Allow CI to clone public projects when HTTP protocol is disabled

GitLab has a mechanism that allows CI to clone repositories via HTTP
even when the HTTP protocol is disabled. This works as expected
when a project is private or internal. However, when a project is
public CI gets an error message that HTTP is not allowed. This
happens because Git only sends auth in a subsequent request after a
401 is returned first. For public projects, GitLab grabs onto that
unauthenticated request and sends it through since it recognizes
that Guests are ordinarily allowed to access the repository.
Later on this leads to a 403 since HTTP protocol is disabled.
Fix this by only continuing with unauthenticated requests when
HTTP is allowed.
This commit is contained in:
Drew Blessing 2019-08-08 14:56:36 -05:00
parent 7f9c653ef4
commit 7f00bcb92e
3 changed files with 22 additions and 1 deletions

View file

@ -49,7 +49,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
send_final_spnego_response send_final_spnego_response
return # Allow access return # Allow access
end end
elsif project && download_request? && Guest.can?(:download_code, project) elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code]) @authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
return # Allow access return # Allow access
@ -113,4 +114,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
def ci? def ci?
authentication_result.ci?(project) authentication_result.ci?(project)
end end
def http_allowed?
Gitlab::ProtocolAccess.allowed?('http')
end
end end

View file

@ -0,0 +1,5 @@
---
title: Allow CI to clone public projects when HTTP protocol is disabled
merge_request: 31632
author:
type: fixed

View file

@ -12,4 +12,15 @@ describe Projects::GitHttpController do
expect(response.status).to eq(403) expect(response.status).to eq(403)
end end
end end
describe 'GET #info_refs' do
it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
stub_application_setting(enabled_git_access_protocol: 'ssh')
project = create(:project, :public, :repository)
get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
expect(response.status).to eq(401)
end
end
end end