Allow CI to clone public projects when HTTP protocol is disabled
GitLab has a mechanism that allows CI to clone repositories via HTTP even when the HTTP protocol is disabled. This works as expected when a project is private or internal. However, when a project is public CI gets an error message that HTTP is not allowed. This happens because Git only sends auth in a subsequent request after a 401 is returned first. For public projects, GitLab grabs onto that unauthenticated request and sends it through since it recognizes that Guests are ordinarily allowed to access the repository. Later on this leads to a 403 since HTTP protocol is disabled. Fix this by only continuing with unauthenticated requests when HTTP is allowed.
This commit is contained in:
parent
7f9c653ef4
commit
7f00bcb92e
3 changed files with 22 additions and 1 deletions
|
@ -49,7 +49,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
|
||||||
send_final_spnego_response
|
send_final_spnego_response
|
||||||
return # Allow access
|
return # Allow access
|
||||||
end
|
end
|
||||||
elsif project && download_request? && Guest.can?(:download_code, project)
|
elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
|
||||||
|
|
||||||
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
|
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
|
||||||
|
|
||||||
return # Allow access
|
return # Allow access
|
||||||
|
@ -113,4 +114,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
|
||||||
def ci?
|
def ci?
|
||||||
authentication_result.ci?(project)
|
authentication_result.ci?(project)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def http_allowed?
|
||||||
|
Gitlab::ProtocolAccess.allowed?('http')
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Allow CI to clone public projects when HTTP protocol is disabled
|
||||||
|
merge_request: 31632
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
@ -12,4 +12,15 @@ describe Projects::GitHttpController do
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(403)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'GET #info_refs' do
|
||||||
|
it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
|
||||||
|
stub_application_setting(enabled_git_access_protocol: 'ssh')
|
||||||
|
project = create(:project, :public, :repository)
|
||||||
|
|
||||||
|
get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
|
||||||
|
|
||||||
|
expect(response.status).to eq(401)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue