Merge branch 'ag-fix-sign-in-maintenance-mode' into 'master'

Allow user sign-in in maintenance mode See merge request gitlab-org/gitlab!50067

Merge branch 'ag-fix-sign-in-maintenance-mode' into 'master'
Allow user sign-in in maintenance mode See merge request gitlab-org/gitlab!50067
ceaa83b8 · Michael Kozono · 78239293 · 60bad970 · ceaa83b8 · ceaa83b8
Commit ceaa83b8 authored Dec 16, 2020 by Michael Kozono
3 changed files
--- a/ee/lib/ee/gitlab/middleware/read_only/controller.rb
+++ b/ee/lib/ee/gitlab/middleware/read_only/controller.rb
@@ -24,6 +24,10 @@ module EE
            'repositories/lfs_locks_api' => %w{verify create unlock}
          }.freeze

+          ALLOWLISTED_SIGN_IN_ROUTES = {
+            'sessions' => %w{create}
+          }.freeze
+
          private

          # In addition to routes allowed in FOSS, allow geo node update route
@@ -36,7 +40,7 @@ module EE
            allowed = super || geo_node_update_route? || geo_api_route? || admin_settings_update?

            return true if allowed
-            return false if ::Gitlab.maintenance_mode?
+            return sign_in_route? if ::Gitlab.maintenance_mode?
            return false unless ::Gitlab::Geo.secondary?

            git_write_routes
@@ -82,6 +86,12 @@ module EE
            end
          end

+          def sign_in_route?
+            return unless request.post? && request.path.start_with?('/users/sign_in')
+
+            ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
+          end
+
          def lfs_locks_route?
            # Calling route_hash may be expensive. Only do it if we think there's a possible match
            unless request.path.end_with?('/info/lfs/locks', '/info/lfs/locks/verify') ||

--- a/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
@@ -77,6 +77,13 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
          expect(subject).to disallow_request
        end
      end
+
+      it "expects a POST to /users/sign_in URL to be allowed" do
+        response = request.post('/users/sign_in')
+
+        expect(response).not_to be_redirect
+        expect(subject).not_to disallow_request
+      end
    end
  end
 end
--- a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
@@ -125,6 +125,9 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do
      where(:description, :path) do
        'LFS request to batch'        | '/root/rouge.git/info/lfs/objects/batch'
        'request to git-upload-pack'  | '/root/rouge.git/git-upload-pack'
+        'user sign out'               | '/users/sign_out'
+        'admin session'               | '/admin/session'
+        'admin session destroy'       | '/admin/session/destroy'
      end

      with_them do