Cloning private repo with deploy token fails (audit_event_streaming_git_operations flag enabled)
Cloning private repo continues to fail (audit_e... (#361812 - closed)
This issue has been replaced withSummary
- Performing a git clone/pull/fetch operation on a private project using a deploy token fails when the
audit_event_streaming_git_operations
flag is enabled. - This was discovered during the flag rollout: https://gitlab.com/gitlab-org/gitlab/-/issues/357211
- It also caused a production issue: gitlab-com/gl-infra/production#6832 (closed)
- The flag was rolled-back until a fix could be put in place.
Steps to reproduce
- Enable the feature flag
audit_event_streaming_git_operations
on the instance in question. - Create a private project on a group with an Ultimate licence.
- Create a deploy token, with
read_repository
, scope for the project. (Settings -> Repository -> Deploy tokens) - Clone the repository using
http
credentials.git clone https://staging.gitlab.com/compliance-tanuki/test-violations.git
- Use the deploy token user/password as the credentials.
- Expect to see an error like this:
Username for 'https://staging.gitlab.com': gitlab+deploy-token-33250
Password for 'https://gitlab+deploy-token-33250@staging.gitlab.com':
error: RPC failed; HTTP 500 curl 22 The requested URL returned error: 500
fatal: expected flush after ref listing
What is the current bug behavior?
- 500 error and unable to clone/pull/fetch when the flag is enabled and using a deploy token as a form of authentication.
What is the expected correct behavior?
- No 500 error and the ability to use deploy tokens to
read_repository
using the git CLI.
Relevant logs and/or screenshots
Example screenshot from a test performed on staging.gitlab.com
Proposed solution
- Resolve the errors raised in sentry by handling DeployToken as a form of authentication: https://sentry.gitlab.net/gitlab/gitlabcom/issues/3262340/?query=is%3Aunresolved%20deploytoken (Thanks @smcgivern)
- Attempt feature flag rollout on GitLab.com again.
Edited by Dennis Tang