Project access tokens not working to authenticate against Git over HTTP
Summary
Originally reported here: &2587 (comment 351230899)
Authenticating against Git over HTTP does not work with Project Access Tokens. It returns:
HTTP Basic: Access denied
Steps to reproduce
- Enable the
:resource_access_tokenfeature flagFeature.enable(:resource_access_token)
- Create a Project Access Token. "Project" -> "Settings" -> "Access Tokens"
- In "Settings" -> "Members" make note of the username of the project bot
- Try to clone the repo with the access token
git clone https://<bot_username>:<project_access_token>@example.com/user/access-token-test.git
What is the current bug behavior?
Authenticating against Git over HTTP does not work with Project Access Tokens. It returns:
HTTP Basic: Access denied
What is the expected correct behavior?
You should be able to Authenticate against Git over HTTP using Project Access Tokens
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Ubuntu 16.04 Proxy: no Current User: git Using RVM: no Ruby Version: 2.6.6p146 Gem Version: 2.7.10 Bundler Version:1.17.3 Rake Version: 12.3.3 Redis Version: 5.0.9 Git Version: 2.26.2 Sidekiq Version:5.2.7 Go Version: unknown GitLab information Version: 13.1.0-pre Revision: 976293a6325 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 11.7 URL: https://gitlab-test-area.peterhegman.com HTTP Clone URL: https://gitlab-test-area.peterhegman.com/some-group/some-project.git SSH Clone URL: git@gitlab-test-area.peterhegman.com:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 13.2.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 13.2.0 ? ... OK (13.2.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... LDAP is disabled in config/gitlab.yml Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet) Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 1/1 ... yes Redis version >= 4.0.0? ... yes Ruby version >= 2.5.3 ? ... yes (2.6.6) Git version >= 2.22.0 ? ... yes (2.26.2) Git user has default SSH configuration? ... yes Active users: ... 4 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished
Possible fixes
Project Bots (being bots) are not allowed to login via UI.
if token && valid_scoped_token?(token, all_available_scopes) && token.user.can?(:log_in)The HTTP authentication fails when a Project Access token is used, since while validating if a token is valid, we also check if the user is allowed to login via UI.
In order to resolve this issue:
- we can verify if the check for UI Login is needed
- if it is, we may want to evaluate if it can be skipped for Project Bot users
Post resolution
Uncomment the documentation after the fix - ref: !39292 (merged)