Commit 60bad970 authored by Aakriti Gupta's avatar Aakriti Gupta

Allow user sign-in in maintenance mode

parent a741fa4a
...@@ -24,6 +24,10 @@ module EE ...@@ -24,6 +24,10 @@ module EE
'repositories/lfs_locks_api' => %w{verify create unlock} 'repositories/lfs_locks_api' => %w{verify create unlock}
}.freeze }.freeze
ALLOWLISTED_SIGN_IN_ROUTES = {
'sessions' => %w{create}
}.freeze
private private
# In addition to routes allowed in FOSS, allow geo node update route # In addition to routes allowed in FOSS, allow geo node update route
...@@ -36,7 +40,7 @@ module EE ...@@ -36,7 +40,7 @@ module EE
allowed = super || geo_node_update_route? || geo_api_route? || admin_settings_update? allowed = super || geo_node_update_route? || geo_api_route? || admin_settings_update?
return true if allowed return true if allowed
return false if ::Gitlab.maintenance_mode? return sign_in_route? if ::Gitlab.maintenance_mode?
return false unless ::Gitlab::Geo.secondary? return false unless ::Gitlab::Geo.secondary?
git_write_routes git_write_routes
...@@ -82,6 +86,12 @@ module EE ...@@ -82,6 +86,12 @@ module EE
end end
end end
def sign_in_route?
return unless request.post? && request.path.start_with?('/users/sign_in')
ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end
def lfs_locks_route? def lfs_locks_route?
# Calling route_hash may be expensive. Only do it if we think there's a possible match # Calling route_hash may be expensive. Only do it if we think there's a possible match
unless request.path.end_with?('/info/lfs/locks', '/info/lfs/locks/verify') || unless request.path.end_with?('/info/lfs/locks', '/info/lfs/locks/verify') ||
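Review bot: `sign_in_route?` gives no hint why it checks `request.path.start_with?('/users/sign_in')` before consulting `route_hash`, although the neighbouring `lfs_locks_route?` explains exactly that pattern; add `# Calling route_hash may be expensive. Only do it for POSTs that look like a sign-in` above the guard and state in it that the prefix test is only a cheap pre-filter while the `ALLOWLISTED_SIGN_IN_ROUTES` lookup on controller and action is what actually authorises the request in maintenance mode. The guard also returns `nil` on a miss, whereas the surrounding code returns explicit booleans (`return false if ...` / `return false unless ...` in the second hunk), and that `nil` now flows straight out through the changed `return sign_in_route? if ::Gitlab.maintenance_mode?` line; `return false unless request.post? && request.path.start_with?('/users/sign_in')` would keep the return values consistent. The enclosing `module EE` header and the method containing the changed maintenance-mode line start outside this view.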
...@@ -77,6 +77,13 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main ...@@ -77,6 +77,13 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
expect(subject).to disallow_request expect(subject).to disallow_request
end end
end end
it "expects a POST to /users/sign_in URL to be allowed" do
response = request.post('/users/sign_in')
expect(response).not_to be_redirect
expect(subject).not_to disallow_request
end
end end
end end
end end
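Review bot: The new example `it "expects a POST to /users/sign_in URL to be allowed"` exercises only the allow path, while the middleware change it covers is gated on `request.post?` and on the `sessions#create` allowlist entry, so a regression that dropped the method check would still pass here. Add a companion negative example, e.g. `it "expects a PUT to /users/sign_in URL to be disallowed"` that performs the same request with `put` (assuming the request helper offers it alongside `post`) and asserts `expect(subject).to disallow_request`, reusing the matcher already used a few lines above. The surrounding `RSpec.shared_examples` block starts before this hunk.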
...@@ -125,6 +125,9 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do ...@@ -125,6 +125,9 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do
where(:description, :path) do where(:description, :path) do
'LFS request to batch' | '/root/rouge.git/info/lfs/objects/batch' 'LFS request to batch' | '/root/rouge.git/info/lfs/objects/batch'
'request to git-upload-pack' | '/root/rouge.git/git-upload-pack' 'request to git-upload-pack' | '/root/rouge.git/git-upload-pack'
'user sign out' | '/users/sign_out'
'admin session' | '/admin/session'
'admin session destroy' | '/admin/session/destroy'
end end
with_them do with_them do