Merge branch 'security-email-confirmation-bypass-via-api-ee' into 'master'

Prevent API access for unconfirmed users See merge request gitlab-org/security/gitlab!52

Merge branch 'security-email-confirmation-bypass-via-api-ee' into 'master'
Prevent API access for unconfirmed users See merge request gitlab-org/security/gitlab!52
79ec446e · GitLab Release Tools Bot · 1f57aadd · 84cd552f · 79ec446e · 79ec446e
Commit 79ec446e authored Jan 28, 2020 by GitLab Release Tools Bot
5 changed files
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,14 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:deactivated) { @user&.deactivated? }

+  desc "User email is unconfirmed or user account is locked"
+  with_options scope: :user, score: 0
+  condition(:inactive) do
+    Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
+      @user &&
+      !@user&.active_for_authentication?
+  end
+
  with_options scope: :user, score: 0
  condition(:external_user) { @user.nil? || @user.external? }


--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -36,6 +36,13 @@ class GlobalPolicy < BasePolicy
    enable :use_slash_commands
  end

+  rule { inactive }.policy do
+    prevent :log_in
+    prevent :access_api
+    prevent :access_git
+    prevent :use_slash_commands
+  end
+
  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api

--- a/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
+++ b/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
+---
+title: Prevent API access for unconfirmed users
+merge_request:
+author:
+type: security
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -141,6 +141,34 @@ describe GlobalPolicy do
        it { is_expected.to be_allowed(:access_api) }
      end
    end
+
+    context 'inactive user' do
+      before do
+        current_user.update!(confirmed_at: nil, confirmation_sent_at: 5.days.ago)
+      end
+
+      context 'when within the confirmation grace period' do
+        before do
+          allow(User).to receive(:allow_unconfirmed_access_for).and_return(10.days)
+        end
+
+        it { is_expected.to be_allowed(:access_api) }
+      end
+
+      context 'when confirmation grace period is expired' do
+        before do
+          allow(User).to receive(:allow_unconfirmed_access_for).and_return(2.days)
+        end
+
+        it { is_expected.not_to be_allowed(:access_api) }
+      end
+
+      it 'when `inactive_policy_condition` feature flag is turned off' do
+        stub_feature_flags(inactive_policy_condition: false)
+
+        is_expected.to be_allowed(:access_api)
+      end
+    end
  end

  describe 'receive notifications' do
@@ -202,6 +230,20 @@ describe GlobalPolicy do
      it { is_expected.not_to be_allowed(:access_git) }
    end

+    describe 'inactive user' do
+      before do
+        current_user.update!(confirmed_at: nil)
+      end
+
+      it { is_expected.not_to be_allowed(:access_git) }
+
+      it 'when `inactive_policy_condition` feature flag is turned off' do
+        stub_feature_flags(inactive_policy_condition: false)
+
+        is_expected.to be_allowed(:access_git)
+      end
+    end
+
    context 'when terms are enforced' do
      before do
        enforce_terms
@@ -298,6 +340,20 @@ describe GlobalPolicy do
      it { is_expected.not_to be_allowed(:use_slash_commands) }
    end

+    describe 'inactive user' do
+      before do
+        current_user.update!(confirmed_at: nil)
+      end
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+
+      it 'when `inactive_policy_condition` feature flag is turned off' do
+        stub_feature_flags(inactive_policy_condition: false)
+
+        is_expected.to be_allowed(:use_slash_commands)
+      end
+    end
+
    context 'when access locked' do
      before do
        current_user.lock_access!

--- a/spec/requests/api/oauth_tokens_spec.rb
+++ b/spec/requests/api/oauth_tokens_spec.rb
@@ -30,26 +30,40 @@ describe 'OAuth tokens' do
      end
    end

-    context "when user is blocked" do
-      it "does not create an access token" do
-        user = create(:user)
+    shared_examples 'does not create an access token' do
+      let(:user) { create(:user) }
+
+      it { expect(response).to have_gitlab_http_status(401) }
+    end
+
+    context 'when user is blocked' do
+      before do
        user.block

        request_oauth_token(user)
-
-        expect(response).to have_gitlab_http_status(401)
      end
+
+      include_examples 'does not create an access token'
    end

-    context "when user is ldap_blocked" do
-      it "does not create an access token" do
-        user = create(:user)
+    context 'when user is ldap_blocked' do
+      before do
        user.ldap_block

        request_oauth_token(user)
+      end

-        expect(response).to have_gitlab_http_status(401)
+      include_examples 'does not create an access token'
+    end
+
+    context 'when user account is not confirmed' do
+      before do
+        user.update!(confirmed_at: nil)
+
+        request_oauth_token(user)
      end
+
+      include_examples 'does not create an access token'
    end
  end
 end