Member check Push Rule prevents push repository mirroring when signed commits are enabled
### Summary
When repository mirroring is enabled with signed commits and the "Confirm committer is a GitLab member" push rule is active, mirror synchronization fails with the error:
```
remote: GitLab: Committer '*****@example.gitlab.com' is not a member of team
```
Enabling signed commits causes the instance email `noreply@example.gitlab.com` to be set as the committer email. When the push rule tries to confirm that this email matches a legitimate user, the check fails:
**File**: `ee/lib/ee/gitlab/checks/push_rules/commit_check.rb` (lines 78-91)
```ruby
def check_member(commit)
  return if signed_by_gitlab?(commit)
  return unless push_rule.member_check

  unless ::User.find_by_any_email(commit.author_email).present?
    return "Author '#{commit.author_email}' is not a member of team"
  end

  if commit.author_email.casecmp(commit.committer_email) != 0
    unless ::User.find_by_any_email(commit.committer_email).present?
      "Committer '#{commit.committer_email}' is not a member of team"
    end
  end
end
```
### Steps to reproduce
1. Enable [signed commits](https://docs.gitlab.com/user/project/repository/signed_commits/)
2. Set up a push mirror between project A and B
3. Tick "[Ensure committer is a gitlab member](https://docs.gitlab.com/user/project/repository/push_rules/#verify-users:~:text=Check%20whether%20the%20commit%20author%20is%20a%20GitLab%20user%3A%20Both%20the%20commit%20author%20and%20committer%20email%20addresses%20must%20match%20a%20GitLab%20user%E2%80%99s%20verified%20email%20addresses.)" push rule in project B
4. Observe that mirroring now fails because the noreply email associated with the pushed commit is not attached to a GitLab instance user
### What is the current _bug_ behavior?
Commits pushed by the Gitaly RPC call for mirroring fail with:
```
13:push to mirror: git push: exit status 1, stderr: "remote: GitLab: Committer *****@gitlab.example.com' is not a member of team \nTo <example-repository>.git \n ! [remote rejected] main -> main (pre-receive hook declined) \n ! [remote rejected] 1.0.525 -> 1.0.525 (pre-receive hook declined) \nerror: failed to push some refs to '<example-repository>.git'\n".
```
### What is the expected _correct_ behavior?
Push mirroring should still be possible when signed commits are enabled for the instance and projects are configured with the push rule that ensures the committer is legitimate. Commits made by the Gitaly RPC call should be treated as coming from a member of the team, or be ignored by the `check_member` rule for push mirroring.
### Output of checks
This bug happens on GitLab Self-Managed when Signed Commits feature is enabled.
### Possible fixes
The `signed_by_gitlab?()` method could check for `:SIGNER_SYSTEM` signer status **without** requiring `updated_from_web?` to be true (I don't think push mirroring is done by web, but by RPC call).
**Option 1**: Remove the `updated_from_web?` requirement
```ruby
def signed_by_gitlab?(commit)
  return false unless commit.has_signature?

  commit_signatures[commit.id][:signer] == :SIGNER_SYSTEM
end
```
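The following Ruby sketch is an added example, not GitLab's code: it models `check_member` with both exemption variants to show that Option 1 lets an instance-signed mirror commit through, while a commit that merely copies the noreply committer email is still rejected. The `Commit` struct, the member list, the `from_web` flag and the assumed current behaviour of `signed_by_gitlab?` (system signature plus `updated_from_web?`) are assumptions for illustration.

```ruby
# Simplified stand-alone model of the member check; not GitLab's code.
# Commit, MEMBER_EMAILS and the from_web flag are constructed for illustration.
Commit = Struct.new(:id, :author_email, :committer_email, :signer, keyword_init: true)

MEMBER_EMAILS = ['dev@example.com'].freeze   # constructed: verified member emails
NOREPLY = 'noreply@example.gitlab.com'       # instance committer email from the report

# Assumed current behaviour: exemption needs a system signature AND a web update.
def signed_by_gitlab_current?(commit, from_web:)
  from_web && commit.signer == :SIGNER_SYSTEM
end

# Option 1 from the report: exemption depends on the verified signer status only.
def signed_by_gitlab_option1?(commit, from_web:)
  commit.signer == :SIGNER_SYSTEM
end

def member?(email)
  MEMBER_EMAILS.any? { |m| m.casecmp?(email) }
end

# Follows the structure of check_member: returns an error string or nil.
def check_member(commit, exempt:, from_web:)
  return if send(exempt, commit, from_web: from_web)
  return "Author '#{commit.author_email}' is not a member of team" unless member?(commit.author_email)
  return if commit.author_email.casecmp?(commit.committer_email)

  "Committer '#{commit.committer_email}' is not a member of team" unless member?(commit.committer_email)
end

# Constructed commits: one signed by the instance, one that only copies the email.
system_signed = Commit.new(id: 'a1', author_email: 'dev@example.com',
                           committer_email: NOREPLY, signer: :SIGNER_SYSTEM)
spoofed       = Commit.new(id: 'b2', author_email: 'dev@example.com',
                           committer_email: NOREPLY, signer: nil)

# A mirror push arrives over RPC, so from_web is false in both variants.
def results(commit)
  {
    current_mirror: check_member(commit, exempt: :signed_by_gitlab_current?, from_web: false),
    option1_mirror: check_member(commit, exempt: :signed_by_gitlab_option1?, from_web: false)
  }
end

puts results(system_signed).inspect
puts results(spoofed).inspect
```

The exemption in this model is keyed on the verified signer status rather than on the committer email, so the member check keeps its value against commits that only set the noreply address.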