authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:14:30 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:14:30 +0300
commit4d243f5ca3709f28f9de96937e3c2ac736deb4bd (patch)
tree1497701e95f387e46db5311ca12be41c00fed836 /spec
parent516fba52cf280b9d5bad08dce9f0150f859b6cea (diff)
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/admin/users_controller_spec.rb37
-rw-r--r--spec/controllers/profiles/emails_controller_spec.rb31
-rw-r--r--spec/controllers/projects/raw_controller_spec.rb5
-rw-r--r--spec/controllers/registrations_controller_spec.rb18
-rw-r--r--spec/factories/projects.rb7
-rw-r--r--spec/requests/api/files_spec.rb15
-rw-r--r--spec/requests/projects/metrics_dashboard_spec.rb4
-rw-r--r--spec/support/shared_examples/cached_response_shared_examples.rb12
8 files changed, 117 insertions, 12 deletions
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index e4cdcda756b..6301da74f4a 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -36,7 +36,7 @@ RSpec.describe Admin::UsersController do
end
end
- describe 'DELETE #user with projects', :sidekiq_might_not_need_inline do
+ describe 'DELETE #destroy', :sidekiq_might_not_need_inline do
let(:project) { create(:project, namespace: user.namespace) }
let!(:issue) { create(:issue, author: user) }
@@ -59,6 +59,41 @@ RSpec.describe Admin::UsersController do
expect(User.exists?(user.id)).to be_falsy
expect(Issue.exists?(issue.id)).to be_falsy
end
+
+ context 'prerequisites for account deletion' do
+ context 'solo-owned groups' do
+ let(:group) { create(:group) }
+
+ context 'if the user is the sole owner of at least one group' do
+ before do
+ create(:group_member, :owner, group: group, user: user)
+ end
+
+ context 'soft-delete' do
+ it 'fails' do
+ delete :destroy, params: { id: user.username }
+
+ message = s_('AdminUsers|You must transfer ownership or delete the groups owned by this user before you can delete their account')
+
+ expect(flash[:alert]).to eq(message)
+ expect(response).to have_gitlab_http_status(:see_other)
+ expect(response).to redirect_to admin_user_path(user)
+ expect(User.exists?(user.id)).to be_truthy
+ end
+ end
+
+ context 'hard-delete' do
+ it 'succeeds' do
+ delete :destroy, params: { id: user.username, hard_delete: true }
+
+ expect(response).to redirect_to(admin_users_path)
+ expect(flash[:notice]).to eq(_('The user is being deleted.'))
+ expect(User.exists?(user.id)).to be_falsy
+ end
+ end
+ end
+ end
+ end
end
describe 'PUT #activate' do
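Review bot: The hard-delete example at the end of the new context asserts only that the user row is gone, yet the whole context exists because of a solo-owned group, so it should also pin the group's fate — e.g. `expect(Group.exists?(group.id)).to be_falsy` if hard deletion is meant to take solo-owned groups with it (confirm against the destroy service), otherwise a regression that orphans the group goes unnoticed. The soft-delete example could likewise add `expect(Group.exists?(group.id)).to be_truthy` so it proves the prerequisite check actually protected the group rather than just producing the flash message. The enclosing `describe 'DELETE #destroy'` block and the `user` definition start outside this hunk.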
diff --git a/spec/controllers/profiles/emails_controller_spec.rb b/spec/controllers/profiles/emails_controller_spec.rb
index 08552cc28fa..950120ae564 100644
--- a/spec/controllers/profiles/emails_controller_spec.rb
+++ b/spec/controllers/profiles/emails_controller_spec.rb
@@ -15,6 +15,29 @@ RSpec.describe Profiles::EmailsController do
end
end
+ shared_examples_for 'respects the rate limit' do
+ context 'after the rate limit is exceeded' do
+ before do
+ allowed_threshold = Gitlab::ApplicationRateLimiter.rate_limits[action][:threshold]
+
+ allow(Gitlab::ApplicationRateLimiter)
+ .to receive(:increment)
+ .and_return(allowed_threshold + 1)
+ end
+
+ it 'does not send any email' do
+ expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
+ end
+
+ it 'displays an alert' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:redirect)
+ expect(flash[:alert]).to eq(_('This action has been performed too many times. Try again later.'))
+ end
+ end
+ end
+
describe '#create' do
let(:email) { 'add_email@example.com' }
let(:params) { { email: { email: email } } }
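Review bot: The stub `allow(Gitlab::ApplicationRateLimiter).to receive(:increment).and_return(allowed_threshold + 1)` matches any arguments, so `action` is only used to look up the threshold and the examples never verify that the controller throttles on that key — a controller calling the limiter with a different key, or a different scope, would pass unchanged. Constraining the stub to the expected key, for example `.with(action, anything)` if `increment` takes the key as its first argument (confirm its signature), would tie the shared example to the key each `it_behaves_like` names in the two later hunks of this file (`#create` and `#resend_confirmation_instructions`). The shared example otherwise reads well; the enclosing `describe` starts outside this hunk.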
@@ -32,6 +55,10 @@ RSpec.describe Profiles::EmailsController do
expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
end
end
+
+ it_behaves_like 'respects the rate limit' do
+ let(:action) { :profile_add_new_email }
+ end
end
describe '#resend_confirmation_instructions' do
@@ -54,5 +81,9 @@ RSpec.describe Profiles::EmailsController do
expect { subject }.not_to change { ActionMailer::Base.deliveries.size }
end
end
+
+ it_behaves_like 'respects the rate limit' do
+ let(:action) { :profile_resend_email_confirmation }
+ end
end
end
diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index 5f10343eb76..b3921164c81 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -33,6 +33,11 @@ RSpec.describe Projects::RawController do
it_behaves_like 'project cache control headers'
it_behaves_like 'content disposition headers'
+ it_behaves_like 'uncached response' do
+ before do
+ subject
+ end
+ end
end
context 'image header' do
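Review bot: The `'uncached response'` shared example included here (and by the `spec/requests/api/files_spec.rb` hunk below) is not defined anywhere in this diff — the new `cached_response_shared_examples.rb` defines only `'cached response'` — so it presumably already exists under spec/support; worth confirming, since a missing shared example only surfaces when the including file is loaded. The `before { subject }` is needed because the shared example inspects `response`, which is not obvious from the call site; a comment on the `it_behaves_like` line such as `# issue the request first so the shared example can inspect the response headers` would make that dependency explicit. The enclosing context starts outside this hunk.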
diff --git a/spec/controllers/registrations_controller_spec.rb b/spec/controllers/registrations_controller_spec.rb
index f80e18df22e..60957dc72e6 100644
--- a/spec/controllers/registrations_controller_spec.rb
+++ b/spec/controllers/registrations_controller_spec.rb
@@ -459,6 +459,24 @@ RSpec.describe RegistrationsController do
expect_success
end
end
+
+ context 'prerequisites for account deletion' do
+ context 'solo-owned groups' do
+ let(:group) { create(:group) }
+
+ context 'if the user is the sole owner of at least one group' do
+ before do
+ create(:group_member, :owner, group: group, user: user)
+ end
+
+ it 'fails' do
+ delete :destroy, params: { password: '12345678' }
+
+ expect_failure(s_('Profiles|You must transfer ownership or delete groups you are an owner of before you can delete your account'))
+ end
+ end
+ end
+ end
end
describe '#welcome' do
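Review bot: The `it 'fails'` example checks only the failure message via `expect_failure` and, unlike the parallel admin spec in this commit, never verifies that the account survived; add `expect(User.exists?(user.id)).to be_truthy` after the `expect_failure` call so a service that reports the error but still destroys the user is caught. `expect_failure` and `user` are defined outside this hunk, so whether the helper already asserts persistence cannot be seen here; the same addition to the admin spec's soft-delete example is already present there. The enclosing context starts outside the hunk.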
diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb
index e3411e4f925..147413557d6 100644
--- a/spec/factories/projects.rb
+++ b/spec/factories/projects.rb
@@ -29,6 +29,7 @@ FactoryBot.define do
pages_access_level do
visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE
end
+ metrics_dashboard_access_level { ProjectFeature::PRIVATE }
# we can't assign the delegated `#ci_cd_settings` attributes directly, as the
# `#ci_cd_settings` relation needs to be created first
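Review bot: The new `metrics_dashboard_access_level { ProjectFeature::PRIVATE }` is a fixed default, whereas the neighbouring `pages_access_level` derives from `visibility_level`, and nothing says why the two differ or that specs needing a visible dashboard must opt in via the `:metrics_dashboard_enabled` trait added later in this file. A one-line comment above it, `# metrics dashboards default to private; use :metrics_dashboard_enabled to expose them`, would save the next author from wondering why a public project still hides its dashboard (I assume this matches the model's own default — confirm). The `FactoryBot.define` block starts outside this hunk.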
@@ -53,7 +54,8 @@ FactoryBot.define do
forking_access_level: evaluator.forking_access_level,
merge_requests_access_level: merge_requests_access_level,
repository_access_level: evaluator.repository_access_level,
- pages_access_level: evaluator.pages_access_level
+ pages_access_level: evaluator.pages_access_level,
+ metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level
}
project.build_project_feature(hash)
@@ -309,6 +311,9 @@ FactoryBot.define do
trait(:pages_enabled) { pages_access_level { ProjectFeature::ENABLED } }
trait(:pages_disabled) { pages_access_level { ProjectFeature::DISABLED } }
trait(:pages_private) { pages_access_level { ProjectFeature::PRIVATE } }
+ trait(:metrics_dashboard_enabled) { metrics_dashboard_access_level { ProjectFeature::ENABLED } }
+ trait(:metrics_dashboard_disabled) { metrics_dashboard_access_level { ProjectFeature::DISABLED } }
+ trait(:metrics_dashboard_private) { metrics_dashboard_access_level { ProjectFeature::PRIVATE } }
trait :auto_devops do
association :auto_devops, factory: :project_auto_devops
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index d7571ad4bff..bb4e88f97f8 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -532,16 +532,13 @@ RSpec.describe API::Files do
expect(response).to have_gitlab_http_status(:ok)
end
- it 'sets no-cache headers' do
- url = route('.gitignore') + "/raw"
- expect(Gitlab::Workhorse).to receive(:send_git_blob)
-
- get api(url, current_user), params: params
+ it_behaves_like 'uncached response' do
+ before do
+ url = route('.gitignore') + "/raw"
+ expect(Gitlab::Workhorse).to receive(:send_git_blob)
- expect(response.headers["Cache-Control"]).to include("no-store")
- expect(response.headers["Cache-Control"]).to include("no-cache")
- expect(response.headers["Pragma"]).to eq("no-cache")
- expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+ get api(url, current_user), params: params
+ end
end
context 'when mandatory params are not given' do
diff --git a/spec/requests/projects/metrics_dashboard_spec.rb b/spec/requests/projects/metrics_dashboard_spec.rb
index f0e0e6a02ee..0a4100f2bf5 100644
--- a/spec/requests/projects/metrics_dashboard_spec.rb
+++ b/spec/requests/projects/metrics_dashboard_spec.rb
@@ -39,7 +39,9 @@ RSpec.describe 'Projects::MetricsDashboardController' do
context 'with anonymous user and public dashboard visibility' do
let(:anonymous_user) { create(:user) }
- let(:project) { create(:project, :public) }
+ let(:project) do
+ create(:project, :public, :metrics_dashboard_enabled)
+ end
before do
project.update!(metrics_dashboard_access_level: 'enabled')
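Review bot: With the project now created through the `:metrics_dashboard_enabled` trait, the `project.update!(metrics_dashboard_access_level: 'enabled')` in the `before` block on the last line sets the same attribute a second time, so a reader cannot tell which of the two the example relies on. Drop the `update!` and keep the trait, unless the update is deliberately exercising the setter path, in which case a comment saying so belongs next to it. The `before` block continues outside this hunk.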
diff --git a/spec/support/shared_examples/cached_response_shared_examples.rb b/spec/support/shared_examples/cached_response_shared_examples.rb
new file mode 100644
index 00000000000..34e5f741b4e
--- /dev/null
+++ b/spec/support/shared_examples/cached_response_shared_examples.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+#
+# Negates lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'cached response' do
+ it 'defines a cached header response' do
+ expect(response.headers["Cache-Control"]).not_to include("no-store", "no-cache")
+ expect(response.headers["Pragma"]).not_to eq("no-cache")
+ expect(response.headers["Expires"]).not_to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+ end
+end
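Review bot: The example only proves the response is not explicitly marked uncacheable: a response carrying an unrelated `Cache-Control` value passes, while one with no `Cache-Control` header at all fails because the `include` matcher rejects `nil`, so a caller that wants to assert a cacheable endpoint gets little assurance either way. The header comment `# Negates lib/gitlab/no_cache_headers.rb` should state that contract for users, e.g. `# Asserts the response does NOT carry the no-cache headers set by lib/gitlab/no_cache_headers.rb; it does not prove the response is cacheable.` Where caching is intended, a positive directive such as `expect(response.headers["Cache-Control"]).to include("max-age")` would pin that case.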