Unable to clone wiki using CI token with repository turned off
Summary
Customer isn't able to clone the wiki of a project using CI Token when the repository is disabled for the project. It works as expected when done via SSH/HTTPS.
Steps to reproduce
- Disable the repository feature of the project which has the wiki to be cloned.
- Run the following in CI:
git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/fullpath/wikiproject.wiki.git
Example Project
- Project with Wiki
- Project trying to clone wiki
- Job failing with Repo turned off
- Job successful with Repo turned on
- Job success with Repo turned off via HTTPS
What is the current bug behavior?
User is shown an error saying
remote: You are not allowed to download files from this wiki.
What is the expected correct behavior?
The user should be able to successfully clone the wiki.
Relevant logs and/or screenshots
$ git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/fullpath/193173-test.wiki.git
Cloning into '193173-test.wiki'...
remote: You are not allowed to download files from this wiki.
fatal: unable to access 'https://gitlab-ci-token:[MASKED]@gitlab.com/fullpath/193173-test.wiki.git/': The requested URL returned error: 403
Cleaning up file based variables
ERROR: Job failed: exit code 1
Output of checks
This bug happens on GitLab.com
Possible fixes
The problem seems to be in https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/git_access.rb#L110. There, we check the access level value of the repository feature when the user is using a deploy token. But this is wrong in the context of wikis because we should be checking wiki_access_level.
But there is another problem. When the wiki is a group wiki, that line of code would also fail, which means that no group wiki can be cloned using a deploy token.
The fix would be something like:
# lib/gitlab/git_access.rb
def deploy_key_can_download_code?
  authentication_abilities.include?(:download_code) &&
    deploy_key? &&
    deploy_key.has_access_to?(container) &&
    right_feature_access_level?
end

# Base check: gate on the repository feature of the project.
def right_feature_access_level?
  project? && project&.repository_access_level != ::Featurable::DISABLED
end

# lib/gitlab/git_access_wiki.rb
# Wiki check: gate on the wiki feature instead of the repository feature.
override :right_feature_access_level?
def right_feature_access_level?
  project? && project&.wiki_access_level != ::Featurable::DISABLED
end

# ee/lib/ee/gitlab/git_access_wiki.rb
override :right_feature_access_level?
def right_feature_access_level?
  return super unless container.is_a?(GroupWiki)

  # There is no access_level feature yet for group wikis
  # but, if we don't override this here, users won't be able to clone
  # group wikis using deploy tokens
  #
  # Once https://gitlab.com/gitlab-org/gitlab/-/issues/208412 is
  # implemented we can add the access_level to this checking.
  group?
end
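
The three variants of the check compared on sample containers, as an added example that is not part of the original issue and is not GitLab's code. The class names, the Struct containers and the numeric level values are assumptions made for this model.

```ruby
# Constructed model of the feature-level check. All names below are
# simplified stand-ins for illustration, not GitLab's real classes.
DISABLED = 0
ENABLED  = 20

Project   = Struct.new(:repository_access_level, :wiki_access_level)
GroupWiki = Struct.new(:group_name)

# Behaviour described in the issue: the container is always judged by the
# repository feature level, even when a wiki is being cloned.
class BuggyAccess
  def initialize(container)
    @container = container
  end

  def right_feature_access_level?
    @container.is_a?(Project) && @container.repository_access_level != DISABLED
  end
end

# Proposed wiki check: consult the wiki feature level instead.
class WikiAccess < BuggyAccess
  def right_feature_access_level?
    @container.is_a?(Project) && @container.wiki_access_level != DISABLED
  end
end

# Proposed EE check: group wikis have no feature level yet, so let them pass.
class EEWikiAccess < WikiAccess
  def right_feature_access_level?
    return super unless @container.is_a?(GroupWiki)
    true
  end
end

# Returns [buggy, wiki, ee_wiki] decisions for one container.
def decisions(container)
  [BuggyAccess, WikiAccess, EEWikiAccess].map do |klass|
    klass.new(container).right_feature_access_level?
  end
end

# Constructed sample containers.
REPO_OFF_WIKI_ON = Project.new(DISABLED, ENABLED)
REPO_ON_WIKI_OFF = Project.new(ENABLED, DISABLED)
GROUP_WIKI       = GroupWiki.new("example-group")

puts decisions(REPO_OFF_WIKI_ON).inspect if __FILE__ == $PROGRAM_NAME
```

In this model the repository-based check also passes for a project whose wiki is disabled, a case the wiki-specific check rejects, so a regression test for the fix should cover both directions.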