Git over HTTP: bypass admin mode

f60838ca · Jonas Wälter · Imre Farkas · a1033f87 · f60838ca · f60838ca
Commit f60838ca authored Feb 10, 2022 by Jonas Wälter Committed by Imre Farkas Feb 10, 2022
Showing with 31 additions and 4 deletions

app/controllers/repositories/git_http_client_controller.rb app/controllers/repositories/git_http_client_controller.rb +9 -0

spec/requests/git_http_spec.rb spec/requests/git_http_spec.rb +22 -4

No files found.
--- a/app/controllers/repositories/git_http_client_controller.rb
+++ b/app/controllers/repositories/git_http_client_controller.rb
@@ -17,6 +17,9 @@ module Repositories

    prepend_before_action :authenticate_user, :parse_repo_path

+    skip_around_action :sessionless_bypass_admin_mode!
+    around_action :bypass_admin_mode!, if: :authenticated_user
+
    feature_category :source_code_management

    def authenticated_user
@@ -136,6 +139,12 @@ module Repositories
      container &&
      Guest.can?(repo_type.guest_read_ability, container)
    end
+
+    def bypass_admin_mode!(&block)
+      return yield unless Gitlab::CurrentSettings.admin_mode
+
+      Gitlab::Auth::CurrentUserMode.bypass_session!(authenticated_user.id, &block)
+    end
  end
 end


--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -836,6 +836,24 @@ RSpec.describe 'Git HTTP requests' do
                end
              end
            end
+
+            context "when the user is admin" do
+              let(:admin) { create(:admin) }
+              let(:env) { { user: admin.username, password: admin.password } }
+
+              # Currently, the admin mode is bypassed for git operations.
+              # Once the admin mode is considered for git operations, this test will fail.
+              # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/296509
+              context 'when admin mode is enabled', :enable_admin_mode do
+                it_behaves_like 'pulls are allowed'
+                it_behaves_like 'pushes are allowed'
+              end
+
+              context 'when admin mode is disabled' do
+                it_behaves_like 'pulls are allowed'
+                it_behaves_like 'pushes are allowed'
+              end
+            end
          end
        end

@@ -929,10 +947,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is disabled' do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end
            end
@@ -1534,10 +1552,10 @@ RSpec.describe 'Git HTTP requests' do
              context 'when admin mode is disabled' do
                it_behaves_like 'can download code only'

-                it 'downloads from other project get status 404' do
+                it 'downloads from other project get status 403' do
                  clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token

-                  expect(response).to have_gitlab_http_status(:not_found)
+                  expect(response).to have_gitlab_http_status(:forbidden)
                end
              end
            end