authorTomasz Maczukin <tomasz@maczukin.pl>2018-03-27 17:35:27 +0200
committerTomasz Maczukin <tomasz@maczukin.pl>2018-04-05 12:35:12 +0200
commitedcba1aa277c731ae2e375a571601d527c0ff6dc (patch)
tree9b4c73d5c3c6938160a6929254ee407275e9b8a9
parentb15dd5dfa2ac269763d6342d7f0b3d9a64eb7fe4 (diff)
downloadgitlab-ce-edcba1aa277c731ae2e375a571601d527c0ff6dc.tar.gz
Allow HTTP(s) when git request is made by GitLab CI
-rw-r--r--app/controllers/projects/git_http_client_controller.rb1
-rw-r--r--app/controllers/projects/git_http_controller.rb2
-rw-r--r--lib/gitlab/git_access.rb13
-rw-r--r--spec/lib/gitlab/git_access_spec.rb24
4 files changed, 36 insertions, 4 deletions
diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index dd5e66f60e3..07249fe3182 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -7,6 +7,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
attr_reader :authentication_result, :redirected_path
delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
+ delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result
alias_method :user, :actor
alias_method :authenticated_user, :actor
diff --git a/app/controllers/projects/git_http_controller.rb b/app/controllers/projects/git_http_controller.rb
index 45910a9be44..1dcf837f78e 100644
--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -64,7 +64,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
@access ||= access_klass.new(access_actor, project,
'http', authentication_abilities: authentication_abilities,
namespace_path: params[:namespace_id], project_path: project_path,
- redirected_path: redirected_path)
+ redirected_path: redirected_path, auth_result_type: auth_result_type)
end
def access_actor
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index ed0644f6cf1..6a01957184d 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -29,9 +29,9 @@ module Gitlab
PUSH_COMMANDS = %w{ git-receive-pack }.freeze
ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
- attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path
+ attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path, :auth_result_type
- def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil)
+ def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil, auth_result_type: nil)
@actor = actor
@project = project
@protocol = protocol
@@ -39,6 +39,7 @@ module Gitlab
@namespace_path = namespace_path
@project_path = project_path
@redirected_path = redirected_path
+ @auth_result_type = auth_result_type
end
def check(cmd, changes)
@@ -78,6 +79,12 @@ module Gitlab
authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
end
+ def request_from_ci_build?
+ return false unless protocol == 'http'
+
+ auth_result_type == :build || auth_result_type == :ci
+ end
+
def protocol_allowed?
Gitlab::ProtocolAccess.allowed?(protocol)
end
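Review bot: `request_from_ci_build?` gives no reason for exempting CI requests from the instance's protocol policy, and the `:ci` branch is the only hint that a second, older credential type is being grandfathered in; a reader of `git_access.rb` alone cannot tell what `:build` and `:ci` denote or who sets them. I would add above the method a comment along the lines of `# A CI job token only ever talks to us over HTTP(S), so an admin's protocol restriction (aimed at human users) must not break pipelines. :build is the job-token actor, :ci the legacy CI credential.` — the first clause is my reading of the commit title and should be confirmed. The two equality tests read more directly as `%i[build ci].include?(auth_result_type)`, and since the method accepts `:ci` as well, a name such as `request_from_ci?` would match what it actually checks.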
@@ -93,6 +100,8 @@ module Gitlab
end
def check_protocol!
+ return if request_from_ci_build?
+
unless protocol_allowed?
raise UnauthorizedError, "Git access over #{protocol.upcase} is not allowed"
end
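Review bot: The added early return skips `check_protocol!` for every git command, not only fetches: with `auth_result_type` of `:build` or `:ci`, a `git-receive-pack` over a disabled HTTP protocol is no longer rejected here, and whether it is rejected at all now rests on the ability checks that `check` runs later, which this hunk does not show. If the intent is only to let CI clone, that should be enforced rather than assumed — have `check(cmd, changes)` pass the command down, `def check_protocol!(cmd)`, and narrow the exemption to `return if request_from_ci_build? && DOWNLOAD_COMMANDS.include?(cmd)`. The exemption also makes `auth_result_type` a policy input, so a one-line comment that it must come only from the controller's authentication result and never from request parameters would protect the next caller of this constructor. The method's closing `end` lies outside the hunk.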
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index f8f09d29c73..b845abab5ef 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -10,12 +10,13 @@ describe Gitlab::GitAccess do
let(:protocol) { 'ssh' }
let(:authentication_abilities) { %i[read_project download_code push_code] }
let(:redirected_path) { nil }
+ let(:auth_result_type) { nil }
let(:access) do
described_class.new(actor, project,
protocol, authentication_abilities: authentication_abilities,
namespace_path: namespace_path, project_path: project_path,
- redirected_path: redirected_path)
+ redirected_path: redirected_path, auth_result_type: auth_result_type)
end
let(:changes) { '_any' }
@@ -45,6 +46,7 @@ describe Gitlab::GitAccess do
before do
disable_protocol('http')
+ project.add_master(user)
end
it 'blocks http push and pull' do
@@ -53,6 +55,26 @@ describe Gitlab::GitAccess do
expect { pull_access_check }.to raise_unauthorized('Git access over HTTP is not allowed')
end
end
+
+ context 'when request is made from CI' do
+ let(:auth_result_type) { :build }
+
+ it "doesn't block http pull" do
+ aggregate_failures do
+ expect { pull_access_check }.not_to raise_unauthorized('Git access over HTTP is not allowed')
+ end
+ end
+
+ context 'when legacy CI credentials are used' do
+ let(:auth_result_type) { :ci }
+
+ it "doesn't block http pull" do
+ aggregate_failures do
+ expect { pull_access_check }.not_to raise_unauthorized('Git access over HTTP is not allowed')
+ end
+ end
+ end
+ end
end
end
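Review bot: The two new contexts exercise only `pull_access_check`, so nothing pins what happens to an HTTP push from a `:build` or `:ci` actor while HTTP is disabled; with `authentication_abilities` defaulting to `%i[read_project download_code push_code]` and the `project.add_master(user)` added in the earlier hunk, a push would presumably pass now, and the spec should say whether that is intended. I would add next to each pull example `it 'still blocks http push' do expect { push_access_check }.to raise_unauthorized('Git access over HTTP is not allowed') end` (assuming `push_access_check` is defined alongside `pull_access_check`, as the 'blocks http push and pull' example suggests), or the explicit positive form if pushes are meant to be allowed. `aggregate_failures` around a single expectation adds nothing and can be dropped. If `raise_unauthorized` wraps `raise_error` with a class and message, RSpec treats the negated form as a potential false positive; a bare `expect { pull_access_check }.not_to raise_error` is the safe way to assert the pull goes through.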