Merge branch 'jej/fix-git-http-with-sso-enforcement' into 'master'

Git HTTP works with SSO Enforcement Closes #11779 See merge request gitlab-org/gitlab-ee!13485

Merge branch 'jej/fix-git-http-with-sso-enforcement' into 'master'
Git HTTP works with SSO Enforcement Closes #11779 See merge request gitlab-org/gitlab-ee!13485
ee7fd56c · Jan Provaznik · 81a14114 · 86ebcf65 · ee7fd56c · ee7fd56c
Commit ee7fd56c authored Jun 06, 2019 by Jan Provaznik
6 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base
  end

  def set_session_storage(&block)
+    return yield if sessionless_user?
+
    Gitlab::Session.with_session(session, &block)
  end


--- a/app/controllers/projects/git_http_client_controller.rb
+++ b/app/controllers/projects/git_http_client_controller.rb
@@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
  alias_method :authenticated_user, :actor

  # Git clients will not know what authenticity token to send along
+  skip_around_action :set_session_storage
  skip_before_action :verify_authenticity_token
  skip_before_action :repository
  before_action :authenticate_user

--- a/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml
+++ b/changelogs/unreleased/ce-jej-fix-git-http-with-sso-enforcement.yml
+---
+title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP
+merge_request: 29146
+author:
+type: fixed
--- a/ee/changelogs/unreleased/jej-fix-git-http-with-sso-enforcement.yml
+++ b/ee/changelogs/unreleased/jej-fix-git-http-with-sso-enforcement.yml
+---
+title: Fix Git over HTTP when using SAML SSO Enforcement
+merge_request: 13485
+author:
+type: fixed
--- a/ee/spec/requests/git_http_spec.rb
+++ b/ee/spec/requests/git_http_spec.rb
@@ -138,4 +138,19 @@ describe 'Git HTTP requests' do
      it_behaves_like 'pushes are allowed'
    end
  end
+
+  describe 'when SSO is enforced' do
+    let(:user) { create(:user) }
+    let(:group) { create(:group) }
+    let(:project) { create(:project, :repository, :private, group: group) }
+    let(:env) { { user: user.username, password: user.password } }
+    let(:path) { "#{project.full_path}.git" }
+
+    before do
+      project.add_developer(user)
+      create(:saml_provider, group: group, enforced_sso: true)
+    end
+
+    it_behaves_like 'pulls are allowed'
+  end
 end
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -691,4 +691,38 @@ describe ApplicationController do
      end
    end
  end
+
+  context 'Gitlab::Session' do
+    controller(described_class) do
+      prepend_before_action do
+        authenticate_sessionless_user!(:rss)
+      end
+
+      def index
+        if Gitlab::Session.current
+          head :created
+        else
+          head :not_found
+        end
+      end
+    end
+
+    it 'is set on web requests' do
+      sign_in(user)
+
+      get :index
+
+      expect(response).to have_gitlab_http_status(:created)
+    end
+
+    context 'with sessionless user' do
+      it 'is not set' do
+        personal_access_token = create(:personal_access_token, user: user)
+
+        get :index, format: :atom, params: { private_token: personal_access_token.token }
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
 end