From 65952e598a194110f5894da1c42577b2b20c6336 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Thu, 10 Dec 2020 06:09:47 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 spec/lib/gitlab/git_access_spec.rb | 102 +++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)

(limited to 'spec/lib/gitlab/git_access_spec.rb')

diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index cd465a92fec..780f4329bcc 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -387,6 +387,108 @@ RSpec.describe Gitlab::GitAccess do
     end
   end
 
+  describe '#check_otp_session!' do
+    let_it_be(:user) { create(:user, :two_factor_via_otp)}
+    let_it_be(:key) { create(:key, user: user) }
+    let_it_be(:actor) { key }
+
+    before do
+      project.add_developer(user)
+      stub_feature_flags(two_factor_for_cli: true)
+    end
+
+    context 'with an OTP session', :clean_gitlab_redis_shared_state do
+      before do
+        Gitlab::Redis::SharedState.with do |redis|
+          redis.set("#{Gitlab::Auth::Otp::SessionEnforcer::OTP_SESSIONS_NAMESPACE}:#{key.id}", true)
+        end
+      end
+
+      it 'allows push and pull access' do
+        aggregate_failures do
+          expect { push_access_check }.not_to raise_error
+          expect { pull_access_check }.not_to raise_error
+        end
+      end
+    end
+
+    context 'without OTP session' do
+      it 'does not allow push or pull access' do
+        user = 'jane.doe'
+        host = 'fridge.ssh'
+        port = 42
+
+        stub_config(
+          gitlab_shell: {
+            ssh_user: user,
+            ssh_host: host,
+            ssh_port: port
+          }
+        )
+
+        error_message = "OTP verification is required to access the repository.\n\n"\
+                        "   Use: ssh #{user}@#{host} -p #{port} 2fa_verify"
+
+        aggregate_failures do
+          expect { push_access_check }.to raise_forbidden(error_message)
+          expect { pull_access_check }.to raise_forbidden(error_message)
+        end
+      end
+
+      context 'when protocol is HTTP' do
+        let(:protocol) { 'http' }
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when actor is not an SSH key' do
+        let(:deploy_key) { create(:deploy_key, user: user) }
+        let(:actor) { deploy_key }
+
+        before do
+          deploy_key.deploy_keys_projects.create(project: project, can_push: true)
+        end
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when 2FA is not enabled for the user' do
+        let(:user) { create(:user)}
+        let(:actor) { create(:key, user: user) }
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+
+      context 'when feature flag is disabled' do
+        before do
+          stub_feature_flags(two_factor_for_cli: false)
+        end
+
+        it 'allows push and pull access' do
+          aggregate_failures do
+            expect { push_access_check }.not_to raise_error
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+      end
+    end
+  end
+
   describe '#check_db_accessibility!' do
     context 'when in a read-only GitLab instance' do
       before do
-- 
cgit v1.2.3