Commit 93daeee1 authored by Markus Koller's avatar Markus Koller Committed by Alexis Reigel

Don't allow blocked users to authenticate through other means

Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.
parent 789db2cc
@@ -40,7 +40,7 @@ module Gitlab
 
Gitlab::LDAP::Authentication.login(login, password)
else
user if user.valid_password?(password)
user if user.active? && user.valid_password?(password)
end
end
end
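Review bot: The new `user.active?` guard covers only the password branch; the LDAP branch two lines above still returns whatever `Gitlab::LDAP::Authentication.login(login, password)` yields, so if that helper does not itself reject blocked and ldap_blocked users (not visible here), an LDAP-backed blocked account can still be authenticated through this method. One way to apply the state check to both branches is to keep the LDAP result in a local, `ldap_user = Gitlab::LDAP::Authentication.login(login, password)`, and return `ldap_user if ldap_user && ldap_user.active?`. The enclosing method starts before this hunk, so where `user` comes from is not visible. Note that the ldap_blocked example added in spec/lib/gitlab/auth_spec.rb sits outside the "with ldap enabled" context, so it exercises only the password branch.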
@@ -210,6 +210,18 @@ describe Gitlab::Auth, lib: true do
end
end
 
it "does not find user in blocked state" do
user.block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
it "does not find user in ldap_blocked state" do
user.ldap_block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
context "with ldap enabled" do
before do
allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
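Review bot: The assertion in the two new examples, `expect( gl_auth.find_with_user_password(username, password) ).not_to eql user`, also passes if the lookup returns some other user or any unexpected non-nil value, so it does not pin the contract that a non-active user is never authenticated. `expect(gl_auth.find_with_user_password(username, password)).to be_nil` states the expected result directly and, as a point of style, drops the spaces inside the parentheses that the surrounding calls (e.g. the `allow(...)` line below) do not use. Blank lines between the added examples appear to have been dropped by the page rendering, so spacing cannot be judged here.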
@@ -39,4 +39,22 @@ describe API::API, api: true do
end
end
end
describe "when user is blocked" do
it "returns authentication error" do
user.block
get api("/user"), access_token: token.token
expect(response).to have_http_status(401)
end
end
describe "when user is ldap_blocked" do
it "returns authentication error" do
user.ldap_block
get api("/user"), access_token: token.token
expect(response).to have_http_status(401)
end
end
end
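Review bot: The two new blocks use `describe "when user is blocked"` / `describe "when user is ldap_blocked"` for a condition on the subject, whereas the other specs in this commit (the hunks at `@@ -29,5 +29,27 @@` and `@@ -87,5 +87,23 @@`) use `context` for the same wording; `context "when user is blocked" do` keeps the files consistent. The blocked and ldap_blocked examples here and in those two hunks differ only in the method called on `user`, so a shared example parameterised on the blocking method would remove the copy-paste, at some cost to the readability of failure messages. Whether `token.token` is created before or after the block depends on a `let` outside this hunk, which is what makes the 401 come from the state check rather than from token lookup.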
@@ -29,5 +29,27 @@ describe API::API, api: true do
expect(json_response['access_token']).not_to be_nil
end
end
context "when user is blocked" do
it "does not create an access token" do
user = create(:user)
user.block
request_oauth_token(user)
expect(response).to have_http_status(401)
end
end
context "when user is ldap_blocked" do
it "does not create an access token" do
user = create(:user)
user.ldap_block
request_oauth_token(user)
expect(response).to have_http_status(401)
end
end
end
end
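Review bot: The examples named "does not create an access token" check only `have_http_status(401)`; the status alone does not show that no token was issued, which is the property the example name promises. Adding `expect(json_response['access_token']).to be_nil` (the helper already used at the top of this hunk) after the status check pins that, assuming the error response is JSON as the success case is — not verifiable here. The `/session` hunk at `@@ -87,5 +87,23 @@` has the same status-only assertion, and since the commit description says that endpoint reveals the authentication token, asserting there that the body carries no token field is the more direct check of the fix.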
@@ -87,5 +87,23 @@ describe API::Session, api: true do
expect(response).to have_http_status(400)
end
end
context "when user is blocked" do
it "returns authentication error" do
user.block
post api("/session"), email: user.username, password: user.password
expect(response).to have_http_status(401)
end
end
context "when user is ldap_blocked" do
it "returns authentication error" do
user.ldap_block
post api("/session"), email: user.username, password: user.password
expect(response).to have_http_status(401)
end
end
end
end
@@ -221,12 +221,20 @@ describe 'Git HTTP requests', lib: true do
end
 
context "when the user is blocked" do
it "responds with status 404" do
it "responds with status 401" do
user.block
project.team << [user, :master]
 
download(path, env) do |response|
expect(response).to have_http_status(404)
expect(response).to have_http_status(401)
end
end
it "responds with status 401 for unknown projects (no project existence information leak)" do
user.block
download('doesnt/exist.git', env) do |response|
expect(response).to have_http_status(401)
end
end
end
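Review bot: Every other spec in this commit covers both `user.block` and `user.ldap_block`, but the git HTTP context here only exercises `block`; whether the ldap_blocked state takes the same path cannot be confirmed from this hunk, so an `it "responds with status 401 for ldap_blocked users"` example (or a shared example over both states) would close the gap. Both new examples call `user.block` in their bodies; since the context is already named "when the user is blocked", hoisting it into `before { user.block }` keeps the setup in one place. The `context` block opened at the top of this hunk closes on its last line, but the enclosing describe continues beyond it.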