Add latest changes from gitlab-org/gitlab@master

2 files changed, 143 insertions, 0 deletions

diff --git a/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb b/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb
new file mode 100644
index 00000000000..928aade4008
--- /dev/null
+++ b/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Otp::SessionEnforcer, :clean_gitlab_redis_shared_state do
+  let_it_be(:key) { create(:key)}
+
+  describe '#update_session' do
+    it 'registers a session in Redis' do
+      redis = double(:redis)
+      expect(Gitlab::Redis::SharedState).to receive(:with).and_yield(redis)
+
+      expect(redis).to(
+        receive(:setex)
+          .with("#{described_class::OTP_SESSIONS_NAMESPACE}:#{key.id}",
+                described_class::DEFAULT_EXPIRATION,
+                true)
+          .once)
+
+      described_class.new(key).update_session
+    end
+  end
+
+  describe '#access_restricted?' do
+    subject { described_class.new(key).access_restricted? }
+
+    context 'with existing session' do
+      before do
+        Gitlab::Redis::SharedState.with do |redis|
+          redis.set("#{described_class::OTP_SESSIONS_NAMESPACE}:#{key.id}", true )
+        end
+      end
+
+      it { is_expected.to be_falsey }
+    end
+
+    context 'without an existing session' do
+      it { is_expected.to be_truthy }
+    end
+  end
+end
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index cd465a92fec..780f4329bcc 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -387,6 +387,108 @@ RSpec.describe Gitlab::GitAccess do
     end
   end
 
+  describe '#check_otp_session!' do
+    let_it_be(:user) { create(:user, :two_factor_via_otp)}
+    let_it_be(:key) { create(:key, user: user) }
+    let_it_be(:actor) { key }
+
+    before do
+      project.add_developer(user)
+      stub_feature_flags(two_factor_for_cli: true)
+    end
+
+    context 'with an OTP session', :clean_gitlab_redis_shared_state do
+      before do
+        Gitlab::Redis::SharedState.with do |redis|
+          redis.set("#{Gitlab::Auth::Otp::SessionEnforcer::OTP_SESSIONS_NAMESPACE}:#{key.id}", true)
+        end
+      end
+
+      it 'allows push and pull access' do
+        aggregate_failures do
+          expect { push_access_check }.not_to raise_error
+          expect { pull_access_check }.not_to raise_error
+        end
+      end
+    end
+
+    context 'without OTP session' do
+      it 'does not allow push or pull access' do
+        user = 'jane.doe'
+        host = 'fridge.ssh'
+        port = 42
+
+        stub_config(
+          gitlab_shell: {
+            ssh_user: user,
+            ssh_host: host,
+            ssh_port: port
+          }
+        )
+
+        error_message = "OTP verification is required to access the repository.\n\n"\
+                        "   Use: ssh #{user}@#{host} -p #{port} 2fa_verify"
+
+        aggregate_failures do
+          expect { push_access_check }.to raise_forbidden(error_message)
+          expect { pull_access_check }.to raise_forbidden(error_message)
+        end
+      end
+
+      context 'when protocol is HTTP' do
+        let(:protocol) { 'http' }
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when actor is not an SSH key' do
+        let(:deploy_key) { create(:deploy_key, user: user) }
+        let(:actor) { deploy_key }
+
+        before do
+          deploy_key.deploy_keys_projects.create(project: project, can_push: true)
+        end
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when 2FA is not enabled for the user' do
+        let(:user) { create(:user)}
+        let(:actor) { create(:key, user: user) }
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when feature flag is disabled' do
+        before do
+          stub_feature_flags(two_factor_for_cli: false)
+        end
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+    end
+  end
+
   describe '#check_db_accessibility!' do
     context 'when in a read-only GitLab instance' do
       before do