1 files changed, 43 insertions, 19 deletions

diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 279c65fc2f4..c379fd9e73b 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -36,16 +36,6 @@ RSpec.describe 'Git HTTP requests' do
           end
         end
 
-        context "when password is expired" do
-          it "responds to downloads with status 401 Unauthorized" do
-            user.update!(password_expires_at: 2.days.ago)
-
-            download(path, user: user.username, password: user.password) do |response|
-              expect(response).to have_gitlab_http_status(:unauthorized)
-            end
-          end
-        end
-
         context "when user is blocked" do
           let(:user) { create(:user, :blocked) }
 
@@ -68,6 +58,26 @@ RSpec.describe 'Git HTTP requests' do
     end
   end
 
+  shared_examples 'operations are not allowed with expired password' do
+    context "when password is expired" do
+      it "responds to downloads with status 401 Unauthorized" do
+        user.update!(password_expires_at: 2.days.ago)
+
+        download(path, user: user.username, password: user.password) do |response|
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
+      end
+
+      it "responds to uploads with status 401 Unauthorized" do
+        user.update!(password_expires_at: 2.days.ago)
+
+        upload(path, user: user.username, password: user.password) do |response|
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
+      end
+    end
+  end
+
   shared_examples 'pushes require Basic HTTP Authentication' do
     context "when no credentials are provided" do
       it "responds to uploads with status 401 Unauthorized (no project existence information leak)" do
@@ -95,15 +105,6 @@ RSpec.describe 'Git HTTP requests' do
             expect(response.header['WWW-Authenticate']).to start_with('Basic ')
           end
         end
-
-        context "when password is expired" do
-          it "responds to uploads with status 401 Unauthorized" do
-            user.update!(password_expires_at: 2.days.ago)
-            upload(path, user: user.username, password: user.password) do |response|
-              expect(response).to have_gitlab_http_status(:unauthorized)
-            end
-          end
-        end
       end
 
       context "when authentication succeeds" do
@@ -212,6 +213,7 @@ RSpec.describe 'Git HTTP requests' do
 
         it_behaves_like 'pulls require Basic HTTP Authentication'
         it_behaves_like 'pushes require Basic HTTP Authentication'
+        it_behaves_like 'operations are not allowed with expired password'
 
         context 'when authenticated' do
           it 'rejects downloads and uploads with 404 Not Found' do
@@ -306,6 +308,7 @@ RSpec.describe 'Git HTTP requests' do
 
         it_behaves_like 'pulls require Basic HTTP Authentication'
         it_behaves_like 'pushes require Basic HTTP Authentication'
+        it_behaves_like 'operations are not allowed with expired password'
 
         context 'when authenticated' do
           context 'and as a developer on the team' do
@@ -473,6 +476,7 @@ RSpec.describe 'Git HTTP requests' do
 
             it_behaves_like 'pulls require Basic HTTP Authentication'
             it_behaves_like 'pushes require Basic HTTP Authentication'
+            it_behaves_like 'operations are not allowed with expired password'
           end
 
           context 'but the repo is enabled' do
@@ -488,6 +492,7 @@ RSpec.describe 'Git HTTP requests' do
 
             it_behaves_like 'pulls require Basic HTTP Authentication'
             it_behaves_like 'pushes require Basic HTTP Authentication'
+            it_behaves_like 'operations are not allowed with expired password'
           end
         end
 
@@ -508,6 +513,7 @@ RSpec.describe 'Git HTTP requests' do
 
         it_behaves_like 'pulls require Basic HTTP Authentication'
         it_behaves_like 'pushes require Basic HTTP Authentication'
+        it_behaves_like 'operations are not allowed with expired password'
 
         context "when username and password are provided" do
           let(:env) { { user: user.username, password: 'nope' } }
@@ -1003,6 +1009,24 @@ RSpec.describe 'Git HTTP requests' do
 
           it_behaves_like 'pulls are allowed'
           it_behaves_like 'pushes are allowed'
+
+          context "when password is expired" do
+            it "responds to downloads with status 200" do
+              user.update!(password_expires_at: 2.days.ago)
+
+              download(path, user: user.username, password: user.password) do |response|
+                expect(response).to have_gitlab_http_status(:ok)
+              end
+            end
+
+            it "responds to uploads with status 200" do
+              user.update!(password_expires_at: 2.days.ago)
+
+              upload(path, user: user.username, password: user.password) do |response|
+                expect(response).to have_gitlab_http_status(:ok)
+              end
+            end
+          end
         end
       end
     end