Git over HTTP: bypass admin mode
Problem
The documentation on limitations of Admin Mode states:
The following access methods are not protected by Admin Mode:
- Git client access (SSH using public keys or HTTPS using Personal Access Tokens).
- API access using a Personal Access Token.
In other words, administrators who are otherwise limited by Admin Mode can still use Git clients, and access RESTful API endpoints as administrators, without additional authentication steps.
Unfortunately, the documentation does not match the actual behavior when Admin Mode is enabled:
| Operation | According to docs | Actual behavior |
|---|---|---|
| Git operation over SSH | Admin Mode is bypassed | Admin Mode is bypassed |
| Git operation over HTTPS | Admin Mode is bypassed | Admin Mode is NOT bypassed |
Related:
- Issue: Git over HTTP operations don't respect user.adm... (#351488 - closed)
- Discussion: #334697 (comment 629079298)
What does this MR do and why?
This MR ensures that Admin Mode is correctly bypassed (again) when performing git operations over HTTPS, so the actual behavior matches the documentation again. (This is an intermediate state: in a next step, we want to implement a solution so that Admin Mode can be applied properly to git operations as well.)
Solves #351488 (closed)
/cc @bufferoverflow
How to set up and validate locally
1. Create a private project and make sure the admin is not a member of it.
2. Clone the git repository over HTTP with the Personal Access Token of the admin:
   `git clone http://root:<PAT>@localhost:3000/<group>/<project>.git`
   ➡ successful (Admin Mode bypassed) ✅
3. Enable Admin Mode under Admin Area > General > Sign-in restrictions (http://localhost:3000/admin/application_settings/general#js-signin-settings).
4. Clone the git repository over HTTP with the Personal Access Token of the admin again:
   `git clone http://root:<PAT>@localhost:3000/<group>/<project>.git`
   - Before this MR: ➡ failed with HTTP 404 (Admin Mode NOT bypassed) ❌
   - After this MR: ➡ successful (Admin Mode bypassed) ✅
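The validation above can be scripted so it is repeatable before and after the change, and so the admin's token never appears in a URL (which would land in shell history and `ps` output). The following is an added example and is not part of the MR: it assumes a GDK-style instance at `GDK_URL` (default `http://localhost:3000`), the admin token in the `GITLAB_PAT` environment variable, the username `root`, and a project path such as `group/project` given as the first argument. It uses a read-only `git ls-remote` probe instead of a full clone and supplies the token through `GIT_ASKPASS`; `classify_result` maps git's exit status and stderr to the outcomes named in the steps (hypothetical helper names).

```shell
#!/bin/sh
# Added example (not from the MR): probe whether a Git-over-HTTP operation with an
# admin's Personal Access Token succeeds while Admin Mode is enabled.
# Assumptions: instance at GDK_URL, token in GITLAB_PAT, username root.

GDK_URL="${GDK_URL:-http://localhost:3000}"

# Map git's exit status and stderr to the outcome names used in the validation steps:
#   bypassed      - the operation succeeded (Admin Mode bypassed, documented behavior)
#   not-bypassed  - the server answered 404 / "not found" (Admin Mode NOT bypassed)
#   error         - anything else (network, bad URL, ...), so the probe is inconclusive
classify_result() {
  status="$1"
  stderr="$2"
  if [ "$status" -eq 0 ]; then
    echo "bypassed"
  elif printf '%s' "$stderr" | grep -qi -e '404' -e 'not found'; then
    echo "not-bypassed"
  else
    echo "error"
  fi
}

# Run a read-only `git ls-remote` against the project; the token is handed to git
# through a temporary GIT_ASKPASS helper, never through the URL.
probe_admin_mode_bypass() {
  project="$1"
  export GITLAB_PAT
  askpass=$(mktemp)
  # The helper answers git's "Username for ..." prompt with root and every other
  # prompt (the password prompt) with the token from the environment.
  printf '#!/bin/sh\ncase "$1" in *Username*) echo root ;; *) echo "$GITLAB_PAT" ;; esac\n' > "$askpass"
  chmod 700 "$askpass"
  err=$(GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 \
        git ls-remote "$GDK_URL/$project.git" HEAD 2>&1 >/dev/null)
  status=$?
  rm -f "$askpass"
  classify_result "$status" "$err"
}

# Usage: GITLAB_PAT=<token> ./probe.sh <group>/<project>
# Expected: "bypassed" before enabling Admin Mode; with Admin Mode enabled,
# "not-bypassed" before this MR and "bypassed" after it.
if [ -n "${1:-}" ]; then
  probe_admin_mode_bypass "$1"
fi
```

Run the script once before enabling Admin Mode and once after; a result of `error` means the probe itself failed (unreachable host, wrong path) and says nothing about Admin Mode, which is why the 404 case is kept separate from other failures.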
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.