Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
8bb1931e
Commit
8bb1931e
authored
Aug 10, 2016
by
Patricio Cano
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Deny Git over HTTP access to users that have 2FA enabled, unless they use a Personal Access Token.
parent
c5a7a70d
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
45 additions
and
0 deletions
+45
-0
app/views/profiles/personal_access_tokens/index.html.haml
app/views/profiles/personal_access_tokens/index.html.haml
+4
-0
spec/requests/git_http_spec.rb
spec/requests/git_http_spec.rb
+41
-0
No files found.
app/views/profiles/personal_access_tokens/index.html.haml
View file @
8bb1931e
...
...
@@ -7,6 +7,10 @@
=
page_title
%p
You can generate a personal access token for each application you use that needs access to the GitLab API.
%p
You can also use personal access tokens to authenticate against Git over HTTP. Use them specially when you
have 2FA enabled.
.col-lg-9
-
if
flash
[
:personal_access_token
]
...
...
spec/requests/git_http_spec.rb
View file @
8bb1931e
...
...
@@ -198,6 +198,47 @@ describe 'Git HTTP requests', lib: true do
end
end
context
'when user has 2FA enabled'
do
before
do
@user
=
create
(
:user
,
:two_factor
)
project
.
team
<<
[
@user
,
:master
]
end
context
'when username and password are provided'
do
it
'rejects the clone attempt'
do
download
(
"
#{
project
.
path_with_namespace
}
.git"
,
user:
@user
.
username
,
password:
@user
.
password
)
do
|
response
|
expect
(
response
).
to
have_http_status
(
401
)
expect
(
response
.
body
).
to
include
(
'You have 2FA enabled, please use a personal access token for Git over HTTP'
)
end
end
it
'rejects the push attempt'
do
upload
(
"
#{
project
.
path_with_namespace
}
.git"
,
user:
@user
.
username
,
password:
@user
.
password
)
do
|
response
|
expect
(
response
).
to
have_http_status
(
401
)
expect
(
response
.
body
).
to
include
(
'You have 2FA enabled, please use a personal access token for Git over HTTP'
)
end
end
end
context
'when username and personal access token are provided'
do
before
do
@token
=
create
(
:personal_access_token
,
user:
@user
)
end
it
'allows clones'
do
download
(
"
#{
project
.
path_with_namespace
}
.git"
,
user:
@user
.
username
,
password:
@token
.
token
)
do
|
response
|
expect
(
response
).
to
have_http_status
(
200
)
end
end
it
'allows pushes'
do
upload
(
"
#{
project
.
path_with_namespace
}
.git"
,
user:
@user
.
username
,
password:
@token
.
token
)
do
|
response
|
expect
(
response
).
to
have_http_status
(
200
)
end
end
end
end
context
"when blank password attempts follow a valid login"
do
def
attempt_login
(
include_password
)
password
=
include_password
?
user
.
password
:
""
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment