
Return 401 when a user signs in but password authentication is not allowed

What does this MR do and why?

In https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3870 we ensured that an LDAP user cannot sign in with a local password if one was somehow set for that user, via the Rails console for instance. To achieve that, we followed the WIP "disable password authentication for Enterprise Users" implementation, which is behind a feature flag (FF).

In https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/229#note_1816866805 we noticed that when an LDAP user signs in with standard login/password authentication, the response to this request is 302. Also, such a request is not logged as a failed sign-in attempt. It

We should ensure that the response status in that case is the same as when a user signs in with an invalid login/password.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create an LDAP user.
  2. Set a password for that user via the Rails console (https://docs.gitlab.com/ee/security/reset_user_password.html#use-a-rails-console). Ensure user.password_automatically_set = false.
  3. Try to sign in to that user account via standard login/password authentication:

(Screenshot of the sign-in attempt, taken 2024-03-19, omitted.)

In log/application_json.log you should see an entry similar to:

{"severity":"INFO","time":"2024-03-19T12:51:23.147Z","correlation_id":"01HSBC8CYPFWQJ3KD5JNEY2PXR","meta.caller_id":"SessionsController#new","meta.remote_ip":"127.0.0.1","meta.feature_category":"system_access","meta.client_id":"ip/127.0.0.1","message":"Failed Login: username=root ip=127.0.0.1"}

In log/development.log you should see that the POST "/users/sign_in" request completed with 401 Unauthorized, and the user should land on the /users/sign_in page with a 200 OK status and see the "Invalid login or password." message.
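The "Failed Login" entry above only becomes useful for monitoring because this change makes the disallowed-password path log the same way as a wrong password. As an added example (not part of the MR or GitLab's code), the following Ruby script parses lines in that log format from log/application_json.log and flags source IPs with repeated failures inside a time window; the sample log lines, the threshold and the window are constructed.

```ruby
require 'json'
require 'time'

# Constructed sample of log/application_json.log lines. The message format
# "Failed Login: username=... ip=..." mirrors the entry quoted in the MR;
# the timestamps, IPs and the non-matching lines are made up.
SAMPLE_LOG = <<~LOG
  {"severity":"INFO","time":"2024-03-19T12:51:23.147Z","meta.caller_id":"SessionsController#new","meta.remote_ip":"127.0.0.1","message":"Failed Login: username=root ip=127.0.0.1"}
  {"severity":"INFO","time":"2024-03-19T12:51:25.002Z","meta.caller_id":"SessionsController#new","meta.remote_ip":"127.0.0.1","message":"Failed Login: username=root ip=127.0.0.1"}
  {"severity":"INFO","time":"2024-03-19T12:51:26.410Z","meta.caller_id":"SessionsController#new","meta.remote_ip":"10.0.0.7","message":"Failed Login: username=alice ip=10.0.0.7"}
  {"severity":"INFO","time":"2024-03-19T12:52:00.000Z","meta.caller_id":"ProjectsController#show","meta.remote_ip":"127.0.0.1","message":"some unrelated entry"}
  not json at all
LOG

FAILED_LOGIN_RE = /\AFailed Login: username=(?<username>\S+) ip=(?<ip>\S+)\z/

# Returns one hash per failed sign-in attempt ({time:, username:, ip:}).
# Lines that are not JSON or whose message is not a failed login are skipped.
def failed_logins(log_text)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    m = FAILED_LOGIN_RE.match(entry['message'].to_s) or next
    { time: Time.iso8601(entry['time']), username: m[:username], ip: m[:ip] }
  end
end

# Returns the IPs that produced at least `threshold` failed attempts within any
# window of `window_seconds` (a simple password-guessing signal). Uses a two
# pointer sweep over the sorted timestamps of each IP.
def ips_over_threshold(attempts, threshold:, window_seconds:)
  attempts.group_by { |a| a[:ip] }.filter_map do |ip, list|
    times = list.map { |a| a[:time] }.sort
    j = 0 # index of the oldest attempt still inside the window ending at t
    hit = times.each_with_index.any? do |t, i|
      j += 1 while times[j] < t - window_seconds
      i - j + 1 >= threshold
    end
    ip if hit
  end
end

if $PROGRAM_NAME == __FILE__
  attempts = failed_logins(SAMPLE_LOG)
  puts "#{attempts.size} failed sign-in attempts parsed"
  puts "IPs over threshold: #{ips_over_threshold(attempts, threshold: 2, window_seconds: 60)}"
end
```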

Edited by Bogdan Denkovych
