Repo can be accessed via Geo Secondary using public deploy key that has not been granted access to the project when request proxied to primary
Summary
It appears that proxying a `git clone` request from a secondary to the primary using a public deploy key bypasses the check of whether the project has enabled access for that deploy key.
Git requests made to the secondary are proxied to the primary when there is no up-to-date copy of the repository on the secondary.
Reported by customer in this ticket.
Steps to reproduce
- Configure a GitLab Geo environment with a primary (`gitlab-pri`) and a secondary (`gitlab-sec`).
- Configure Geo to replicate projects in specified groups only (this allows us to create a project in a group that is not replicated, to ensure proxying takes place) and select any existing group.
- Create a new group `nosync-group` containing a project `nosync-proj` with a README on the primary; this project won't be replicated to the secondary.
- Create an SSH private/public key pair called `depkey`.
- Create a public deploy key on the primary using the contents of the `depkey` public key file.
- Try to clone the repo from the primary using the deploy key. This fails with the message "The project you were looking for could not be found or you don't have permission to view it.":
  `GIT_SSH_COMMAND="ssh -i ~/.ssh/depkey" git clone git@gitlab-pri.gitlab.example.com:nosync-group/nosync-proj.git`
- Now try to clone from the secondary. The clone succeeds with the message "This request to a Geo secondary node will be forwarded to the Geo primary node":
  `GIT_SSH_COMMAND="ssh -i ~/.ssh/depkey" git clone git@gitlab-sec.gitlab.example.com:nosync-group/nosync-proj.git`
What is the current bug behavior?
`git clone` from the secondary succeeds using the public deploy key even though the deploy key has not been granted access to the project.
What is the expected correct behavior?
`git clone` from the secondary should fail in the same way as the clone from the primary does, with "The project you were looking for could not be found or you don't have permission to view it."
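As an added regression check (not part of this report and not GitLab's own code), the script below attempts the clone with the deploy key against both nodes and expects the refusal banner from each; the key path, host names and project path are placeholders passed as arguments, and the banner strings are the ones quoted in this report.

```bash
#!/usr/bin/env bash
# Added regression check, not GitLab's own code: a deploy key that has NOT been granted
# access to a project must be refused by both the Geo primary and the Geo secondary
# (the secondary proxies to the primary when it holds no up-to-date copy of the repo).
# Assumptions: key path, host names and project path are placeholders given as arguments;
# the "remote:" banner texts matched below are the ones quoted in the report.

# Classify the combined output of one `git clone` attempt.
# Prints one of: denied | proxied-cloned | cloned | other
# The refusal banner is checked first, so "forwarded to the primary" followed by the
# refusal (the expected correct behavior) still counts as denied.
classify_clone_output() {
  local out="$1"
  if printf '%s' "$out" | grep -q "could not be found or you don't have permission"; then
    echo denied
  elif printf '%s' "$out" | grep -q "forwarded to the" && printf '%s' "$out" | grep -q "Receiving objects"; then
    echo proxied-cloned
  elif printf '%s' "$out" | grep -q "Receiving objects"; then
    echo cloned
  else
    echo other
  fi
}

# Clone with the deploy key against one host into a scratch directory and classify the result.
clone_with_deploy_key() {
  local key="$1" host="$2" project="$3" tmp out
  tmp=$(mktemp -d)
  out=$(cd "$tmp" && GIT_SSH_COMMAND="ssh -i $key -o BatchMode=yes" \
        git clone "git@${host}:${project}.git" 2>&1 || true)
  rm -rf "$tmp"
  classify_clone_output "$out"
}

# Expect "denied" from both nodes; anything else from the secondary is the bug in this report.
run_checks() {
  local key="$1" primary="$2" secondary="$3" project="$4" rc=0 host result
  for host in "$primary" "$secondary"; do
    result=$(clone_with_deploy_key "$key" "$host" "$project")
    if [ "$result" = denied ]; then
      echo "OK    $host: deploy key refused ($result)"
    else
      echo "FAIL  $host: deploy key not refused ($result)"; rc=1
    fi
  done
  return "$rc"
}

# Usage: ./geo_deploy_key_check.sh ~/.ssh/depkey gitlab-pri.example.com gitlab-sec.example.com nosync-group/nosync-proj
if [ "$#" -eq 4 ]; then run_checks "$@"; fi
```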
Relevant logs and/or screenshots
Clone from primary:
~$ GIT_SSH_COMMAND="ssh -i ~/.ssh/depkey1" git clone git@gitlab-pri.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net:group1/group1-proj1.git
Cloning into 'group1-proj1'...
remote:
remote: ========================================================================
remote:
remote: The project you were looking for could not be found or you don't have permission to view it.
remote:
remote: ========================================================================
remote:
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Clone from secondary:
~$ GIT_SSH_COMMAND="ssh -i ~/.ssh/depkey1" git clone git@gitlab-sec.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net:group1/group1-proj1.git
Cloning into 'group1-proj1'...
remote:
remote: This request to a Geo secondary node will be forwarded to the
remote: Geo primary node:
remote:
remote: git@gitlab-pri.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net:group1/group1-proj1.git
remote:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
Output of checks
Results of GitLab environment info
Primary:
System information
System:         Ubuntu 20.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.0.6p216
Gem Version:    3.2.33
Bundler Version:2.3.15
Rake Version:   13.0.6
Redis Version:  6.2.11
Sidekiq Version:6.5.7
Go Version:     unknown

GitLab information
Version:        15.11.2-ee
Revision:       916d24d1e48
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     13.8
URL:            https://gitlab-pri.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net
HTTP Clone URL: https://gitlab-pri.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net/some-group/some-project.git
SSH Clone URL:  git@gitlab-pri.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net:some-group/some-project.git
Elasticsearch:  no
Geo:            yes
Geo node:       Primary
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.18.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Secondary:
System information
System:         Ubuntu 20.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.0.6p216
Gem Version:    3.2.33
Bundler Version:2.3.15
Rake Version:   13.0.6
Redis Version:  6.2.11
Sidekiq Version:6.5.7
Go Version:     unknown

GitLab information
Version:        15.11.2-ee
Revision:       916d24d1e48
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     13.8
URL:            https://gitlab-sec.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net
HTTP Clone URL: https://gitlab-sec.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net/some-group/some-project.git
SSH Clone URL:  git@gitlab-sec.jfarmiloe-v14-test-1.gcp.gitlabsandbox.net:some-group/some-project.git
Elasticsearch:  no
Geo:            yes
Geo node:       Secondary
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        14.18.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Results of GitLab application Check
Primary:
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.18.0 ? ... OK (14.18.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
2/2 ... yes
2/35 ... yes
2/68 ... yes
2/69 ... yes
2/70 ... yes
2/103 ... yes
2/104 ... yes
2/105 ... yes
2/106 ... yes
2/107 ... yes
2/108 ... yes
113/109 ... yes
115/110 ... yes
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (3.0.6)
Git user has default SSH configuration? ... yes
Active users: ... 4
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)
Checking GitLab App ... Finished
Checking Geo ...
GitLab Geo is available ...
GitLab Geo is enabled ... yes
This machine's Geo node name matches a database record ... yes, found a primary node named "primary"
HTTP/HTTPS repository cloning is enabled ... yes
Machine clock is synchronized ... yes
Git user has default SSH configuration? ... yes
OpenSSH configured to use AuthorizedKeysCommand ... yes
GitLab configured to disable writing to authorized_keys file ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking Geo ... Finished
Checking GitLab subtasks ... Finished
Secondary:
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.18.0 ? ... OK (14.18.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
2/2 ... yes
2/35 ... yes
2/68 ... yes
2/69 ... yes
2/70 ... yes
2/103 ... yes
2/104 ... yes
2/105 ... yes
2/106 ... yes
2/107 ... yes
2/108 ... yes
113/109 ... yes
115/110 ... yes
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (3.0.6)
Git user has default SSH configuration? ... yes
Active users: ... 4
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)
Checking GitLab App ... Finished
Checking Geo ...
GitLab Geo tracking database is correctly configured ... yes
Database replication enabled? ... yes
Database replication working? ... yes
GitLab Geo HTTP(S) connectivity ...
- Can connect to the primary node ... yes
GitLab Geo secondary Git SSH port is the same as the primary ... yes
GitLab Geo is available ...
GitLab Geo is enabled ... yes
This machine's Geo node name matches a database record ... yes, found a secondary node named "secondary"
HTTP/HTTPS repository cloning is enabled ... yes
Machine clock is synchronized ... yes
Git user has default SSH configuration? ... yes
OpenSSH configured to use AuthorizedKeysCommand ... yes
GitLab configured to disable writing to authorized_keys file ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking Geo ... Finished
Checking GitLab subtasks ... Finished