Allow reset password when password auth is partially disabled

Regression was caused in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3815 Changelog: fixed

Allow reset password when password auth is partially disabled
9198967a · Bogdan Denkovych · d02cd1e5 · 9198967a · 9198967a
Verified Commit 9198967a authored 11 months ago by Bogdan Denkovych
--- a/app/models/concerns/recoverable_by_any_email.rb
+++ b/app/models/concerns/recoverable_by_any_email.rb
@@ -14,7 +14,11 @@ def send_reset_password_instructions(attributes = {})
      return super unless email
      recoverable = email.user
-      return recoverable.password_auth_unavailable_error! unless recoverable.allow_password_authentication_for_web?
+      unless recoverable.allow_password_authentication?
+        recoverable.errors.add(:password, :unavailable, message: _('Password authentication is unavailable.'))
+        return recoverable
+      end
      recoverable.send_reset_password_instructions(to: email.email)
      recoverable
@@ -29,11 +33,6 @@ def send_reset_password_instructions(opts = {})
    token
  end
-  def password_auth_unavailable_error!
-    errors.add(:password, :unavailable, message: _('Password authentication is unavailable.'))
-    self
-  end
  protected
  def send_reset_password_instructions_notification(token, opts = {})

--- a/spec/models/concerns/recoverable_by_any_email_spec.rb
+++ b/spec/models/concerns/recoverable_by_any_email_spec.rb
@@ -68,8 +68,11 @@
    end
    shared_examples "does not send 'Reset password instructions' email when password auth is not allowed" do
-      it 'find the user with error' do
+      it 'finds the user' do
-        expect(send_reset_password_instructions).to be_instance_of User
+        expect(send_reset_password_instructions).to eq(expected_user)
+      end
+      it 'returns the user with error' do
        expect(send_reset_password_instructions.errors[:password])
          .to include(_('Password authentication is unavailable.'))
      end
@@ -91,14 +94,6 @@
      let(:email) { user_confirmed_primary_email }
      it_behaves_like "sends 'Reset password instructions' email"
-      context 'when password authentication is not allowed' do
-        before do
-          allow(Gitlab::CurrentSettings).to receive_messages(password_authentication_enabled_for_web?: false)
-        end
-        it_behaves_like "does not send 'Reset password instructions' email when password auth is not allowed"
-      end
    end
    context "when email param matches user's unconfirmed primary email" do
@@ -167,22 +162,52 @@
      it_behaves_like "does not send 'Reset password instructions' email"
    end
-    context 'with an LDAP user' do
+    context 'for password authentication availability' do
-      let_it_be(:ldap_user) { create(:omniauth_user, :ldap) }
+      let(:expected_user) { create(:user) }
+      let(:email) { expected_user.email }
-      context 'with a confirmed primary email' do
+      it_behaves_like "sends 'Reset password instructions' email"
-        let(:email) { ldap_user.email }
-        it_behaves_like "does not send 'Reset password instructions' email when password auth is not allowed"
+      context 'when password authentication is disabled for web' do
+        before do
+          stub_application_setting(password_authentication_enabled_for_web: false)
+        end
+        it_behaves_like "sends 'Reset password instructions' email"
      end
-      context 'with a confirmed secondary email' do
+      context 'when password authentication is disabled for git' do
-        let(:email) do
+        before do
-          create(:email, :confirmed, user: ldap_user, email: 'confirmed-secondary-ldap-email@example.com').email
+          stub_application_setting(password_authentication_enabled_for_git: false)
+        end
+        it_behaves_like "sends 'Reset password instructions' email"
+      end
+      context 'when password authentication is disabled' do
+        before do
+          stub_application_setting(password_authentication_enabled_for_web: false)
+          stub_application_setting(password_authentication_enabled_for_git: false)
        end
        it_behaves_like "does not send 'Reset password instructions' email when password auth is not allowed"
      end
+      context 'for an LDAP user' do
+        let(:expected_user) { create(:omniauth_user, :ldap) }
+        context "when email param is user's primary email" do
+          it_behaves_like "does not send 'Reset password instructions' email when password auth is not allowed"
+        end
+        context "when email param is user's confirmed secondary email" do
+          let(:email) do
+            create(:email, :confirmed, user: expected_user, email: 'confirmed-secondary-ldap-email@example.com').email
+          end
+          it_behaves_like "does not send 'Reset password instructions' email when password auth is not allowed"
+        end
+      end
    end
  end
 end