Pipeline API Status Update permission regression
Summary
Prior versions of GitLab allowed calls to the Pipeline API to update a commit's status while only requiring the Developer permission.
At some point recently (during the 12.8 release cycle, as far as I can tell) it appears that the Pipeline API now requires Maintainer access - requiring a much more privileged account to update build information on all built commits. This is an undocumented change and, being backwards-incompatible, an API breakage.
This change was introduced in this commit.
This also appears to affect anyone using GitLab in conjunction with the GitLab Plugin for Jenkins, wherein Jenkins is able to update commits with build information.
Steps to reproduce
Using access credentials tied to a user with the Developer role, attempt to send a POST request to update a commit's build status per the following API:
https://docs.gitlab.com/ee/api/commits.html#post-the-build-status-to-a-commit
e.g. POST /api/v4/projects/katana/TreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332
An HTTP 403 will be returned by GitLab if the user is not a Maintainer and the branch is protected.
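The reproduction above as a small regression probe, added here as an example that is not part of the original report or of GitLab's own code; the host name is a placeholder, and the `send` hook is an assumption so the request path and response handling can be exercised offline:

```python
"""Probe whether a Developer-role token may still post a commit build status."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed values for the example; project path and SHA are the ones in the report.
API_BASE = "https://gitlab.example.invalid/api/v4"  # placeholder host
PROJECT_PATH = "katana/TreeResolver"
COMMIT_SHA = "f1c35fef86bb22a8d067d94636f649e0cc955332"


def build_status_request(base, project_path, sha, state, token, name="jenkins"):
    """Build POST /projects/:id/statuses/:sha (documented GitLab commits API).

    The project path is sent URL-encoded as a single path segment
    (katana%2FTreeResolver), exactly as the nginx access log in the report shows.
    """
    project_id = urllib.parse.quote(project_path, safe="")
    url = f"{base}/projects/{project_id}/statuses/{sha}"
    body = json.dumps({"state": state, "name": name}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )


def classify(status_code):
    """Map the HTTP status to the outcome a CI integration cares about."""
    if 200 <= status_code < 300:
        return "ok"
    if status_code == 403:
        # Token authenticated but rejected: the Developer-role regression in the report.
        return "forbidden"
    if status_code == 401:
        return "unauthenticated"
    return "other"


def probe(token, send=None):
    """Send the request and classify the result; `send` is injectable for offline tests."""
    req = build_status_request(API_BASE, PROJECT_PATH, COMMIT_SHA, "success", token)
    if send is None:
        def send(r):
            try:
                with urllib.request.urlopen(r, timeout=10) as resp:
                    return resp.status
            except urllib.error.HTTPError as err:
                return err.code
    return classify(send(req))
```

Run `probe(token)` with a token belonging to a Developer-role user; "forbidden" means the stricter permission check described in this report is in effect.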
Example Project
No example project is available for this behavior.
What is the current bug behavior?
An HTTP 403 is returned by GitLab when calling the POST /projects/:id/statuses/:sha API endpoint if the user is not a Maintainer or a branch that the commit exists on is protected.
What is the expected correct behavior?
Prior behavior, wherein if the user is authenticated and possesses a minimum of Developer access to the project, the POST request to the POST /projects/:id/statuses/:sha API endpoint succeeds with a 200 and updates the commit build status.
Relevant logs and/or screenshots
Note: I'm running GitLab via the Docker image reference gitlab/gitlab-ce:latest, currently running 12.9.1 with an update scheduled to occur tonight.
==> /var/log/gitlab/nginx/gitlab_access.log <==
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "GET /api/v4/projects/katana%2FTreeResolver/repository/commits/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 200 878 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 403 27 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "GET /api/v4/projects/katana%2FTreeResolver/repository/commits/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 200 878 "" "-"
[REDACTED] - - [18/Mar/2020:16:18:39 +0000] "POST /api/v4/projects/katana%2FTreeResolver/statuses/f1c35fef86bb22a8d067d94636f649e0cc955332 HTTP/1.1" 403 27 "" "-"
Results of GitLab environment info
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 12.0.0 ? ... OK (12.0.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
2/1 ... yes
5/2 ... yes
5/3 ... yes
5/4 ... yes
2/5 ... yes
6/6 ... yes
10/7 ... yes
10/8 ... yes
7/9 ... yes
13/10 ... yes
7/11 ... yes
13/12 ... yes
7/13 ... yes
13/14 ... yes
6/15 ... yes
6/16 ... yes
6/17 ... yes
13/18 ... yes
2/19 ... yes
7/23 ... yes
7/24 ... yes
9/25 ... yes
9/26 ... yes
9/27 ... yes
9/28 ... yes
7/29 ... yes
8/30 ... yes
6/31 ... yes
7/32 ... yes
9/33 ... yes
7/35 ... yes
7/36 ... yes
7/37 ... yes
11/38 ... yes
6/39 ... yes
6/40 ... yes
6/41 ... yes
12/42 ... yes
12/43 ... yes
12/44 ... yes
14/45 ... yes
6/46 ... yes
12/47 ... yes
3/48 ... yes
11/49 ... yes
7/50 ... yes
11/51 ... yes
11/52 ... yes
11/53 ... yes
16/54 ... yes
2/56 ... yes
16/57 ... yes
16/58 ... yes
2/59 ... yes
18/60 ... yes
12/61 ... yes
16/63 ... yes
12/64 ... yes
18/65 ... yes
18/66 ... yes
18/67 ... yes
18/68 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.5)
Git version >= 2.22.0 ? ... yes (2.24.1)
Git user has default SSH configuration? ... yes
Active users: ... 5
Is authorized keys file accessible? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Reverting the following commit: 5f63ef2b