Allow CI to clone public projects when HTTP protocol is disabled

GitLab has a mechanism that allows CI to clone repositories via HTTP even when the HTTP protocol is disabled. This works as expected when a project is private or internal. However, when a project is public CI gets an error message that HTTP is not allowed. This happens because Git only sends auth in a subsequent request after a 401 is returned first. For public projects, GitLab grabs onto that unauthenticated request and sends it through since it recognizes that Guests are ordinarily allowed to access the repository. Later on this leads to a 403 since HTTP protocol is disabled. Fix this by only continuing with unauthenticated requests when HTTP is allowed.

Allow CI to clone public projects when HTTP protocol is disabled
GitLab has a mechanism that allows CI to clone repositories via HTTP even when the HTTP protocol is disabled. This works as expected when a project is private or internal. However, when a project is public CI gets an error message that HTTP is not allowed. This happens because Git only sends auth in a subsequent request after a 401 is returned first. For public projects, GitLab grabs onto that unauthenticated request and sends it through since it recognizes that Guests are ordinarily allowed to access the repository. Later on this leads to a 403 since HTTP protocol is disabled. Fix this by only continuing with unauthenticated requests when HTTP is allowed.
7f00bcb9 · Drew Blessing · 7f9c653e · 7f00bcb9 · 7f00bcb9 · 7f00bcb9
Commit 7f00bcb9 authored Aug 08, 2019 by Drew Blessing
3 changed files
--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -49,7 +49,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
        send_final_spnego_response
        return # Allow access
      end
-    elsif project && download_request? && Guest.can?(:download_code, project)
+    elsif project && download_request? && http_allowed? && Guest.can?(:download_code, project)
      @authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
      return # Allow access
@@ -113,4 +114,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
  def ci?
    authentication_result.ci?(project)
  end
+  def http_allowed?
+    Gitlab::ProtocolAccess.allowed?('http')
+  end
 end
--- a/changelogs/unreleased/dblessing-fix-public-project-ssh-only-ci-failure.yml
+++ b/changelogs/unreleased/dblessing-fix-public-project-ssh-only-ci-failure.yml
+---
+title: Allow CI to clone public projects when HTTP protocol is disabled
+merge_request: 31632
+author:
+type: fixed
--- a/spec/controllers/projects/git_http_controller_spec.rb
+++ b/spec/controllers/projects/git_http_controller_spec.rb
@@ -12,4 +12,15 @@ describe Projects::GitHttpController do
      expect(response.status).to eq(403)
    end
  end
+  describe 'GET #info_refs' do
+    it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
+      stub_application_setting(enabled_git_access_protocol: 'ssh')
+      project = create(:project, :public, :repository)
+      get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+      expect(response.status).to eq(401)
+    end
+  end
 end