diff options
| author | Kamil Trzciński <ayufan@ayufan.eu> | 2018-04-05 21:34:00 +0300 |
|---|---|---|
| committer | Kamil Trzciński <ayufan@ayufan.eu> | 2018-04-05 21:34:00 +0300 |
| commit | 1367e4ff9fbcdbf8eaa376183d1a2ffca7041641 (patch) | |
| tree | 1d0e1c8de45d27558fadda09ad8509b5cdcb0571 /lib | |
| parent | 160b4827edad1984ddb4339622b93ace17870cb1 (diff) | |
| parent | 9750006b1a7e78785256cf669c336c0075584d3b (diff) | |
Merge branch '44389-always-allow-http-for-ci-git-operations' into 'master'
Resolve "Allow HTTPS cloning by Runners if it is disabled for users"
Closes #44389
See merge request gitlab-org/gitlab-ce!18021
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/git_access.rb | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index ed0644f6cf1..6a01957184d 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -29,9 +29,9 @@ module Gitlab PUSH_COMMANDS = %w{ git-receive-pack }.freeze ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS - attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path + attr_reader :actor, :project, :protocol, :authentication_abilities, :namespace_path, :project_path, :redirected_path, :auth_result_type - def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil) + def initialize(actor, project, protocol, authentication_abilities:, namespace_path: nil, project_path: nil, redirected_path: nil, auth_result_type: nil) @actor = actor @project = project @protocol = protocol @@ -39,6 +39,7 @@ module Gitlab @namespace_path = namespace_path @project_path = project_path @redirected_path = redirected_path + @auth_result_type = auth_result_type end def check(cmd, changes) @@ -78,6 +79,12 @@ module Gitlab authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) end + def request_from_ci_build? + return false unless protocol == 'http' + + auth_result_type == :build || auth_result_type == :ci + end + def protocol_allowed? Gitlab::ProtocolAccess.allowed?(protocol) end @@ -93,6 +100,8 @@ module Gitlab end def check_protocol! + return if request_from_ci_build? + unless protocol_allowed? raise UnauthorizedError, "Git access over #{protocol.upcase} is not allowed" end |