# frozen_string_literal: true
require 'spec_helper'
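RSpec.describe 'OAuth tokens', feature_category: :authentication_and_authorization do
  include HttpBasicAuthHelpers

  # Request specs for the Resource Owner Password Credentials grant
  # (POST /oauth/token with grant_type=password). Because this grant takes
  # the user's password directly, the examples pin down which account states
  # must be refused a token (2FA required, blocked, LDAP-blocked, unconfirmed)
  # and how the optional OAuth client credentials affect the outcome.
  context 'Resource Owner Password Credentials' do
    # Posts a password-grant token request on behalf of +user+.
    #
    # @param user [User] account whose username and password are submitted
    # @param headers [Hash] extra request headers, typically an HTTP Basic
    #   Authorization header carrying the OAuth client's uid/secret
    def request_oauth_token(user, headers = {})
      post '/oauth/token',
        params: { username: user.username, password: user.password, grant_type: 'password' },
        headers: headers
    end

    let_it_be(:client) { create(:oauth_application) }

    # A password grant has no way to complete the second factor, so a user
    # with 2FA enabled must be rejected with +invalid_grant+ rather than
    # receive a token that bypasses their second factor.
    context 'when user has 2FA enabled' do
      it 'does not create an access token' do
        user = create(:user, :two_factor)

        request_oauth_token(user, client_basic_auth_header(client))

        expect(response).to have_gitlab_http_status(:bad_request)
        expect(json_response['error']).to eq('invalid_grant')
      end
    end

    # Instance-wide 2FA enforcement: a user who has not yet set up 2FA may
    # still obtain a token only while the grace period is running.
    context 'when 2FA enforced' do
      let_it_be(:user) { create(:user, otp_grace_period_started_at: 1.day.ago) }

      before do
        stub_application_setting(require_two_factor_authentication: true)
      end

      context 'when grace period expired' do
        before do
          # Zero-hour grace period: the day-old grace start is already past.
          stub_application_setting(two_factor_grace_period: 0)
        end

        it 'does not create an access token' do
          request_oauth_token(user, client_basic_auth_header(client))

          expect(response).to have_gitlab_http_status(:bad_request)
          expect(json_response['error']).to eq('invalid_grant')
        end
      end

      context 'when grace period is not expired' do
        before do
          # 72-hour grace period comfortably covers a grace start of 1 day ago.
          stub_application_setting(two_factor_grace_period: 72)
        end

        it 'creates an access token' do
          request_oauth_token(user, client_basic_auth_header(client))

          expect(response).to have_gitlab_http_status(:ok)
          expect(json_response['access_token']).to be_present
        end
      end
    end

    context 'when user does not have 2FA enabled' do
      # The client is optional for this grant: omitting client credentials
      # entirely still yields a token.
      context 'when no client credentials provided' do
        it 'creates an access token' do
          user = create(:user)

          request_oauth_token(user)

          expect(response).to have_gitlab_http_status(:ok)
          expect(json_response['access_token']).to be_present
        end
      end

      context 'when client credentials provided' do
        context 'with valid credentials' do
          it 'creates an access token' do
            user = create(:user)

            request_oauth_token(user, client_basic_auth_header(client))

            expect(response).to have_gitlab_http_status(:ok)
            expect(json_response['access_token']).to be_present
          end
        end

        # A wrong client secret must be reported as a client error
        # (+invalid_client+, 401), independent of the user's credentials.
        context 'with invalid credentials' do
          it 'does not create an access token' do
            user = create(:user)

            request_oauth_token(user, basic_auth_header(client.uid, 'invalid secret'))

            expect(response).to have_gitlab_http_status(:unauthorized)
            expect(json_response['error']).to eq('invalid_client')
          end
        end
      end
    end

    # Shared by the account-state contexts below. +include_examples+ inlines
    # this +let+ into the including context, which is why the +before+ hooks
    # there can refer to +user+ without defining it themselves.
    #
    # NOTE(review): only the status is asserted here; the 2FA and client
    # examples above also pin the error body — consider asserting it here too.
    shared_examples 'does not create an access token' do
      let(:user) { create(:user) }

      it { expect(response).to have_gitlab_http_status(:bad_request) }
    end

    context 'when user is blocked' do
      before do
        user.block

        request_oauth_token(user, client_basic_auth_header(client))
      end

      include_examples 'does not create an access token'
    end

    context 'when user is ldap_blocked' do
      before do
        user.ldap_block

        request_oauth_token(user, client_basic_auth_header(client))
      end

      include_examples 'does not create an access token'
    end

    context 'when user account is not confirmed' do
      before do
        user.update!(confirmed_at: nil)

        request_oauth_token(user, client_basic_auth_header(client))
      end

      include_examples 'does not create an access token'
    end
  end
end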