Skip to content

G
gitlab-ce
Commit 366b1d74 authored by Małgorzata Ksionek's avatar Małgorzata Ksionek
Browse files
Options

Add another guard clause to password_expired_if_applicable 

Changelog: fixed
parent 46b23aa5
Hide whitespace changes
Inline Side-by-side
Showing with 82 additions and 21 deletions
app/models/user.rb
View file @ 366b1d74
...@@ -1890,7 +1890,8 @@ class User < ApplicationRecord ...@@ -1890,7 +1890,8 @@ class User < ApplicationRecord
end end
def password_expired_if_applicable? def password_expired_if_applicable?
return false unless password_expired? return false if bot?
return false unless password_expired? && password_automatically_set?
return false unless allow_password_authentication? return false unless allow_password_authentication?
true true
......
spec/lib/gitlab/git_access_spec.rb
View file @ 366b1d74
...@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do
it 'disallows users with expired password to pull' do it 'disallows users with expired password to pull' do
project.add_maintainer(user) project.add_maintainer(user)
user.update!(password_expires_at: 2.minutes.ago) user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.") expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end end
...@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
end end
it 'disallows users with expired password to push' do it 'disallows users with expired password to push' do
user.update!(password_expires_at: 2.minutes.ago) user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.") expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end end
......
spec/lib/gitlab/lfs_token_spec.rb
View file @ 366b1d74
...@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do ...@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
end end
context 'when the user password is expired' do context 'when the user password is expired' do
let(:actor) { create(:user, password_expires_at: 1.minute.ago) } let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it 'returns false' do it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be false expect(lfs_token.token_valid?(lfs_token.token)).to be false
......
spec/models/user_spec.rb
View file @ 366b1d74
...@@ -5275,11 +5275,43 @@ RSpec.describe User do ...@@ -5275,11 +5275,43 @@ RSpec.describe User do
end end
describe '#password_expired_if_applicable?' do describe '#password_expired_if_applicable?' do
let(:user) { build(:user, password_expires_at: password_expires_at) } let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
subject { user.password_expired_if_applicable? } subject { user.password_expired_if_applicable? }
context 'when user is not ldap user' do context 'when user is not ldap user' do
context 'when user has password set automatically' do
let(:set_automatically?) { true }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
it 'returns true' do
is_expected.to be_truthy
end
end
context 'when password_expires_at is in the future' do
let(:password_expires_at) { 1.minute.from_now }
it 'returns false' do
is_expected.to be_falsey
end
end
end
end
context 'when user has password not set automatically' do
let(:set_automatically?) { false }
context 'when password_expires_at is not set' do context 'when password_expires_at is not set' do
let(:password_expires_at) {} let(:password_expires_at) {}
...@@ -5291,8 +5323,8 @@ RSpec.describe User do ...@@ -5291,8 +5323,8 @@ RSpec.describe User do
context 'when password_expires_at is in the past' do context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago } let(:password_expires_at) { 1.minute.ago }
it 'returns true' do it 'returns false' do
is_expected.to be_truthy is_expected.to be_falsey
end end
end end
...@@ -5336,6 +5368,34 @@ RSpec.describe User do ...@@ -5336,6 +5368,34 @@ RSpec.describe User do
end end
end end
end end
context 'when user is a project bot' do
let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
it 'returns false' do
is_expected.to be_falsey
end
end
context 'when password_expires_at is in the future' do
let(:password_expires_at) { 1.minute.from_now }
it 'returns false' do
is_expected.to be_falsey
end
end
end
end end
describe '#read_only_attribute?' do describe '#read_only_attribute?' do
......
spec/policies/global_policy_spec.rb
View file @ 366b1d74
...@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do ...@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do context 'user with expired password' do
before do before do
current_user.update!(password_expires_at: 2.minutes.ago) current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end end
it { is_expected.not_to be_allowed(:access_api) } it { is_expected.not_to be_allowed(:access_api) }
...@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do ...@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do context 'user with expired password' do
before do before do
current_user.update!(password_expires_at: 2.minutes.ago) current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end end
it { is_expected.not_to be_allowed(:access_git) } it { is_expected.not_to be_allowed(:access_git) }
...@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do ...@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do context 'user with expired password' do
before do before do
current_user.update!(password_expires_at: 2.minutes.ago) current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end end
it { is_expected.not_to be_allowed(:use_slash_commands) } it { is_expected.not_to be_allowed(:use_slash_commands) }
......
spec/requests/git_http_spec.rb
View file @ 366b1d74
...@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
shared_examples 'operations are not allowed with expired password' do shared_examples 'operations are not allowed with expired password' do
context "when password is expired" do context "when password is expired" do
it "responds to downloads with status 401 Unauthorized" do it "responds to downloads with status 401 Unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: user.username, password: user.password) do |response| download(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
...@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
end end
it "responds to uploads with status 401 Unauthorized" do it "responds to uploads with status 401 Unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
upload(path, user: user.username, password: user.password) do |response| upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
...@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do it "responds to downloads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response| download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
...@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do it "responds to uploads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository]) write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
...@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do it 'rejects pulls with 401 unauthorized' do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response| download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
...@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do it "responds to downloads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response| download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
...@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do it "responds to uploads with status 401 unauthorized" do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository]) write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
...@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do it 'rejects pulls with 401 unauthorized' do
user.update!(password_expires_at: 2.days.ago) user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response| download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
......
spec/requests/lfs_http_spec.rb
View file @ 366b1d74
...@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 blob response' it_behaves_like 'LFS http 200 blob response'
context 'when user password is expired' do context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)} let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
it_behaves_like 'LFS http 401 response' it_behaves_like 'LFS http 401 response'
end end
...@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
end end
context 'when user password is expired' do context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)} let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
let(:role) { :reporter} let(:role) { :reporter}
...@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do ...@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 workhorse response' it_behaves_like 'LFS http 200 workhorse response'
context 'when user password is expired' do context 'when user password is expired' do
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)} let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it_behaves_like 'LFS http 401 response' it_behaves_like 'LFS http 401 response'
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7