Add GitLab git-over-HTTP support to the default accept file#110
Merged
Conversation
The default GitLab accept file had only a bearer-auth rule, which works for the
GitLab REST/GraphQL API. Git operations over HTTP (clone/fetch/push) authenticate
with HTTP Basic (token as the password), not bearer, so a relay-routed git clone
got no usable credentials injected and the upstream returned 401 then 404 on
/info/refs?service=git-upload-pack (GitLab returns 404 for unauthorized access to
private repos).
Add Basic-auth rules for the three git smart-HTTP endpoints (info/refs,
git-upload-pack, git-receive-pack), ordered before the catch-all bearer API rule
so API traffic is unaffected. The Basic username is ${GITLAB_USERNAME:oauth2}:
GitLab git-over-HTTP accepts any non-empty username with a token, so this honors a
configured GITLAB_USERNAME and otherwise falls back to oauth2 -- no new mandatory
env var. Mirrors how the GitHub accept file already handles git clones.
Add a guardrail test asserting the rule shape and ordering.
…ERNAME
- relay-test: add a /gitlab/* Basic-auth rule routed to the echo origin and assert
the broker injects Authorization: Basic base64(oauth2:${GITLAB_TOKEN}) on a git
smart-HTTP path. GITLAB_USERNAME is left unset so this also exercises the
${GITLAB_USERNAME:oauth2} fallback. Covers the auth-scheme injection that the
file-shape unit test cannot. Verified with relay-test-no-proxy and
relay-test-with-proxy.
- README.relay.md: document GITLAB_USERNAME as an optional GitLab var.
9324731 to
ee000d5
Compare
akwirick
approved these changes
Jun 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add GitLab git-over-HTTP support to the default snyk-broker accept file (
accept.gitlab.json).Background
Accept files inject upstream credentials per matched rule. The GitLab default shipped with a single bearer-auth rule, which is correct for the GitLab REST/GraphQL API. Git operations over HTTP (clone / fetch / push), however, authenticate with HTTP Basic (the token is sent as the password), not bearer. With no Basic-auth rule, a relay-routed
git clonehas no usable credentials injected and the upstream returns401, then404, on/info/refs?service=git-upload-pack(GitLab returns404rather than403for unauthorized access to private repos).GitHub's accept file already covers git clones this way; GitLab's did not — this closes that parity gap.
Change
GET /*/info/refs,POST /*/git-upload-pack,POST /*/git-receive-pack— ordered before the existing catch-all bearer API rule. Matching is first-match-wins, so non-git API traffic continues to use the bearer rule unchanged.${GITLAB_USERNAME:oauth2}: GitLab git-over-HTTP accepts any non-empty username alongside a token, so this honors a configuredGITLAB_USERNAMEand otherwise falls back tooauth2— no new mandatory environment variable.GITLAB_USERNAMEas an optional GitLab variable in the relay README.Tests
accept.gitlab.json./gitlab/*Basic-auth rule routed to the echo origin, asserting the broker injectsAuthorization: Basicon a git smart-HTTP path (covers the auth-scheme injection the unit test can't). Verified locally with bothrelay-test-no-proxyandrelay-test-with-proxy.