Fix sessions controller

app/controllers/sessions_controller.rb

@@ -76,7 +76,7 @@ class SessionsController < Devise::SessionsController
         flash[:notice] = nil
       end
 
-      if password_based_login? && !resource.allow_password_authentication_for_web?
+      if password_based_login? && resource.user_authorized_by_provisioning_group?
         sign_out
         flash[:alert] = _('You are not allowed to log in using password')
         redirect_to new_user_session_path

app/models/user.rb

@@ -1121,6 +1121,11 @@ class User < ApplicationRecord
     Gitlab::CurrentSettings.password_authentication_enabled_for_git? && !password_based_omniauth_user?
   end
 
+  #method overriden in EE
+  def user_authorized_by_provisioning_group?
+    false
+  end
+
   def can_change_username?
     gitlab_config.username_changing_enabled
   end

ee/app/models/ee/user.rb

@@ -328,6 +328,7 @@ module EE
       super
     end
 
+    override :user_authorized_by_provisioning_group?
     def user_authorized_by_provisioning_group?
       user_detail.provisioned_by_group? && ::Feature.enabled?(:block_password_auth_for_saml_users, user_detail.provisioned_by_group, type: :ops)
     end

spec/controllers/sessions_controller_spec.rb

@@ -119,17 +119,6 @@ RSpec.describe SessionsController do
         end
       end
 
-      context 'when user is not allowed to log in using password' do
-        let(:user) { create(:omniauth_user, provider: 'ldapmain')}
-
-        it 'does not authenticate the user' do
-          post_action
-
-          expect(@request.env['warden']).not_to be_authenticated
-          expect(flash[:alert]).to include('You are not allowed to log in using password')
-        end
-      end
-
       context 'when using valid password', :clean_gitlab_redis_shared_state do
         let(:user) { create(:user) }
         let(:user_params) { { login: user.username, password: user.password } }