Block access to GitLab for users with expired password

Changelog: security

app/policies/concerns/policy_actor.rb

@@ -80,6 +80,10 @@ module PolicyActor
   def can_read_all_resources?
     false
   end
+
+  def password_expired?
+    false
+  end
 end
 
 PolicyActor.prepend_mod_with('PolicyActor')

app/policies/global_policy.rb

@@ -15,6 +15,10 @@ class GlobalPolicy < BasePolicy
     @user&.required_terms_not_accepted?
   end
 
+  condition(:password_expired, scope: :user) do
+    @user&.password_expired?
+  end
+
   condition(:project_bot, scope: :user) { @user&.project_bot? }
   condition(:migration_bot, scope: :user) { @user&.migration_bot? }
 
@@ -73,6 +77,12 @@ class GlobalPolicy < BasePolicy
     prevent :access_git
   end
 
+  rule { password_expired }.policy do
+    prevent :access_api
+    prevent :access_git
+    prevent :use_slash_commands
+  end
+
   rule { can_create_group }.policy do
     enable :create_group
   end

lib/gitlab/auth.rb

@@ -84,7 +84,7 @@ module Gitlab
         Gitlab::Auth::UniqueIpsLimiter.limit_user! do
           user = User.by_login(login)
 
-          break if user && !user.can?(:log_in)
+          break if user && !can_user_login_with_non_expired_password?(user)
 
           authenticators = []
 
@@ -182,7 +182,7 @@ module Gitlab
 
           if valid_oauth_token?(token)
             user = User.id_in(token.resource_owner_id).first
-            return unless user&.can?(:log_in)
+            return unless user && can_user_login_with_non_expired_password?(user)
 
             Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities)
           end
@@ -200,7 +200,7 @@ module Gitlab
 
         return if project && token.user.project_bot? && !project.bots.include?(token.user)
 
-        if token.user.can?(:log_in) || token.user.project_bot?
+        if can_user_login_with_non_expired_password?(token.user) || token.user.project_bot?
           Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
         end
       end
@@ -285,7 +285,7 @@ module Gitlab
         return unless build.project.builds_enabled?
 
         if build.user
-          return unless build.user.can?(:log_in) || (build.user.project_bot? && build.project.bots&.include?(build.user))
+          return unless can_user_login_with_non_expired_password?(build.user) || (build.user.project_bot? && build.project.bots&.include?(build.user))
 
           # If user is assigned to build, use restricted credentials of user
           Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
@@ -380,6 +380,10 @@ module Gitlab
 
         user.increment_failed_attempts!
       end
+
+      def can_user_login_with_non_expired_password?(user)
+        user.can?(:log_in) && !user.password_expired?
+      end
     end
   end
 end

lib/gitlab/auth/user_access_denied_reason.rb

@@ -23,6 +23,9 @@ module Gitlab
           "Your primary email address is not confirmed. "\
           "Please check your inbox for the confirmation instructions. "\
           "In case the link is expired, you can request a new confirmation email at #{Rails.application.routes.url_helpers.new_user_confirmation_url}"
+        when :password_expired
+          "Your password expired. "\
+          "Please access GitLab from a web browser to update your password."
         else
           "Your account has been blocked."
         end
@@ -41,6 +44,8 @@ module Gitlab
           :deactivated
         elsif !@user.confirmed?
           :unconfirmed
+        elsif @user.password_expired?
+          :password_expired
         else
           :blocked
         end

spec/features/users/login_spec.rb

@@ -394,6 +394,25 @@ RSpec.describe 'Login' do
 
         gitlab_sign_in(user)
       end
+
+      context 'when the users password is expired' do
+        before do
+          user.update!(password_expires_at: Time.parse('2018-05-08 11:29:46 UTC'))
+        end
+
+        it 'asks for a new password' do
+          expect(authentication_metrics)
+            .to increment(:user_authenticated_counter)
+
+          visit new_user_session_path
+
+          fill_in 'user_login', with: user.email
+          fill_in 'user_password', with: '12345678'
+          click_button 'Sign in'
+
+          expect(current_path).to eq(new_profile_password_path)
+        end
+      end
     end
 
     context 'with invalid username and password' do

spec/lib/gitlab/auth/user_access_denied_reason_spec.rb

@@ -57,5 +57,13 @@ RSpec.describe Gitlab::Auth::UserAccessDeniedReason do
 
       it { is_expected.to eq('Your account is pending approval from your administrator and hence blocked.') }
     end
+
+    context 'when the user has expired password' do
+      before do
+        user.update!(password_expires_at: 2.days.ago)
+      end
+
+      it { is_expected.to eq('Your password expired. Please access GitLab from a web browser to update your password.') }
+    end
   end
 end

spec/lib/gitlab/git_access_spec.rb

@@ -433,6 +433,13 @@ RSpec.describe Gitlab::GitAccess do
       expect { pull_access_check }.to raise_forbidden("Your account has been deactivated by your administrator. Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}")
     end
 
+    it 'disallows users with expired password to pull' do
+      project.add_maintainer(user)
+      user.update!(password_expires_at: 2.minutes.ago)
+
+      expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
+    end
+
     context 'when the project repository does not exist' do
       before do
         project.add_guest(user)
@@ -969,6 +976,13 @@ RSpec.describe Gitlab::GitAccess do
         expect { push_access_check }.to raise_forbidden("Your account has been deactivated by your administrator. Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}")
       end
 
+      it 'disallows users with expired password to push' do
+        project.add_maintainer(user)
+        user.update!(password_expires_at: 2.minutes.ago)
+
+        expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
+      end
+
       it 'cleans up the files' do
         expect(project.repository).to receive(:clean_stale_repository_files).and_call_original
         expect { push_access_check }.not_to raise_error

spec/policies/global_policy_spec.rb

@@ -239,6 +239,14 @@ RSpec.describe GlobalPolicy do
       it { is_expected.not_to be_allowed(:access_api) }
     end
 
+    context 'user with expired password' do
+      before do
+        current_user.update!(password_expires_at: 2.minutes.ago)
+      end
+
+      it { is_expected.not_to be_allowed(:access_api) }
+    end
+
     context 'when terms are enforced' do
       before do
         enforce_terms
@@ -418,6 +426,14 @@ RSpec.describe GlobalPolicy do
 
       it { is_expected.not_to be_allowed(:access_git) }
     end
+
+    context 'user with expired password' do
+      before do
+        current_user.update!(password_expires_at: 2.minutes.ago)
+      end
+
+      it { is_expected.not_to be_allowed(:access_git) }
+    end
   end
 
   describe 'read instance metadata' do
@@ -494,6 +510,14 @@ RSpec.describe GlobalPolicy do
 
       it { is_expected.not_to be_allowed(:use_slash_commands) }
     end
+
+    context 'user with expired password' do
+      before do
+        current_user.update!(password_expires_at: 2.minutes.ago)
+      end
+
+      it { is_expected.not_to be_allowed(:use_slash_commands) }
+    end
   end
 
   describe 'create_snippet' do

spec/requests/git_http_spec.rb

@@ -35,6 +35,26 @@ RSpec.describe 'Git HTTP requests' do
             expect(response.header['WWW-Authenticate']).to start_with('Basic ')
           end
         end
+
+        context "when password is expired" do
+          it "responds to downloads with status 401 Unauthorized" do
+            user.update!(password_expires_at: 2.days.ago)
+
+            download(path, user: user.username, password: user.password) do |response|
+              expect(response).to have_gitlab_http_status(:unauthorized)
+            end
+          end
+        end
+
+        context "when user is blocked" do
+          let(:user) { create(:user, :blocked) }
+
+          it "responds to downloads with status 401 Unauthorized" do
+            download(path, user: user.username, password: user.password) do |response|
+              expect(response).to have_gitlab_http_status(:unauthorized)
+            end
+          end
+        end
       end
 
       context "when authentication succeeds" do
@@ -75,6 +95,15 @@ RSpec.describe 'Git HTTP requests' do
             expect(response.header['WWW-Authenticate']).to start_with('Basic ')
           end
         end
+
+        context "when password is expired" do
+          it "responds to uploads with status 401 Unauthorized" do
+            user.update!(password_expires_at: 2.days.ago)
+            upload(path, user: user.username, password: user.password) do |response|
+              expect(response).to have_gitlab_http_status(:unauthorized)
+            end
+          end
+        end
       end
 
       context "when authentication succeeds" do
@@ -576,6 +605,16 @@ RSpec.describe 'Git HTTP requests' do
 
                 it_behaves_like 'pulls are allowed'
                 it_behaves_like 'pushes are allowed'
+
+                context "when password is expired" do
+                  it "responds to downloads with status 401 unauthorized" do
+                    user.update!(password_expires_at: 2.days.ago)
+
+                    download(path, **env) do |response|
+                      expect(response).to have_gitlab_http_status(:unauthorized)
+                    end
+                  end
+                end
               end
 
               context 'when user has 2FA enabled' do
@@ -649,6 +688,18 @@ RSpec.describe 'Git HTTP requests' do
                       expect(response).to have_gitlab_http_status(:ok)
                     end
                   end
+
+                  context "when password is expired" do
+                    it "responds to uploads with status 401 unauthorized" do
+                      user.update!(password_expires_at: 2.days.ago)
+
+                      write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
+
+                      upload(path, user: user.username, password: write_access_token.token) do |response|
+                        expect(response).to have_gitlab_http_status(:unauthorized)
+                      end
+                    end
+                  end
                 end
               end
 
@@ -860,6 +911,16 @@ RSpec.describe 'Git HTTP requests' do
 
                 expect(response).to have_gitlab_http_status(:not_found)
               end
+
+              context 'when users password is expired' do
+                it 'rejects pulls with 401 unauthorized' do
+                  user.update!(password_expires_at: 2.days.ago)
+
+                  download(path, user: 'gitlab-ci-token', password: build.token) do |response|
+                    expect(response).to have_gitlab_http_status(:unauthorized)
+                  end
+                end
+              end
             end
           end
         end

spec/requests/lfs_http_spec.rb

@@ -346,9 +346,7 @@ RSpec.describe 'Git LFS API and storage' do
               let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
               let(:role) { :reporter}
 
-              # TODO: This should return a 404 response
-              # https://gitlab.com/gitlab-org/gitlab/-/issues/292006
-              it_behaves_like 'LFS http 200 response'
+              it_behaves_like 'LFS http 401 response'
             end
 
             context 'when user is blocked' do