Merge branch 'ag-block-git-push' into 'master'

Check maintenance mode when checking git push access

See merge request gitlab-org/gitlab!41600

ee/lib/ee/gitlab/git_access.rb

@@ -10,6 +10,7 @@ module EE
 
       override :check
       def check(cmd, changes)
+        check_maintenance_mode!(cmd)
         check_geo_license!
         check_smartcard_access!
 
@@ -91,6 +92,17 @@ module EE
         end
       end
 
+      def check_maintenance_mode!(cmd)
+        return unless cmd == 'git-receive-pack'
+        return unless maintenance_mode?
+
+        raise ::Gitlab::GitAccess::ForbiddenError, 'Git push is not allowed because this GitLab instance is currently in (read-only) maintenance mode.'
+      end
+
+      def maintenance_mode?
+        ::Gitlab::CurrentSettings.current_application_settings.maintenance_mode
+      end
+
       def can_access_without_new_smartcard_login?
         return true unless user
 

ee/spec/lib/gitlab/git_access_spec.rb

@@ -729,6 +729,40 @@ RSpec.describe Gitlab::GitAccess do
     end
   end
 
+  describe '#check_maintenance_mode!' do
+    let(:changes) { Gitlab::GitAccess::ANY }
+
+    before do
+      project.add_maintainer(user)
+    end
+
+    def push_access_check
+      access.check('git-receive-pack', changes)
+    end
+
+    context 'when maintenance mode is enabled' do
+      before do
+        stub_application_setting(maintenance_mode: true)
+      end
+
+      it 'blocks git push' do
+        aggregate_failures do
+          expect { push_access_check }.to raise_forbidden('Git push is not allowed because this GitLab instance is currently in (read-only) maintenance mode.')
+        end
+      end
+    end
+
+    context 'when maintenance mode is disabled' do
+      before do
+        stub_application_setting(maintenance_mode: false)
+      end
+
+      it 'allows git push' do
+        expect { push_access_check }.not_to raise_error
+      end
+    end
+  end
+
   private
 
   def access

ee/spec/requests/api/internal/base_spec.rb

@@ -3,14 +3,15 @@ require 'spec_helper'
 
 RSpec.describe API::Internal::Base do
   include EE::GeoHelpers
+  include APIInternalBaseHelpers
 
   let_it_be(:primary_url) { 'http://primary.example.com' }
   let_it_be(:secondary_url) { 'http://secondary.example.com' }
   let_it_be(:primary_node, reload: true) { create(:geo_node, :primary, url: primary_url) }
   let_it_be(:secondary_node, reload: true) { create(:geo_node, url: secondary_url) }
+  let_it_be(:user) { create(:user) }
 
   describe 'POST /internal/post_receive', :geo do
-    let_it_be(:user) { create(:user) }
     let(:key) { create(:key, user: user) }
     let_it_be(:project, reload: true) { create(:project, :repository, :wiki_repo) }
     let(:secret_token) { Gitlab::Shell.secret_token }
@@ -72,7 +73,6 @@ RSpec.describe API::Internal::Base do
   end
 
   describe "POST /internal/allowed" do
-    let_it_be(:user) { create(:user) }
     let_it_be(:key) { create(:key, user: user) }
     let(:secret_token) { Gitlab::Shell.secret_token }
 
@@ -243,10 +243,41 @@ RSpec.describe API::Internal::Base do
         end
       end
     end
+
+    context 'maintenance mode enabled' do
+      let_it_be(:project) { create(:project, :repository) }
+
+      before do
+        stub_application_setting(maintenance_mode: true)
+
+        project.add_developer(user)
+      end
+
+      context 'when action is git push' do
+        it 'returns forbidden' do
+          push(key, project)
+
+          expect(response).to have_gitlab_http_status(:unauthorized)
+          expect(json_response["status"]).to be_falsey
+          expect(json_response["message"]).to eq(
+            'Git push is not allowed because this GitLab instance is currently in (read-only) maintenance mode.'
+          )
+          expect(user.reload.last_activity_on).to be_nil
+        end
+      end
+
+      context 'when action is not git push' do
+        it 'returns success' do
+          pull(key, project)
+
+          expect(response).to have_gitlab_http_status(:success)
+          expect(json_response["status"]).to be_truthy
+        end
+      end
+    end
   end
 
   describe "POST /internal/lfs_authenticate", :geo do
-    let(:user) { create(:user) }
     let(:project) { create(:project, :repository) }
     let(:secret_token) { Gitlab::Shell.secret_token }
 
@@ -279,7 +310,6 @@ RSpec.describe API::Internal::Base do
   end
 
   describe 'POST /internal/personal_access_token' do
-    let_it_be(:user) { create(:user) }
     let_it_be(:key) { create(:key, user: user) }
 
     let(:instance_level_max_personal_access_token_lifetime) { nil }

spec/requests/api/internal/base_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe API::Internal::Base do
+  include APIInternalBaseHelpers
+
   let_it_be(:user, reload: true) { create(:user) }
   let_it_be(:project, reload: true) { create(:project, :repository, :wiki_repo) }
   let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) }
@@ -1207,88 +1209,6 @@ RSpec.describe API::Internal::Base do
     end
   end
 
-  def gl_repository_for(container)
-    case container
-    when ProjectWiki
-      Gitlab::GlRepository::WIKI.identifier_for_container(container.project)
-    when Project
-      Gitlab::GlRepository::PROJECT.identifier_for_container(container)
-    when Snippet
-      Gitlab::GlRepository::SNIPPET.identifier_for_container(container)
-    else
-      nil
-    end
-  end
-
-  def full_path_for(container)
-    case container
-    when PersonalSnippet
-      "snippets/#{container.id}"
-    when ProjectSnippet
-      "#{container.project.full_path}/snippets/#{container.id}"
-    else
-      container.full_path
-    end
-  end
-
-  def pull(key, container, protocol = 'ssh')
-    post(
-      api("/internal/allowed"),
-      params: {
-        key_id: key.id,
-        project: full_path_for(container),
-        gl_repository: gl_repository_for(container),
-        action: 'git-upload-pack',
-        secret_token: secret_token,
-        protocol: protocol
-      }
-    )
-  end
-
-  def push(key, container, protocol = 'ssh', env: nil, changes: nil)
-    push_with_path(key,
-                   full_path: full_path_for(container),
-                   gl_repository: gl_repository_for(container),
-                   protocol: protocol,
-                   env: env,
-                   changes: changes)
-  end
-
-  def push_with_path(key, full_path:, gl_repository: nil, protocol: 'ssh', env: nil, changes: nil)
-    changes ||= 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master'
-
-    params = {
-      changes: changes,
-      key_id: key.id,
-      project: full_path,
-      action: 'git-receive-pack',
-      secret_token: secret_token,
-      protocol: protocol,
-      env: env
-    }
-    params[:gl_repository] = gl_repository if gl_repository
-
-    post(
-      api("/internal/allowed"),
-      params: params
-    )
-  end
-
-  def archive(key, container)
-    post(
-      api("/internal/allowed"),
-      params: {
-        ref: 'master',
-        key_id: key.id,
-        project: full_path_for(container),
-        gl_repository: gl_repository_for(container),
-        action: 'git-upload-archive',
-        secret_token: secret_token,
-        protocol: 'ssh'
-      }
-    )
-  end
-
   def lfs_auth_project(project)
     post(
       api("/internal/lfs_authenticate"),

spec/support/helpers/api_internal_base_helpers.rb

+# frozen_string_literal: true
+
+module APIInternalBaseHelpers
+  def gl_repository_for(container)
+    case container
+    when ProjectWiki
+      Gitlab::GlRepository::WIKI.identifier_for_container(container.project)
+    when Project
+      Gitlab::GlRepository::PROJECT.identifier_for_container(container)
+    when Snippet
+      Gitlab::GlRepository::SNIPPET.identifier_for_container(container)
+    else
+      nil
+    end
+  end
+
+  def full_path_for(container)
+    case container
+    when PersonalSnippet
+      "snippets/#{container.id}"
+    when ProjectSnippet
+      "#{container.project.full_path}/snippets/#{container.id}"
+    else
+      container.full_path
+    end
+  end
+
+  def pull(key, container, protocol = 'ssh')
+    post(
+      api("/internal/allowed"),
+      params: {
+        key_id: key.id,
+        project: full_path_for(container),
+        gl_repository: gl_repository_for(container),
+        action: 'git-upload-pack',
+        secret_token: secret_token,
+        protocol: protocol
+      }
+    )
+  end
+
+  def push(key, container, protocol = 'ssh', env: nil, changes: nil)
+    push_with_path(key,
+                   full_path: full_path_for(container),
+                   gl_repository: gl_repository_for(container),
+                   protocol: protocol,
+                   env: env,
+                   changes: changes)
+  end
+
+  def push_with_path(key, full_path:, gl_repository: nil, protocol: 'ssh', env: nil, changes: nil)
+    changes ||= 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master'
+
+    params = {
+      changes: changes,
+      key_id: key.id,
+      project: full_path,
+      action: 'git-receive-pack',
+      secret_token: secret_token,
+      protocol: protocol,
+      env: env
+    }
+    params[:gl_repository] = gl_repository if gl_repository
+
+    post(
+      api("/internal/allowed"),
+      params: params
+    )
+  end
+
+  def archive(key, container)
+    post(
+      api("/internal/allowed"),
+      params: {
+        ref: 'master',
+        key_id: key.id,
+        project: full_path_for(container),
+        gl_repository: gl_repository_for(container),
+        action: 'git-upload-archive',
+        secret_token: secret_token,
+        protocol: 'ssh'
+      }
+    )
+  end
+end