Don't allow blocked users to authenticate through other means

Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.

lib/gitlab/auth.rb

@@ -40,7 +40,7 @@ module Gitlab
 
             Gitlab::LDAP::Authentication.login(login, password)
           else
-            user if user.valid_password?(password)
+            user if user.active? && user.valid_password?(password)
           end
         end
       end

spec/lib/gitlab/auth_spec.rb

@@ -210,6 +210,18 @@ describe Gitlab::Auth, lib: true do
       end
     end
 
+    it "does not find user in blocked state" do
+      user.block
+
+      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+    end
+
+    it "does not find user in ldap_blocked state" do
+      user.ldap_block
+
+      expect( gl_auth.find_with_user_password(username, password) ).not_to eql user
+    end
+
     context "with ldap enabled" do
       before do
         allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)

spec/requests/api/doorkeeper_access_spec.rb

@@ -39,4 +39,22 @@ describe API::API, api: true do
       end
     end
   end
+
+  describe "when user is blocked" do
+    it "returns authentication error" do
+      user.block
+      get api("/user"), access_token: token.token
+
+      expect(response).to have_http_status(401)
+    end
+  end
+
+  describe "when user is ldap_blocked" do
+    it "returns authentication error" do
+      user.ldap_block
+      get api("/user"), access_token: token.token
+
+      expect(response).to have_http_status(401)
+    end
+  end
 end

spec/requests/api/oauth_tokens_spec.rb

@@ -29,5 +29,27 @@ describe API::API, api: true  do
         expect(json_response['access_token']).not_to be_nil
       end
     end
+
+    context "when user is blocked" do
+      it "does not create an access token" do
+        user = create(:user)
+        user.block
+
+        request_oauth_token(user)
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
+    context "when user is ldap_blocked" do
+      it "does not create an access token" do
+        user = create(:user)
+        user.ldap_block
+
+        request_oauth_token(user)
+
+        expect(response).to have_http_status(401)
+      end
+    end
   end
 end

spec/requests/api/session_spec.rb

@@ -87,5 +87,23 @@ describe API::Session, api: true  do
         expect(response).to have_http_status(400)
       end
     end
+
+    context "when user is blocked" do
+      it "returns authentication error" do
+        user.block
+        post api("/session"), email: user.username, password: user.password
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
+    context "when user is ldap_blocked" do
+      it "returns authentication error" do
+        user.ldap_block
+        post api("/session"), email: user.username, password: user.password
+
+        expect(response).to have_http_status(401)
+      end
+    end
   end
 end

spec/requests/git_http_spec.rb

@@ -221,12 +221,20 @@ describe 'Git HTTP requests', lib: true do
               end
 
               context "when the user is blocked" do
-                it "responds with status 404" do
+                it "responds with status 401" do
                   user.block
                   project.team << [user, :master]
 
                   download(path, env) do |response|
-                    expect(response).to have_http_status(404)
+                    expect(response).to have_http_status(401)
+                  end
+                end
+
+                it "responds with status 401 for unknown projects (no project existence information leak)" do
+                  user.block
+
+                  download('doesnt/exist.git', env) do |response|
+                    expect(response).to have_http_status(401)
                   end
                 end
               end