author Drew Blessing <drew@blessing.io> 2019-08-08 14:56:36 -0500
committer Drew Blessing <drew@blessing.io> 2019-08-08 14:56:36 -0500
commit d534122e0eef9c12e53e51c9a4fa6124a446581a (patch)
tree 08daf6987cc4659cfd4f1fa59cc442a397902d96
parent 6bd2db0e4ca9e1c87f5b1778253d1414de2added (diff)
download gitlab-ce-dblessing-fix-public-project-ssh-only-ci-failure.tar.gz
Allow CI to clone public projects when HTTP protocol is disabled [dblessing-fix-public-project-ssh-only-ci-failure]
GitLab has a mechanism that allows CI to clone repositories via HTTP even when the HTTP protocol is disabled. This works as expected when a project is private or internal. However, when a project is public, CI gets an error message that HTTP is not allowed. This happens because Git only sends auth in a subsequent request when a 401 is returned first. For public projects, GitLab grabs onto that unauthenticated request and sends it through since it recognizes that Guests are ordinarily allowed to access the repository. Later on this leads to a 403 since HTTP protocol is disabled. Fix by only grabbing unauthenticated requests when HTTP is allowed.
-rw-r--r-- app/controllers/projects/git_http_client_controller.rb 7
1 files changed, 6 insertions, 1 deletions
diff --git a/app/controllers/projects/git_http_client_controller.rb b/app/controllers/projects/git_http_client_controller.rb
index 956093b972b..abf8407a51c 100644
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -49,7 +49,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
send_final_spnego_response
return # Allow access
end
- elsif project && download_request? && Guest.can?(:download_code, project)
+ elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
+
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
return # Allow access
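Review bot: the elsif that now includes http_allowed? has no accompanying spec; the diffstat lists only the controller. Please add a request spec for a public project with the HTTP protocol disabled that covers both sides of this branch: an unauthenticated download request must no longer receive the :none result with [:download_code], and a CI-authenticated clone must succeed. The same spec should pin down what the unauthenticated request gets once it falls past this branch, since the commit message depends on Git receiving a 401 before it sends credentials. Minor style point: the added blank line directly after the elsif condition should be dropped.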
@@ -113,4 +114,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
def ci?
authentication_result.ci?(project)
end
+
+ def http_allowed?
+ Gitlab::ProtocolAccess.allowed?('http')
+ end
end
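Review bot: http_allowed? is undocumented, and Gitlab::ProtocolAccess.allowed?('http') is called with neither the project nor the user, so placed next to ci? it reads like a per-request check when it only reflects the protocol setting. A one-line comment stating that, or a more specific method name, would prevent it being reused as an access check. The hunk also does not show which visibility section the method lands in; confirm it sits under the same private/protected scope as ci? so it is not exposed as a controller action.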