Skip to content

Add GitLab git-over-HTTP support to the default accept file#110

Merged
ryanduffin merged 2 commits into
mainfrom
cd-242-gitlab-scaffolder-accept-rule
Jun 16, 2026
Merged

Add GitLab git-over-HTTP support to the default accept file#110
ryanduffin merged 2 commits into
mainfrom
cd-242-gitlab-scaffolder-accept-rule

Conversation

@ryanduffin

@ryanduffin ryanduffin commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Add GitLab git-over-HTTP support to the default snyk-broker accept file (accept.gitlab.json).

Background

Accept files inject upstream credentials per matched rule. The GitLab default shipped with a single bearer-auth rule, which is correct for the GitLab REST/GraphQL API. Git operations over HTTP (clone / fetch / push), however, authenticate with HTTP Basic (the token is sent as the password), not bearer. With no Basic-auth rule, a relay-routed git clone has no usable credentials injected and the upstream returns 401, then 404, on /info/refs?service=git-upload-pack (GitLab returns 404 rather than 403 for unauthorized access to private repos).

GitHub's accept file already covers git clones this way; GitLab's did not — this closes that parity gap.

Change

  • Add Basic-auth rules for the three git smart-HTTP endpoints — GET /*/info/refs, POST /*/git-upload-pack, POST /*/git-receive-pack — ordered before the existing catch-all bearer API rule. Matching is first-match-wins, so non-git API traffic continues to use the bearer rule unchanged.
  • Username is ${GITLAB_USERNAME:oauth2}: GitLab git-over-HTTP accepts any non-empty username alongside a token, so this honors a configured GITLAB_USERNAME and otherwise falls back to oauth2 — no new mandatory environment variable.
  • Document GITLAB_USERNAME as an optional GitLab variable in the relay README.

Tests

  • Guardrail unit test asserting the rule shape and ordering in accept.gitlab.json.
  • New arm in the relay e2e harness: a /gitlab/* Basic-auth rule routed to the echo origin, asserting the broker injects Authorization: Basic on a git smart-HTTP path (covers the auth-scheme injection the unit test can't). Verified locally with both relay-test-no-proxy and relay-test-with-proxy.

@ryanduffin ryanduffin marked this pull request as draft June 15, 2026 23:17
The default GitLab accept file had only a bearer-auth rule, which works for the
GitLab REST/GraphQL API. Git operations over HTTP (clone/fetch/push) authenticate
with HTTP Basic (token as the password), not bearer, so a relay-routed git clone
got no usable credentials injected and the upstream returned 401 then 404 on
/info/refs?service=git-upload-pack (GitLab returns 404 for unauthorized access to
private repos).

Add Basic-auth rules for the three git smart-HTTP endpoints (info/refs,
git-upload-pack, git-receive-pack), ordered before the catch-all bearer API rule
so API traffic is unaffected. The Basic username is ${GITLAB_USERNAME:oauth2}:
GitLab git-over-HTTP accepts any non-empty username with a token, so this honors a
configured GITLAB_USERNAME and otherwise falls back to oauth2 -- no new mandatory
env var. Mirrors how the GitHub accept file already handles git clones.

Add a guardrail test asserting the rule shape and ordering.
…ERNAME

- relay-test: add a /gitlab/* Basic-auth rule routed to the echo origin and assert
  the broker injects Authorization: Basic base64(oauth2:${GITLAB_TOKEN}) on a git
  smart-HTTP path. GITLAB_USERNAME is left unset so this also exercises the
  ${GITLAB_USERNAME:oauth2} fallback. Covers the auth-scheme injection that the
  file-shape unit test cannot. Verified with relay-test-no-proxy and
  relay-test-with-proxy.
- README.relay.md: document GITLAB_USERNAME as an optional GitLab var.
@ryanduffin ryanduffin force-pushed the cd-242-gitlab-scaffolder-accept-rule branch from 9324731 to ee000d5 Compare June 15, 2026 23:42
@ryanduffin ryanduffin changed the title [CD-242] Add GitLab scaffolder rule to default accept file Add GitLab git-over-HTTP support to the default accept file Jun 15, 2026
@ryanduffin ryanduffin marked this pull request as ready for review June 16, 2026 19:52
@ryanduffin ryanduffin requested review from akwirick and rychang03 June 16, 2026 19:53
@ryanduffin ryanduffin merged commit 5db358b into main Jun 16, 2026
18 checks passed
@ryanduffin ryanduffin deleted the cd-242-gitlab-scaffolder-accept-rule branch June 16, 2026 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants