From 48aff82709769b098321c738f3444b9bdaa694c6 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 21 Oct 2020 07:08:36 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-5-stable-ee

---
 spec/lib/gitlab/auth/auth_finders_spec.rb | 26 ++++++++--
 spec/lib/gitlab/auth/current_user_mode_spec.rb | 2 +-
 spec/lib/gitlab/auth/otp/strategies/devise_spec.rb | 16 +++++++
 .../otp/strategies/forti_authenticator_spec.rb | 55 ++++++++++++++++++++++
 spec/lib/gitlab/auth/unique_ips_limiter_spec.rb | 2 +-
 .../gitlab/auth/user_access_denied_reason_spec.rb | 8 ++++
 6 files changed, 104 insertions(+), 5 deletions(-)
 create mode 100644 spec/lib/gitlab/auth/otp/strategies/devise_spec.rb
 create mode 100644 spec/lib/gitlab/auth/otp/strategies/forti_authenticator_spec.rb
(limited to 'spec/lib/gitlab/auth')

diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 1ac8ebe1369..2ebde145bfd 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -419,10 +419,30 @@ RSpec.describe Gitlab::Auth::AuthFinders do
 expect(find_user_from_web_access_token(:ics)).to eq(user)
 end
- it 'returns the user for API requests' do
- set_header('SCRIPT_NAME', '/api/endpoint')
+ context 'for API requests' do
+ it 'returns the user' do
+ set_header('SCRIPT_NAME', '/api/endpoint')
+
+ expect(find_user_from_web_access_token(:api)).to eq(user)
+ end
+
+ it 'returns nil if URL does not start with /api/' do
+ set_header('SCRIPT_NAME', '/relative_root/api/endpoint')
+
+ expect(find_user_from_web_access_token(:api)).to be_nil
+ end
- expect(find_user_from_web_access_token(:api)).to eq(user)
+ context 'when relative_url_root is set' do
+ before do
+ stub_config_setting(relative_url_root: '/relative_root')
+ end
+
+ it 'returns the user' do
+ set_header('SCRIPT_NAME', '/relative_root/api/endpoint')
+
+ expect(find_user_from_web_access_token(:api)).to eq(user)
+ end
+ end
 end
 end
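Review bot: The new 'for API requests' context pins that an :api web access token is accepted only under the API path, but the 'when relative_url_root is set' context has no negative example, so the boundary case — relative_url_root set to `/relative_root` while SCRIPT_NAME is `/api/endpoint`, i.e. an API-looking path outside the configured root — is left unspecified. Adding `it 'returns nil when the path is outside the relative root'` with `set_header('SCRIPT_NAME', '/api/endpoint')` and `expect(find_user_from_web_access_token(:api)).to be_nil` would fix the prefix rule, assuming the finder requires the full `relative_url_root + /api/` prefix; confirm against the implementation, which is not in this diff. The example description 'returns nil if URL does not start with /api/' talks about a URL while the test sets SCRIPT_NAME; 'returns nil if the path does not start with /api/' is more precise. The enclosing describe and context blocks start before this hunk.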
diff --git a/spec/lib/gitlab/auth/current_user_mode_spec.rb b/spec/lib/gitlab/auth/current_user_mode_spec.rb
index 60b403780c0..ffd7813190a 100644
--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -121,7 +121,7 @@ RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_
 subject.enable_admin_mode!(password: user.password)
 expect(subject.admin_mode?).to be(true), 'admin mode is not active in the present'
- Timecop.freeze(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do
+ travel_to(Gitlab::Auth::CurrentUserMode::MAX_ADMIN_MODE_TIME.from_now) do
 # in the future this will be a new request, simulate by clearing the RequestStore
 Gitlab::SafeRequestStore.clear!
diff --git a/spec/lib/gitlab/auth/otp/strategies/devise_spec.rb b/spec/lib/gitlab/auth/otp/strategies/devise_spec.rb
new file mode 100644
index 00000000000..0c88421d456
--- /dev/null
+++ b/spec/lib/gitlab/auth/otp/strategies/devise_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Otp::Strategies::Devise do
+ let_it_be(:user) { create(:user) }
+ let(:otp_code) { 42 }
+
+ subject(:validate) { described_class.new(user).validate(otp_code) }
+
+ it 'calls Devise' do
+ expect(user).to receive(:validate_and_consume_otp!).with(otp_code)
+
+ validate
+ end
+end
diff --git a/spec/lib/gitlab/auth/otp/strategies/forti_authenticator_spec.rb b/spec/lib/gitlab/auth/otp/strategies/forti_authenticator_spec.rb
new file mode 100644
index 00000000000..18fd6d08057
--- /dev/null
+++ b/spec/lib/gitlab/auth/otp/strategies/forti_authenticator_spec.rb
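Review bot: The only example in the new devise_spec.rb asserts that `validate_and_consume_otp!` is called with the code; it never asserts what `validate` returns, so a strategy that calls Devise and then reports the wrong status (or swallows a false result) would still pass. The sibling forti_authenticator_spec.rb in this commit checks `validate[:status]`, and the same can be done here by stubbing the Devise result: `allow(user).to receive(:validate_and_consume_otp!).with(otp_code).and_return(true)` followed by `expect(validate[:status]).to eq(:success)`, plus a false-returning counterpart expecting `:error`. This assumes the Devise strategy maps the boolean to the same `{ status: }` hash as the FortiAuthenticator strategy; its implementation is not in this diff, so confirm the shape before pinning it.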
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::Otp::Strategies::FortiAuthenticator do
+ let_it_be(:user) { create(:user) }
+ let(:otp_code) { 42 }
+
+ let(:host) { 'forti_authenticator.example.com' }
+ let(:port) { '444' }
+ let(:api_username) { 'janedoe' }
+ let(:api_token) { 's3cr3t' }
+
+ let(:forti_authenticator_auth_url) { "https://#{host}:#{port}/api/v1/auth/" }
+
+ subject(:validate) { described_class.new(user).validate(otp_code) }
+
+ before do
+ stub_feature_flags(forti_authenticator: true)
+
+ stub_forti_authenticator_config(
+ host: host,
+ port: port,
+ username: api_username,
+ token: api_token
+ )
+
+ request_body = { username: user.username,
+ token_code: otp_code }
+
+ stub_request(:post, forti_authenticator_auth_url)
+ .with(body: JSON(request_body), headers: { 'Content-Type' => 'application/json' })
+ .to_return(status: response_status, body: '', headers: {})
+ end
+
+ context 'successful validation' do
+ let(:response_status) { 200 }
+
+ it 'returns success' do
+ expect(validate[:status]).to eq(:success)
+ end
+ end
+
+ context 'unsuccessful validation' do
+ let(:response_status) { 401 }
+
+ it 'returns error' do
+ expect(validate[:status]).to eq(:error)
+ end
+ end
+
+ def stub_forti_authenticator_config(forti_authenticator_settings)
+ allow(::Gitlab.config.forti_authenticator).to(receive_messages(forti_authenticator_settings))
+ end
+end
diff --git a/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb b/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
index a08055ab852..b239de841b6 100644
--- a/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
+++ b/spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
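Review bot: The `stub_request` in the `before` block matches only on body and Content-Type, so neither example asserts that `api_username`/`api_token` reach FortiAuthenticator — a regression that dropped the credentials, or moved them into the JSON body, would still pass both contexts even though the `let`s for them are defined. If the strategy authenticates with HTTP Basic auth, `with(basic_auth: [api_username, api_token], body: JSON(request_body), headers: { 'Content-Type' => 'application/json' })` pins it; if it uses a header instead, match that header — the strategy implementation is outside this diff, so check which applies. The 'unsuccessful validation' context covers only a 401; a third context where the stub returns a 5xx or raises `Net::OpenTimeout` would document whether a remote-service failure yields `{ status: :error }` or propagates, which is the behaviour a login path that depends on a remote OTP check most needs pinned.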
@@ -26,7 +26,7 @@ RSpec.describe Gitlab::Auth::UniqueIpsLimiter, :clean_gitlab_redis_shared_state
 expect(described_class.update_and_return_ips_count(user.id, 'ip2')).to eq(1)
 expect(described_class.update_and_return_ips_count(user.id, 'ip3')).to eq(2)
- Timecop.travel(Time.now.utc + described_class.config.unique_ips_limit_time_window) do
+ travel_to(Time.now.utc + described_class.config.unique_ips_limit_time_window) do
 expect(described_class.update_and_return_ips_count(user.id, 'ip4')).to eq(1)
 expect(described_class.update_and_return_ips_count(user.id, 'ip5')).to eq(2)
 end
diff --git a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
index 5cbd22827c9..d3c6cde5590 100644
--- a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
+++ b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
@@ -49,5 +49,13 @@ RSpec.describe Gitlab::Auth::UserAccessDeniedReason do
 it { is_expected.to match /Your primary email address is not confirmed/ }
 end
+
+ context 'when the user is blocked pending approval' do
+ before do
+ user.block_pending_approval!
+ end
+
+ it { is_expected.to eq('Your account is pending approval from your administrator and hence blocked.') }
+ end
 end
 end
-- 
cgit v1.2.3
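Review bot: The new 'blocked pending approval' example in user_access_denied_reason_spec.rb asserts the whole message with `eq` while the neighbouring example uses `match /.../` on a fragment, so the two examples in the same describe follow different conventions for the same kind of check. Either style is defensible, but the block reads more consistently if the new example follows the existing one, `it { is_expected.to match /pending approval from your administrator/ }`, or the existing regex examples are tightened to `eq` in one pass; matching on the stable fragment is also the less brittle choice if this user-facing copy is later reworded. The enclosing describe and the subject definition are outside this hunk.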