
Git over HTTP: bypass admin mode

Problem

The documentation on limitations of Admin Mode states:

The following access methods are not protected by Admin Mode:

  • Git client access (SSH using public keys or HTTPS using Personal Access Tokens).
  • API access using a Personal Access Token.

In other words, administrators who are otherwise limited by Admin Mode can still use Git clients, and access RESTful API endpoints as administrators, without additional authentication steps.

Unfortunately, the documentation does not match the actual behavior when Admin Mode is enabled:

| Operation | According to docs | Actual behavior |
| --- | --- | --- |
| Git operation over SSH | Admin Mode is bypassed | Admin Mode is bypassed |
| Git operation over HTTPS | Admin Mode is bypassed | Admin Mode is NOT bypassed |

Related:

What does this MR do and why?

This MR ensures that Admin Mode is correctly bypassed (again) when performing git operations over HTTPS, so that the actual behavior matches the documentation again. (This is an intermediate state. In a next step, we want to implement a solution so that Admin Mode can be used in the right way for git operations as well.)

Solves #351488 (closed)

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Create a private project and make sure the admin is not a member of it.
  2. Clone the git repository over HTTP with the Personal Access Token of the admin: git clone http://root:<PAT>@localhost:3000/<group>/<project>.git
    • Successful (Admin Mode bypassed)
  3. Enable Admin Mode under Admin Area > General > Sign-in restrictions (http://localhost:3000/admin/application_settings/general#js-signin-settings)
  4. Clone the git repository over HTTP with the Personal Access Token of the admin: git clone http://root:<PAT>@localhost:3000/<group>/<project>.git
    • Before this MR: failed with HTTP 404 (Admin Mode NOT bypassed)
    • After this MR: successful (Admin Mode bypassed)
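The validation steps above as a runnable script, an added example that is not part of this MR or of GitLab: it keeps the PAT out of the clone URL (so it does not end up in shell history or the cloned repo's .git/config) and reports whether each clone outcome matches the documented Admin Mode behavior. GITLAB_HOST, GITLAB_USER, GITLAB_PAT, PROJECT_PATH and RUN_VALIDATION are assumed environment variable names.

```shell
#!/bin/sh
# Added example, not part of the MR: drives the validation steps above against a
# local GitLab. Assumes env vars GITLAB_HOST (default localhost:3000), GITLAB_USER
# (default root), GITLAB_PAT (the admin's token) and PROJECT_PATH (group/project).

# Plain clone URL: the token is kept out of the URL so it never lands in shell
# history or the cloned repo's .git/config.
clone_url() {
  printf 'http://%s/%s.git' "$1" "$2"
}

# Clone into a scratch dir, supplying user name and PAT through GIT_ASKPASS.
# Returns git's exit status (0 = clone succeeded).
try_clone() {
  url=$1 user=$2 pat=$3 rc=0
  dest=$(mktemp -d) askpass=$(mktemp)
  printf '#!/bin/sh\ncase "$1" in *sername*) echo "%s" ;; *) echo "%s" ;; esac\n' \
    "$user" "$pat" > "$askpass"
  chmod 700 "$askpass"
  GIT_ASKPASS=$askpass GIT_TERMINAL_PROMPT=0 \
    git clone -q "$url" "$dest/repo" >/dev/null 2>&1 || rc=$?
  rm -rf "$dest" "$askpass"
  return "$rc"
}

# Compare a clone result with the documented behaviour (PAT access over HTTPS is
# never subject to Admin Mode). Exit status: 0 = matches docs, 1 = Admin Mode was
# enforced on git over HTTP (the bug this MR fixes), 2 = unrelated failure.
diagnose() {
  rc=$1 admin_mode=$2
  if [ "$rc" -eq 0 ]; then
    echo "clone ok: Admin Mode bypassed (matches docs)"; return 0
  elif [ "$admin_mode" -eq 1 ]; then
    echo "clone failed with Admin Mode on: Admin Mode NOT bypassed"; return 1
  else
    echo "clone failed with Admin Mode off: check PAT scope and project path"; return 2
  fi
}

main() {
  url=$(clone_url "${GITLAB_HOST:-localhost:3000}" "${PROJECT_PATH:?set PROJECT_PATH}")
  for mode in 0 1; do
    [ "$mode" -eq 1 ] && { echo "Enable Admin Mode in Admin Area > General > Sign-in restrictions, then press Enter"; read -r _; }
    rc=0; try_clone "$url" "${GITLAB_USER:-root}" "${GITLAB_PAT:?set GITLAB_PAT}" || rc=$?
    diagnose "$rc" "$mode" || true
  done
}

# The interactive procedure runs only when explicitly requested.
[ "${RUN_VALIDATION:-0}" = 1 ] && main || true
```

Run it as RUN_VALIDATION=1 GITLAB_PAT=... PROJECT_PATH=group/project sh validate.sh; the first pass clones with Admin Mode off, the second after you enable it.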

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter
