Merge branch 'security-ssl-verification-ftc' into 'master'

Always perform SSL verification for FortiTokenCloud Integration See merge request gitlab-org/security/gitlab!1174

Merge branch 'security-ssl-verification-ftc' into 'master'
Always perform SSL verification for FortiTokenCloud Integration See merge request gitlab-org/security/gitlab!1174
8dfeafc8 · Mayra Cabrera · 0ac261e3 · 22a28ce9 · 8dfeafc8 · 8dfeafc8
Commit 8dfeafc8 authored Feb 09, 2021 by Mayra Cabrera
3 changed files
--- a/changelogs/unreleased/security-ssl-verification-ftc.yml
+++ b/changelogs/unreleased/security-ssl-verification-ftc.yml
+---
+title: Perform SSL verification for FortiTokenCloud Integration
+merge_request:
+author:
+type: security
--- a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
+++ b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
@@ -61,8 +61,7 @@ module Gitlab
              headers: {
                'Content-Type': 'application/json'
              }.merge(headers),
-              body: body,
-              verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
+              body: body
            )
          end
        end

--- a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
+++ b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
  let(:otp_verification_url) { url + '/auth' }
  let(:access_token) { 'an_access_token' }
  let(:access_token_create_response_body) { '' }
+  let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
+  let(:headers) { { 'Content-Type': 'application/json' } }

  subject(:validate) { described_class.new(user).validate(otp_code) }

@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
      client_secret: client_secret
    )

-    access_token_request_body = { client_id: client_id,
-                                  client_secret: client_secret }
-
    stub_request(:post, access_token_create_url)
-      .with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' })
+      .with(body: JSON(access_token_request_body), headers: headers)
      .to_return(
        status: access_token_create_response_status,
        body: Gitlab::Json.generate(access_token_create_response_body),
@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
    end
  end

+  context 'SSL Verification' do
+    let(:access_token_create_response_status) { 400 }
+
+    context 'with `Gitlab::HTTP`' do
+      it 'does not use a `verify` argument,'\
+         'thereby always performing SSL verification while making API calls' do
+        expect(Gitlab::HTTP).to receive(:post)
+          .with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
+
+        validate
+      end
+    end
+  end
+
  def stub_forti_token_cloud_config(forti_token_cloud_settings)
    allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
  end