kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Don't allow blocked users to authenticate through other means

Browse source 
Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.
This commit is contained in:
Markus Koller 2017-01-18 11:23:25 +01:00 committed by Alexis Reigel
parent 789db2cc19
commit 93daeee164
6 changed files with 81 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/gitlab/auth.rb
View file

@ -40,7 +40,7 @@ module Gitlab
Gitlab::LDAP::Authentication.login(login, password)
else
user if user.valid_password?(password)
user if user.active? && user.valid_password?(password)
end
end
end

12
spec/lib/gitlab/auth_spec.rb
View file

@ -210,6 +210,18 @@ describe Gitlab::Auth, lib: true do
end
end
it "does not find user in blocked state" do
user.block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
it "does not find user in ldap_blocked state" do
user.ldap_block
expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
end
context "with ldap enabled" do
before do
allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)

18
spec/requests/api/doorkeeper_access_spec.rb
View file

@ -39,4 +39,22 @@ describe API::API, api: true do
end
end
end
describe "when user is blocked" do
it "returns authentication error" do
user.block
get api("/user"), access_token: token.token
expect(response).to have_http_status(401)
end
end
describe "when user is ldap_blocked" do
it "returns authentication error" do
user.ldap_block
get api("/user"), access_token: token.token
expect(response).to have_http_status(401)
end
end
end

22
spec/requests/api/oauth_tokens_spec.rb
View file

@ -29,5 +29,27 @@ describe API::API, api: true do
expect(json_response['access_token']).not_to be_nil
end
end
context "when user is blocked" do
it "does not create an access token" do
user = create(:user)
user.block
request_oauth_token(user)
expect(response).to have_http_status(401)
end
end
context "when user is ldap_blocked" do
it "does not create an access token" do
user = create(:user)
user.ldap_block
request_oauth_token(user)
expect(response).to have_http_status(401)
end
end
end
end

18
spec/requests/api/session_spec.rb
View file

@ -87,5 +87,23 @@ describe API::Session, api: true do
expect(response).to have_http_status(400)
end
end
context "when user is blocked" do
it "returns authentication error" do
user.block
post api("/session"), email: user.username, password: user.password
expect(response).to have_http_status(401)
end
end
context "when user is ldap_blocked" do
it "returns authentication error" do
user.ldap_block
post api("/session"), email: user.username, password: user.password
expect(response).to have_http_status(401)
end
end
end
end

12
spec/requests/git_http_spec.rb
View file

@ -221,12 +221,20 @@ describe 'Git HTTP requests', lib: true do
end
context "when the user is blocked" do
it "responds with status 404" do
it "responds with status 401" do
user.block
project.team << [user, :master]
download(path, env) do |response|
expect(response).to have_http_status(404)
expect(response).to have_http_status(401)
end
end
it "responds with status 401 for unknown projects (no project existence information leak)" do
user.block
download('doesnt/exist.git', env) do |response|
expect(response).to have_http_status(401)
end
end
end