Prevent hidden projects to be cloned or pulled via git actions

What does this MR do and why?

  • This MR disables downloading a project (git clone or git pull) if it is marked for delayed deletion (soft-deleted) and is a free project (i.e. its hidden attribute is set to true).
  • Pushing to such projects (git push) is already blocked.

Screenshots or screen recordings

(screenshot not reproduced in this text)

How to set up and validate locally

  1. Ensure that your GDK/local setup has an Ultimate license.
  2. Enable check_namespace_plan via the application settings API so that even if the instance is on an Ultimate plan, we can still create users without plans or on free plans.
  3. Follow this doc so that your setup behaves as SaaS and therefore even if the instance is on an Ultimate plan, we can still create users without plans or on free plans, OR enable check_namespace_plan via the application settings API so that even if the instance is on an Ultimate plan, we can still create groups without plans.
  4. Enable the delayed deletion feature at the instance level by navigating to Admin > Settings > General, enable "Default delayed project deletion" and set "Default deletion delay" to a value greater than 0.
  5. Create a user or use an existing user. Make sure that the user is on the free/default plan from the admin panel (https://gdk.test:3000/admin/users/user-name/edit).
  6. Log in as the above user and create a new project.
  7. Clone the project locally using git clone <git url>. You should be able to clone the repo.
➜ tmp git clone https://gdk.test:3000/root/project1.git
Cloning into 'project1'...
remote: Enumerating objects: 6, done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 6
Receiving objects: 100% (6/6), done.
  8. Delete the above project from the GitLab (GDK) UI by navigating to the project settings and deleting the project.
  9. Run git pull locally from inside the project's directory. You shouldn't be able to pull, and you should see the following error.
➜ project1 git:(main) git pull
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://gdk.test:3000/root/project1.git/': The requested URL returned error: 403
  10. Remove the cloned project locally by running rm -rf <project_name> and then clone the project again using git clone <git url>. You should get the following error.
git clone https://gdk.test:3000/root/project1.git
Cloning into 'project1'...
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://gdk.test:3000/root/project1.git/': The requested URL returned error: 403
  11. Log in as an admin user and visit the pending deletion dashboard. Restore the above project.
  12. Clone the repo locally again; this time you should be able to clone it successfully.
➜ tmp git clone https://gdk.test:3000/root/project1.git
Cloning into 'project1'...
remote: Enumerating objects: 6, done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 6
Receiving objects: 100% (6/6), done.
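The validation steps above exercise one rule: a project that is both hidden (free plan) and marked for delayed deletion must refuse downloads (clone/pull) as well as pushes, and must become reachable again once an admin restores it. As an added illustration that is not GitLab's code, the following Ruby model encodes that rule and replays the sequence of states from the steps above; the Project struct, the GitAccessPolicy class and the push-rejection wording are hypothetical, and only the download message is the one quoted in the validation output.

```ruby
# Added example (not GitLab's code): a minimal model of the access rule this MR
# describes, so the validation steps can be reasoned about without a GDK.
# Project, GitAccessPolicy and the push message are hypothetical names/wording.
Project = Struct.new(:path, :hidden, :marked_for_deletion, keyword_init: true)

class GitAccessPolicy
  DOWNLOAD_ACTIONS = %i[clone pull].freeze   # git clone / git pull
  UPLOAD_ACTIONS   = %i[push].freeze         # git push

  # Message git shows on the client, as quoted in the validation steps.
  DOWNLOAD_BLOCKED = "You are not allowed to download code from this project."
  # Push wording is assumed; the MR only states that pushes were already blocked.
  UPLOAD_BLOCKED = "You are not allowed to push code to this project."

  Result = Struct.new(:allowed, :status, :message, keyword_init: true)

  # "hidden" marks a free-plan project; combined with a pending (delayed)
  # deletion the project must be unreachable over git in both directions.
  def hidden_and_pending_deletion?(project)
    project.hidden && project.marked_for_deletion
  end

  def check(project, action)
    known = DOWNLOAD_ACTIONS + UPLOAD_ACTIONS
    raise ArgumentError, "unknown git action #{action.inspect}" unless known.include?(action)

    return Result.new(allowed: true, status: 200, message: nil) unless hidden_and_pending_deletion?(project)

    message = DOWNLOAD_ACTIONS.include?(action) ? DOWNLOAD_BLOCKED : UPLOAD_BLOCKED
    Result.new(allowed: false, status: 403, message: message)
  end

  # Replay the validation sequence from the MR description against a
  # constructed project and return the [action, status] pairs observed.
  def self.validation_walkthrough
    policy   = new
    project  = Project.new(path: "root/project1", hidden: true, marked_for_deletion: false)
    observed = []

    observed << [:clone, policy.check(project, :clone).status]  # fresh project: clone works
    project.marked_for_deletion = true                          # deleted from the UI -> delayed deletion
    observed << [:pull,  policy.check(project, :pull).status]   # pull now refused (403)
    observed << [:clone, policy.check(project, :clone).status]  # fresh clone refused too
    observed << [:push,  policy.check(project, :push).status]   # push was already refused
    project.marked_for_deletion = false                         # admin restores from pending deletion
    observed << [:clone, policy.check(project, :clone).status]  # clone works again

    observed
  end
end

if __FILE__ == $PROGRAM_NAME
  GitAccessPolicy.validation_walkthrough.each { |action, status| puts "#{action}: #{status}" }
end
```

The model deliberately uses the same predicate for uploads and downloads: the point of the MR is that the download side had been left open while the push side was already closed, so a single check feeding both git-upload-pack and git-receive-pack decisions is the shape a reviewer should look for.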

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/366568

Edited by Huzaifa Iftikhar
