Deploy Keys gets restricted after blocking user
Summary
A Deploy Key, which has been added by a user that is blocked afterwards is no longer usable for pushes, while cloning is still possible.
Steps to reproduce
- Create a default user
- Create a shared private group
- Create a shared private project
- Generate a fresh ssh-key and add this key to a project as a deployment key with permissions set correctly
- Clone the project, fill it locally with a sample file and push that change back --> this is expected to be working correctly
- Block the user using an administrative account
- Try to push changes to this repository --> this fails for us
- Try to freshly clone this repository using the same key --> this works - while it is not clear, why cloning is OK, but pushing is NOT.
What is the current bug behavior?
Writing to a repository gets denied, when a deployment key has been added by a user that is blocked
matthias@w-workwmlin:~/shareproject$ git push
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 284 bytes | 284.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: GitLab: You are not allowed to push code to this project.
To code.no-cloud.io:sharegroup/shareproject.git
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'git@code.no-cloud.io:sharegroup/shareproject
matthias@w-workwmlin:~$ mv shareproject shareproject2
matthias@w-workwmlin:~$ git clone git@code.no-cloud.io:sharegroup/shareproject.g
Cloning into 'shareproject'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.What is the expected correct behavior?
Either everything is impossible after the user has been blocked (cloning and writing to a repo) or none - while the use of a deployment key is in our case to prevent the crash of all CI/CD lines when a user leaves the company
Output of checks
This bug happens on on-premise installations - to be verified for cloud solutions
Results of GitLab environment info
Tested with 13.10.3 and 13.10.1
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) ``` root@code:/# gitlab-rake gitlab:env:info System information System: Current User: git Using RVM: no Ruby Version: 2.7.2p137 Gem Version: 3.1.4 Bundler Version:2.1.4 Rake Version: 13.0.3 Redis Version: 6.0.10 Git Version: 2.29.0 Sidekiq Version:5.2.9 Go Version: unknown GitLab information Version: 13.10.3 Revision: b1774ad36a9 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.6 URL: https://code.no-cloud.io HTTP Clone URL: https://code.no-cloud.io/some-group/some-project.git SSH Clone URL: git@code.no-cloud.io:some-group/some-project.git Using LDAP: yes Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 13.17.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git ```
Results of GitLab application Check
run on the 13.10.3 system - a docker setup:
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)root@code:/# gitlab-rake gitlab:check SANITIZE=true Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 13.17.0 ? ... OK (13.17.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 11 users of 100 limit. Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 2/1 ... yes 2/2 ... yes 2/3 ... yes 2/4 ... yes 2/5 ... yes 2/6 ... yes 4/8 ... yes 4/9 ... yes 4/10 ... yes 4/11 ... yes 4/12 ... yes 4/13 ... yes 4/14 ... yes 4/15 ... yes 4/16 ... yes 4/17 ... yes 3/18 ... yes 3/19 ... yes 3/20 ... yes 3/21 ... yes 3/22 ... yes 3/23 ... yes 3/24 ... yes 3/25 ... yes 3/26 ... yes 3/27 ... yes 3/28 ... yes 3/29 ... yes 3/30 ... yes 3/31 ... yes 3/32 ... yes 5/33 ... yes 10/34 ... yes 13/35 ... yes 13/36 ... yes 13/37 ... yes 14/38 ... yes 47/39 ... yes 47/41 ... yes 47/42 ... yes 47/43 ... yes 15/44 ... yes 13/45 ... yes 47/46 ... yes 16/48 ... yes 16/49 ... yes 16/50 ... yes 16/51 ... yes 16/52 ... yes 17/53 ... yes 17/54 ... yes 17/55 ... yes 18/56 ... yes 19/57 ... yes 20/58 ... yes 20/59 ... yes 20/60 ... yes 20/61 ... yes 20/62 ... yes 20/63 ... yes 20/64 ... yes 22/66 ... yes 23/67 ... yes 40/68 ... yes 41/69 ... yes 39/70 ... yes 42/71 ... yes 25/72 ... yes 25/73 ... yes 25/74 ... yes 25/75 ... yes 25/76 ... yes 25/77 ... yes 25/78 ... yes 25/79 ... yes 25/80 ... yes 26/81 ... yes 26/82 ... yes 26/83 ... yes 26/84 ... yes 27/85 ... yes 27/86 ... yes 27/87 ... yes 28/88 ... yes 29/89 ... yes 30/91 ... yes 15/95 ... yes 33/96 ... yes 15/97 ... yes 34/98 ... yes 34/99 ... yes 34/100 ... yes 35/102 ... yes 35/103 ... yes 35/104 ... yes 43/105 ... yes 24/108 ... yes 8/109 ... yes 48/112 ... yes 50/113 ... yes 8/116 ... yes 54/117 ... yes 48/120 ... yes 48/122 ... yes 48/123 ... yes 48/124 ... yes 48/125 ... yes 48/127 ... yes 55/128 ... yes 32/129 ... yes 48/130 ... yes 32/131 ... yes 23/132 ... yes 24/133 ... yes 47/135 ... yes 56/136 ... yes 47/137 ... yes 15/138 ... yes 8/139 ... yes 8/140 ... yes 58/141 ... yes 59/143 ... yes 59/144 ... yes 60/145 ... yes 59/146 ... yes 56/147 ... yes 8/148 ... yes 62/149 ... yes 47/150 ... yes 8/151 ... yes 63/152 ... yes 61/153 ... yes 8/154 ... yes 66/155 ... yes 26/156 ... yes 61/157 ... yes 67/158 ... yes 67/159 ... yes 42/160 ... yes 8/161 ... yes 55/162 ... yes 8/163 ... yes 83/164 ... yes 84/165 ... yes 84/166 ... yes 35/167 ... yes 84/168 ... yes 2/169 ... yes 86/170 ... yes Redis version >= 4.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.2) Git version >= 2.29.0 ? ... yes (2.29.0) Git user has default SSH configuration? ... yes Active users: ... 11 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Checking GitLab App ... Finished Checking GitLab subtasks ... Finished
Edited by Matthias R. Wiora