Commit 8dfeafc8 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'security-ssl-verification-ftc' into 'master'

Always perform SSL verification for FortiTokenCloud Integration

See merge request gitlab-org/security/gitlab!1174
parents 0ac261e3 22a28ce9
---
title: Perform SSL verification for FortiTokenCloud Integration
merge_request:
author:
type: security
...@@ -61,8 +61,7 @@ module Gitlab ...@@ -61,8 +61,7 @@ module Gitlab
headers: { headers: {
'Content-Type': 'application/json' 'Content-Type': 'application/json'
}.merge(headers), }.merge(headers),
body: body, body: body
verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
) )
end end
end end
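Review bot: Dropping `verify: false` leaves TLS verification to whatever default `Gitlab::HTTP.post` applies, and that default is not visible in this hunk; adding `verify: true` on the line after `body: body,` would state the requirement in the call itself and keep it in force if the wrapper's default ever changes. The removed line was also the only record of why verification had been switched off, so a short note such as `# TLS verification stays on; the FTC API docs' advice to disable it is deliberately not followed.` would save the next reader who consults those docs from re-introducing it. The enclosing method begins before this hunk.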
......
...@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
let(:otp_verification_url) { url + '/auth' } let(:otp_verification_url) { url + '/auth' }
let(:access_token) { 'an_access_token' } let(:access_token) { 'an_access_token' }
let(:access_token_create_response_body) { '' } let(:access_token_create_response_body) { '' }
let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
let(:headers) { { 'Content-Type': 'application/json' } }
subject(:validate) { described_class.new(user).validate(otp_code) } subject(:validate) { described_class.new(user).validate(otp_code) }
...@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
client_secret: client_secret client_secret: client_secret
) )
access_token_request_body = { client_id: client_id,
client_secret: client_secret }
stub_request(:post, access_token_create_url) stub_request(:post, access_token_create_url)
.with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' }) .with(body: JSON(access_token_request_body), headers: headers)
.to_return( .to_return(
status: access_token_create_response_status, status: access_token_create_response_status,
body: Gitlab::Json.generate(access_token_create_response_body), body: Gitlab::Json.generate(access_token_create_response_body),
...@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
end end
end end
context 'SSL Verification' do
let(:access_token_create_response_status) { 400 }
context 'with `Gitlab::HTTP`' do
it 'does not use a `verify` argument,'\
'thereby always performing SSL verification while making API calls' do
expect(Gitlab::HTTP).to receive(:post)
.with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
validate
end
end
end
def stub_forti_token_cloud_config(forti_token_cloud_settings) def stub_forti_token_cloud_config(forti_token_cloud_settings)
allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings)) allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
end end
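Review bot: The example name in the new 'SSL Verification' context is built from two adjacent string literals with no separating space, so it reads "argument,thereby ..." in spec output; change the first literal to `it 'does not use a `verify` argument, '\`. The `let(:access_token_create_response_status) { 400 }` override carries no explanation; it appears to be there so the flow stops after the access-token request and the `receive(:post)` expectation sees exactly one call, but that is inferred, so a comment like `# fail the token request so only the first HTTP call is made` (adjusted to the real reason) would help. Note that the expectation pins the argument list passed to `Gitlab::HTTP.post` rather than verification behaviour itself, which is fine under WebMock but worth keeping in mind if the HTTP wrapper's interface changes.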
......