end
 
     it "does not find user in blocked state" do
       user.block
 
-      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+      expect(gl_auth.find_with_user_password(username, password)).not_to eql user
     end
 
     it 'does not find user in locked state' do
@@ -814,13 +849,13 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
     it "does not find user in ldap_blocked state" do
       user.ldap_block
 
-      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+      expect(gl_auth.find_with_user_password(username, password)).not_to eql user
     end
 
     it 'does not find user in blocked_pending_approval state' do
       user.block_pending_approval
 
-      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+      expect(gl_auth.find_with_user_password(username, password)).not_to eql user
     end
 
     context 'with increment_failed_attempts' do
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index bf682e4e4c6..bf2e3c7f5f8 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -435,17 +435,19 @@ RSpec.describe Gitlab::GitAccess do
 
     it 'disallows users with expired password to pull' do
       project.add_maintainer(user)
-      user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
+      user.update!(password_expires_at: 2.minutes.ago)
 
       expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
     end
 
-    it 'allows ldap users with expired password to pull' do
-      project.add_maintainer(user)
-      user.update!(password_expires_at: 2.minutes.ago)
-      allow(user).to receive(:ldap_user?).and_return(true)
+    context 'with an ldap user' do
+      let(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
 
-      expect { pull_access_check }.not_to raise_error
+      it 'allows ldap users with expired password to pull' do
+        project.add_maintainer(user)
+
+        expect { pull_access_check }.not_to raise_error
+      end
     end
 
     context 'when the project repository does not exist' do
@@ -987,24 +989,23 @@ RSpec.describe Gitlab::GitAccess do
       end
 
       it 'disallows users with expired password to push' do
-        user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
+        user.update!(password_expires_at: 2.minutes.ago)
 
         expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
       end
 
-      it 'allows ldap users with expired password to push' do
-        user.update!(password_expires_at: 2.minutes.ago)
-        allow(user).to receive(:ldap_user?).and_return(true)
+      context 'with an ldap user' do
+        let(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
 
-        expect { push_access_check }.not_to raise_error
-      end
+        it 'allows ldap users with expired password to push' do
+          expect { push_access_check }.not_to raise_error
+        end
 
-      it 'disallows blocked ldap users with expired password to push' do
-        user.block
-        user.update!(password_expires_at: 2.minutes.ago)
-        allow(user).to receive(:ldap_user?).and_return(true)
+        it 'disallows blocked ldap users with expired password to push' do
+          user.block
 
-        expect { push_access_check }.to raise_forbidden("Your account has been blocked.")
+          expect { push_access_check }.to raise_forbidden("Your account has been blocked.")
+        end
       end
 
       it 'cleans up the files' do
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index 82f465c4f9e..518a9337826 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -445,8 +445,8 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
             expect(@project.merge_requests.size).to eq(9)
           end
 
-          it 'only restores valid triggers' do
-            expect(@project.triggers.size).to eq(1)
+          it 'does not restore triggers' do
+            expect(@project.triggers.size).to eq(0)
           end
 
           it 'has the correct number of pipelines and statuses' do
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index a9efa32f986..287be24d11f 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -401,15 +401,6 @@ Ci::Variable:
 - encrypted_value
 - encrypted_value_salt
 - encrypted_value_iv
-Ci::Trigger:
-- id
-- token
-- project_id
-- created_at
-- updated_at
-- owner_id
-- description
-- ref
 Ci::PipelineSchedule:
 - id
 - description
@@ -556,7 +547,6 @@ Project:
 - disable_overriding_approvers_per_merge_request
 - merge_requests_ff_only_enabled
 - issues_template
-- repository_size_limit
 - sync_time
 - service_desk_enabled
 - last_repository_updated_at
diff --git a/spec/lib/gitlab/legacy_github_import/client_spec.rb b/spec/lib/gitlab/legacy_github_import/client_spec.rb
index 0929b90d1f4..83ba5858d81 100644
--- a/spec/lib/gitlab/legacy_github_import/client_spec.rb
+++ b/spec/lib/gitlab/legacy_github_import/client_spec.rb
@@ -86,6 +86,15 @@ RSpec.describe Gitlab::LegacyGithubImport::Client do
       it 'builds a endpoint with the given options' do
         expect(client.api.api_endpoint).to eq 'https://try.gitea.io/api/v3/'
       end
+
+      context 'and hostname' do
+        subject(:client) { described_class.new(token, host: 'https://167.99.148.217/', api_version: 'v1', hostname: 'try.gitea.io') }
+
+        it 'builds a endpoint with the given options' do
+          expect(client.api.connection_options.dig(:headers, :host)).to eq 'try.gitea.io'
+          expect(client.api.api_endpoint).to eq 'https://167.99.148.217/api/v1/'
+        end
+      end
     end
   end
 
diff --git a/spec/lib/gitlab/lfs_token_spec.rb b/spec/lib/gitlab/lfs_token_spec.rb
index a8472062f03..3bc0bd385a7 100644
--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
         end
 
         context 'when the user password is expired' do
-          let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
+          let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
 
           it 'returns false' do
             expect(lfs_token.token_valid?(lfs_token.token)).to be false
@@ -135,12 +135,12 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
       end
 
       context 'when the actor is an ldap user' do
-        before do
-          allow(actor).to receive(:ldap_user?).and_return(true)
-        end
+        let(:actor) { create(:omniauth_user, provider: 'ldap') }
 
         context 'when the user is blocked' do
-          let(:actor) { create(:user, :blocked) }
+          before do
+            actor.block!
+          end
 
           it 'returns false' do
             expect(lfs_token.token_valid?(lfs_token.token)).to be false
@@ -148,7 +148,9 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
         end
 
         context 'when the user password is expired' do
-          let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+          before do
+            actor.update!(password_expires_at: 1.minute.ago)
+          end
 
           it 'returns true' do
             expect(lfs_token.token_valid?(lfs_token.token)).to be true