Instruct user to use a personal access token for Git over HTTP

If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.

2 files changed, 57 insertions, 7 deletions

diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index f018b48ceb2..ae2ec39f402 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -418,17 +418,17 @@ describe 'Git HTTP requests', lib: true do
                 end
 
                 context 'when username and password are provided' do
-                  it 'rejects pulls with 2FA error message' do
+                  it 'rejects pulls with personal access token error message' do
                     download(path, user: user.username, password: user.password) do |response|
                       expect(response).to have_http_status(:unauthorized)
-                      expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+                      expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
                     end
                   end
 
-                  it 'rejects the push attempt' do
+                  it 'rejects the push attempt with personal access token error message' do
                     upload(path, user: user.username, password: user.password) do |response|
                       expect(response).to have_http_status(:unauthorized)
-                      expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+                      expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
                     end
                   end
                 end
@@ -441,6 +441,41 @@ describe 'Git HTTP requests', lib: true do
                 end
               end
 
+              context 'when internal auth is disabled' do
+                before do
+                  allow_any_instance_of(ApplicationSetting).to receive(:signin_enabled?) { false }
+                end
+
+                it 'rejects pulls with personal access token error message' do
+                  download(path, user: 'foo', password: 'bar') do |response|
+                    expect(response).to have_http_status(:unauthorized)
+                    expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
+                  end
+                end
+
+                it 'rejects pushes with personal access token error message' do
+                  upload(path, user: 'foo', password: 'bar') do |response|
+                    expect(response).to have_http_status(:unauthorized)
+                    expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
+                  end
+                end
+
+                context 'when LDAP is configured' do
+                  before do
+                    allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
+                    allow_any_instance_of(Gitlab::LDAP::Authentication).
+                      to receive(:login).and_return(nil)
+                  end
+
+                  it 'does not display the personal access token error message' do
+                    upload(path, user: 'foo', password: 'bar') do |response|
+                      expect(response).to have_http_status(:unauthorized)
+                      expect(response.body).not_to include('You must use a personal access token with \'api\' scope for Git over HTTP')
+                    end
+                  end
+                end
+              end
+
               context "when blank password attempts follow a valid login" do
                 def attempt_login(include_password)
                   password = include_password ? user.password : ""
diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb
index e056353fa6f..54d7cf5f10d 100644
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -70,7 +70,7 @@ describe JwtController do
         context 'without personal token' do
           it 'rejects the authorization attempt' do
             expect(response).to have_http_status(401)
-            expect(response.body).to include('You have 2FA enabled, please use a personal access token for Git over HTTP')
+            expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
           end
         end
 
@@ -88,9 +88,24 @@ describe JwtController do
     context 'using invalid login' do
       let(:headers) { { authorization: credentials('invalid', 'password') } }
 
-      subject! { get '/jwt/auth', parameters, headers }
+      context 'when internal auth is enabled' do
+        it 'rejects the authorization attempt' do
+          get '/jwt/auth', parameters, headers
+
+          expect(response).to have_http_status(401)
+          expect(response.body).not_to include('You must use a personal access token with \'api\' scope for Git over HTTP')
+        end
+      end
 
-      it { expect(response).to have_http_status(401) }
+      context 'when internal auth is disabled' do
+        it 'rejects the authorization attempt with personal access token message' do
+          allow_any_instance_of(ApplicationSetting).to receive(:signin_enabled?) { false }
+          get '/jwt/auth', parameters, headers
+
+          expect(response).to have_http_status(401)
+          expect(response.body).to include('You must use a personal access token with \'api\' scope for Git over HTTP')
+        end
+      end
     end
   end