Commit 1367e4ff authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch '44389-always-allow-http-for-ci-git-operations' into 'master'

Resolve "Allow HTTPS cloning by Runners if it is disabled for users"

Closes #44389

See merge request gitlab-org/gitlab-ce!18021
parents 160b4827 9750006b
...@@ -7,6 +7,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -7,6 +7,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
attr_reader :authentication_result, :redirected_path attr_reader :authentication_result, :redirected_path
delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result
alias_method :user, :actor alias_method :user, :actor
alias_method :authenticated_user, :actor alias_method :authenticated_user, :actor
......
...@@ -64,7 +64,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController ...@@ -64,7 +64,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
@access ||= access_klass.new(access_actor, project, @access ||= access_klass.new(access_actor, project,
'http', authentication_abilities: authentication_abilities, 'http', authentication_abilities: authentication_abilities,
namespace_path: params[:namespace_id], project_path: project_path, namespace_path: params[:namespace_id], project_path: project_path,
redirected_path: redirected_path) redirected_path: redirected_path, auth_result_type: auth_result_type)
end end
def access_actor def access_actor
......
---
title: Allow HTTP(s) when git request is made by GitLab CI
merge_request: 18021
author:
type: changed
...@@ -32,9 +32,15 @@ When you choose to allow only one of the protocols, a couple of things will happ ...@@ -32,9 +32,15 @@ When you choose to allow only one of the protocols, a couple of things will happ
On top of these UI restrictions, GitLab will deny all Git actions on the protocol On top of these UI restrictions, GitLab will deny all Git actions on the protocol
not selected. not selected.
CAUTION: **Important:**
Starting with [GitLab 10.7][ce-18021], HTTP(s) protocol will be allowed for
git clone/fetch requests done by GitLab Runner from CI/CD Jobs, even if
_Only SSH_ was selected.
> **Note:** Please keep in mind that disabling an access protocol does not actually > **Note:** Please keep in mind that disabling an access protocol does not actually
block access to the server itself. The ports used for the protocol, be it SSH or block access to the server itself. The ports used for the protocol, be it SSH or
HTTP, will still be accessible. What GitLab does is restrict access on the HTTP, will still be accessible. What GitLab does is restrict access on the
application level. application level.
[ce-4696]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4696 [ce-4696]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4696
[ce-18021]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18021
...@@ -29,9 +29,9 @@ module Gitlab ...@@ -29,9 +29,9 @@ module Gitlab
PUSH_COMMANDS = %w{ git-receive-pack }.freeze PUSH_COMMANDS = %w{ git-receive-pack }.freeze
ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path, :auth_result_type
def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil) def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil, auth_result_type: nil)
@actor = actor @actor = actor
@project = project @project = project
@protocol = protocol @protocol = protocol
...@@ -39,6 +39,7 @@ module Gitlab ...@@ -39,6 +39,7 @@ module Gitlab
@namespace_path = namespace_path @namespace_path = namespace_path
@project_path = project_path @project_path = project_path
@redirected_path = redirected_path @redirected_path = redirected_path
@auth_result_type = auth_result_type
end end
def check(cmd, changes) def check(cmd, changes)
...@@ -78,6 +79,12 @@ module Gitlab ...@@ -78,6 +79,12 @@ module Gitlab
authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
end end
def request_from_ci_build?
return false unless protocol == 'http'
auth_result_type == :build || auth_result_type == :ci
end
def protocol_allowed? def protocol_allowed?
Gitlab::ProtocolAccess.allowed?(protocol) Gitlab::ProtocolAccess.allowed?(protocol)
end end
...@@ -93,6 +100,8 @@ module Gitlab ...@@ -93,6 +100,8 @@ module Gitlab
end end
def check_protocol! def check_protocol!
return if request_from_ci_build?
unless protocol_allowed? unless protocol_allowed?
raise UnauthorizedError, "Git access over #{protocol.upcase} is not allowed" raise UnauthorizedError, "Git access over #{protocol.upcase} is not allowed"
end end
......
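Review bot: The early `return if request_from_ci_build?` in `check_protocol!` skips the instance-wide protocol restriction for every git command, not only clone/fetch, because `request_from_ci_build?` looks at `protocol` and `auth_result_type` but never at the command being run. The documentation added in this merge request promises the exception only for clone/fetch, so the exemption should either be narrowed to `DOWNLOAD_COMMANDS` or carry a comment naming the later check that rejects `git-receive-pack` for build credentials; that check is not visible in these hunks. A comment above the guard such as `# CI job credentials (:build, legacy :ci) bypass the admin protocol setting for HTTP(S) only; pushes are rejected by <name of later check>` would make the bypass auditable. The body of `check_protocol!` ends outside the hunk.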
...@@ -10,12 +10,13 @@ describe Gitlab::GitAccess do ...@@ -10,12 +10,13 @@ describe Gitlab::GitAccess do
let(:protocol) { 'ssh' } let(:protocol) { 'ssh' }
let(:authentication_abilities) { %i[read_project download_code push_code] } let(:authentication_abilities) { %i[read_project download_code push_code] }
let(:redirected_path) { nil } let(:redirected_path) { nil }
let(:auth_result_type) { nil }
let(:access) do let(:access) do
described_class.new(actor, project, described_class.new(actor, project,
protocol, authentication_abilities: authentication_abilities, protocol, authentication_abilities: authentication_abilities,
namespace_path: namespace_path, project_path: project_path, namespace_path: namespace_path, project_path: project_path,
redirected_path: redirected_path) redirected_path: redirected_path, auth_result_type: auth_result_type)
end end
let(:changes) { '_any' } let(:changes) { '_any' }
...@@ -45,6 +46,7 @@ describe Gitlab::GitAccess do ...@@ -45,6 +46,7 @@ describe Gitlab::GitAccess do
before do before do
disable_protocol('http') disable_protocol('http')
project.add_master(user)
end end
it 'blocks http push and pull' do it 'blocks http push and pull' do
...@@ -53,6 +55,26 @@ describe Gitlab::GitAccess do ...@@ -53,6 +55,26 @@ describe Gitlab::GitAccess do
expect { pull_access_check }.to raise_unauthorized('Git access over HTTP is not allowed') expect { pull_access_check }.to raise_unauthorized('Git access over HTTP is not allowed')
end end
end end
context 'when request is made from CI' do
let(:auth_result_type) { :build }
it "doesn't block http pull" do
aggregate_failures do
expect { pull_access_check }.not_to raise_unauthorized('Git access over HTTP is not allowed')
end
end
context 'when legacy CI credentials are used' do
let(:auth_result_type) { :ci }
it "doesn't block http pull" do
aggregate_failures do
expect { pull_access_check }.not_to raise_unauthorized('Git access over HTTP is not allowed')
end
end
end
end
end end
end end
......
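Review bot: The new examples under `'when request is made from CI'` cover only the allowed path (`pull_access_check` with `:build` and `:ci`), so nothing pins the limits of the exemption. There is no example showing that an HTTP push from a CI request is still rejected while HTTP is disabled, and none showing that `auth_result_type` `:build` has no effect when `protocol` is `'ssh'`. `not_to raise_unauthorized('Git access over HTTP is not allowed')` is also a weak assertion if the helper matches on the message, since any other error would let the example pass; `expect { pull_access_check }.not_to raise_error` states the intent more strictly. The `aggregate_failures` wrapper around a single expectation can be dropped.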