Merge branch 'feat/bypass-admin-mode-on-git' into 'master'

Bypass admin mode for internal api operations

See merge request gitlab-org/gitlab!52697

changelogs/unreleased/feat-bypass-admin-mode-on-git.yml

+---
+title: Bypass admin mode for internal api operations (ssh git & http rails)
+merge_request: 52697
+author: Diego Louzán
+type: changed

lib/api/internal/base.rb

@@ -52,7 +52,9 @@ module API
           actor.update_last_used_at!
 
           check_result = begin
-                           access_check!(actor, params)
+                           Gitlab::Auth::CurrentUserMode.bypass_session!(actor.user&.id) do
+                             access_check!(actor, params)
+                           end
                          rescue Gitlab::GitAccess::ForbiddenError => e
                            # The return code needs to be 401. If we return 403
                            # the custom message we return won't be shown to the user

spec/requests/api/internal/base_spec.rb

@@ -1094,6 +1094,104 @@ RSpec.describe API::Internal::Base do
         expect(response).to have_gitlab_http_status(:unauthorized)
       end
     end
+
+    context 'admin mode' do
+      shared_examples 'pushes succeed for ssh and http' do
+        it 'accepts the SSH push' do
+          push(key, project)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+
+        it 'accepts the HTTP push' do
+          push(key, project, 'http')
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+
+      shared_examples 'pushes fail for ssh and http' do
+        it 'rejects the SSH push' do
+          push(key, project)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+
+        it 'rejects the HTTP push' do
+          push(key, project, 'http')
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'feature flag :user_mode_in_session is enabled' do
+        context 'with an admin user' do
+          let(:user) { create(:admin) }
+
+          context 'is member of the project' do
+            before do
+              project.add_developer(user)
+            end
+
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+
+          context 'is not member of the project' do
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+        end
+
+        context 'with a regular user' do
+          context 'is member of the project' do
+            before do
+              project.add_developer(user)
+            end
+
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+
+          context 'is not member of the project' do
+            it_behaves_like 'pushes fail for ssh and http'
+          end
+        end
+      end
+
+      context 'feature flag :user_mode_in_session is disabled' do
+        before do
+          stub_feature_flags(user_mode_in_session: false)
+        end
+
+        context 'with an admin user' do
+          let(:user) { create(:admin) }
+
+          context 'is member of the project' do
+            before do
+              project.add_developer(user)
+            end
+
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+
+          context 'is not member of the project' do
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+        end
+
+        context 'with a regular user' do
+          context 'is member of the project' do
+            before do
+              project.add_developer(user)
+            end
+
+            it_behaves_like 'pushes succeed for ssh and http'
+          end
+
+          context 'is not member of the project' do
+            it_behaves_like 'pushes fail for ssh and http'
+          end
+        end
+      end
+    end
   end
 
   describe 'POST /internal/post_receive', :clean_gitlab_redis_shared_state do