Accept RPC name as action param to `/allowed` endpoint
Overview
Gitaly performs an `/allowed` request to GitLab Rails to verify whether an RPC can be performed to mutate a Git repository.
Currently, it always sends `git-receive-pack` as the `action` param, which is used for the access check and in places like:
- https://gitlab.com/gitlab-org/gitlab/blob/d97ce3baab7fbf459728ce18766fefd3abb8892f/lib/gitlab/git_access.rb#L275
- https://gitlab.com/gitlab-org/gitlab/blob/d97ce3baab7fbf459728ce18766fefd3abb8892f/lib/api/helpers/internal_helpers.rb#L172-188
The action is checked to be one of these values: `git-receive-pack`/`git-upload-pack`/`git-upload-archive`
Proposal
Gitaly plans to change this behavior and send the RPC name as `action` instead: Action is hardcoded in calls to `/internal/allo... (gitaly#4581). Granular RPCs will better reflect what actually happens to the repository, which improves the audit.
This issue is about accepting RPC names as the `action` param: https://gitlab.com/gitlab-org/gitaly/-/blob/bd5eeb024c5b3c05d647ef62b4adf54441e1f128/internal/gitlab/gitlabaction/action.go