Commit 8dfeafc8 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'security-ssl-verification-ftc' into 'master'

Always perform SSL verification for FortiTokenCloud Integration

See merge request gitlab-org/security/gitlab!1174
parents 0ac261e3 22a28ce9
---
title: Perform SSL verification for FortiTokenCloud Integration
merge_request:
author:
type: security
......@@ -61,8 +61,7 @@ module Gitlab
headers: {
'Content-Type': 'application/json'
}.merge(headers),
body: body,
verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
body: body
)
end
end
......
......@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
let(:otp_verification_url) { url + '/auth' }
let(:access_token) { 'an_access_token' }
let(:access_token_create_response_body) { '' }
let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
let(:headers) { { 'Content-Type': 'application/json' } }
subject(:validate) { described_class.new(user).validate(otp_code) }
......@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
client_secret: client_secret
)
access_token_request_body = { client_id: client_id,
client_secret: client_secret }
stub_request(:post, access_token_create_url)
.with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' })
.with(body: JSON(access_token_request_body), headers: headers)
.to_return(
status: access_token_create_response_status,
body: Gitlab::Json.generate(access_token_create_response_body),
......@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
end
end
context 'SSL Verification' do
let(:access_token_create_response_status) { 400 }
context 'with `Gitlab::HTTP`' do
it 'does not use a `verify` argument,'\
'thereby always performing SSL verification while making API calls' do
expect(Gitlab::HTTP).to receive(:post)
.with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
validate
end
end
end
def stub_forti_token_cloud_config(forti_token_cloud_settings)
allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment