author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-10 09:09:47 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-10 09:09:47 +0300 |
commit | 65952e598a194110f5894da1c42577b2b20c6336 (patch) | |
tree | 224311d216425668c8b653b82fe009f3d965e8b4 /spec/lib | |
parent | a8b811acdfb8200f30cdd70d290e87bb7ac46ab1 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/gitlab/auth/otp/session_enforcer_spec.rb | 41 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 102 |
2 files changed, 143 insertions, 0 deletions
diff --git a/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb b/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb
new file mode 100644
index 00000000000..928aade4008
--- /dev/null
+++ b/spec/lib/gitlab/auth/otp/session_enforcer_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Otp::SessionEnforcer, :clean_gitlab_redis_shared_state do
+ let_it_be(:key) { create(:key)}
+
+ describe '#update_session' do
+ it 'registers a session in Redis' do
+ redis = double(:redis)
+ expect(Gitlab::Redis::SharedState).to receive(:with).and_yield(redis)
+
+ expect(redis).to(
+ receive(:setex)
+ .with("#{described_class::OTP_SESSIONS_NAMESPACE}:#{key.id}",
+ described_class::DEFAULT_EXPIRATION,
+ true)
+ .once)
+
+ described_class.new(key).update_session
+ end
+ end
+
+ describe '#access_restricted?' do
+ subject { described_class.new(key).access_restricted? }
+
+ context 'with existing session' do
+ before do
+ Gitlab::Redis::SharedState.with do |redis|
+ redis.set("#{described_class::OTP_SESSIONS_NAMESPACE}:#{key.id}", true )
+ end
+ end
+
+ it { is_expected.to be_falsey }
+ end
+
+ context 'without an existing session' do
+ it { is_expected.to be_truthy }
+ end
+ end
+end
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index cd465a92fec..780f4329bcc 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
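Review bot: The `#access_restricted?` examples never establish that a session is scoped to the key it was registered for — the 'with existing session' context seeds `OTP_SESSIONS_NAMESPACE:#{key.id}` and only checks that `key` itself is unrestricted, so nothing here would fail if the lookup ignored the key id. Add a negative example in that same context, e.g. `it 'keeps other keys restricted' do` / `expect(described_class.new(create(:key)).access_restricted?).to be_truthy` / `end`. That context also seeds Redis with a plain `redis.set` and no TTL, so this file never exercises the expiry that the `#update_session` example asserts through `setex`; a round trip that calls `described_class.new(key).update_session` and then checks `redis.ttl(...)` is positive and at most `DEFAULT_EXPIRATION` would cover it. The space inside `true )` on the `redis.set` line is a minor style nit.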
@@ -387,6 +387,108 @@ RSpec.describe Gitlab::GitAccess do end end + describe '#check_otp_session!' do + let_it_be(:user) { create(:user, :two_factor_via_otp)} + let_it_be(:key) { create(:key, user: user) } + let_it_be(:actor) { key } + + before do + project.add_developer(user) + stub_feature_flags(two_factor_for_cli: true) + end + + context 'with an OTP session', :clean_gitlab_redis_shared_state do + before do + Gitlab::Redis::SharedState.with do |redis| + redis.set("#{Gitlab::Auth::Otp::SessionEnforcer::OTP_SESSIONS_NAMESPACE}:#{key.id}", true) + end + end + + it 'allows push and pull access' do + aggregate_failures do + expect { push_access_check }.not_to raise_error + expect { pull_access_check }.not_to raise_error + end + end + end + + context 'without OTP session' do + it 'does not allow push or pull access' do + user = 'jane.doe' + host = 'fridge.ssh' + port = 42 + + stub_config( + gitlab_shell: { + ssh_user: user, + ssh_host: host, + ssh_port: port + } + ) + + error_message = "OTP verification is required to access the repository.\n\n"\ + " Use: ssh #{user}@#{host} -p #{port} 2fa_verify" + + aggregate_failures do + expect { push_access_check }.to raise_forbidden(error_message) + expect { pull_access_check }.to raise_forbidden(error_message) + end + end + + context 'when protocol is HTTP' do + let(:protocol) { 'http' } + + it 'allows push and pull access' do + aggregate_failures do + expect { push_access_check }.not_to raise_error + expect { pull_access_check }.not_to raise_error + end + end + end + + context 'when actor is not an SSH key' do + let(:deploy_key) { create(:deploy_key, user: user) } + let(:actor) { deploy_key } + + before do + deploy_key.deploy_keys_projects.create(project: project, can_push: true) + end + + it 'allows push and pull access' do + aggregate_failures do + expect { push_access_check }.not_to raise_error + expect { pull_access_check }.not_to raise_error + end + end + end + + context 'when 2FA is not enabled for the user' do + 
let(:user) { create(:user)} + let(:actor) { create(:key, user: user) } + + it 'allows push and pull access' do + aggregate_failures do + expect { push_access_check }.not_to raise_error + expect { pull_access_check }.not_to raise_error + end + end + end + + context 'when feature flag is disabled' do + before do + stub_feature_flags(two_factor_for_cli: false) + end + + it 'allows push and pull access' do + aggregate_failures do + expect { push_access_check }.not_to raise_error + expect { pull_access_check }.not_to raise_error + end + end + end + end + end + describe '#check_db_accessibility!' do context 'when in a read-only GitLab instance' do before do |
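Review bot: Nothing in `#check_otp_session!` pins that an OTP session opened with one SSH key does not unlock another, which is the property that justifies the per-key Redis entry (`OTP_SESSIONS_NAMESPACE:#{key.id}`): 'with an OTP session' seeds the entry for the very key under test and 'without OTP session' leaves Redis empty. A context nested under 'without OTP session' that seeds the session for a second key of the same user and still expects the forbidden error would close that gap; the sketch below matches the error loosely because `error_message` is local to the existing example, so substitute the full string if `raise_forbidden` only accepts one. The 'when actor is not an SSH key' context covers only a deploy key, so the bypass for other non-key actors (if any exist) is not characterised here — worth either a second example or a comment saying deploy keys are the only intended exception.

```ruby
context 'when the OTP session belongs to another key of the same user', :clean_gitlab_redis_shared_state do
  let_it_be(:other_key) { create(:key, user: user) }

  before do
    Gitlab::Redis::SharedState.with do |redis|
      redis.set("#{Gitlab::Auth::Otp::SessionEnforcer::OTP_SESSIONS_NAMESPACE}:#{other_key.id}", true)
    end
  end

  it 'does not allow push or pull access' do
    aggregate_failures do
      expect { push_access_check }.to raise_forbidden(/OTP verification is required/)
      expect { pull_access_check }.to raise_forbidden(/OTP verification is required/)
    end
  end
end
```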