koderover/zadig

[bug]Can't read gitlab repo data

graphenn opened this issue · 5 comments

What happened?
My gitlab source can read repo, but can't read repo branch and repo code.

logs:

{"bundles":{"envoy/authz":{"revision":"5a77eaae01248ff64c80444372"}},"decision_id":"5c7021af-ff9045","input":{"attributes":{"destination":{"address":{"socketAddress":{"address":"10.223.18.107","portValue":8080}}},"metadataContext":{},"request":{"http":{"headers":{":authority":"zsxxxxxz",":method":"GET",":path":"/api/aslan/code/codehost/10/branches?repoOwner=xxxxx\u0026repoName=xxxxx\u0026page=1\u0026per_page=200\u0026key=",":scheme":"https","accept":"application/json, text/plain, */*","accept-encoding":"gzip, deflate, br","accept-language":"zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7,en-GB;q=0.6,zh-TW;q=0.5","authorization":"Bearer eyJhbGciOiJIUzI1Nxxxxxx","cookie":"_ga=GA1.1.8176337396.1674968183; _ga_ZTD7N9SFY6=GS1.1.1674968182.1.1.1674969319.0.0.0","referer":"https://zadxxxx/v1/projects/detail/xxxxx/services","sec-ch-ua":"\"Microsoft Edge\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"empty","sec-fetch-mode":"cors","sec-fetch-site":"same-origin","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 
Edg/113.0.1774.57","x-forwarded-for":"xxx","x-forwarded-proto":"https","x-real-ip":"xxx","x-request-id":"ba44edaf40c1-8191-765ee9f22ded"},"host":"zaxxx","id":"12002934250259331644","method":"GET","path":"/api/aslan/code/codehost/10/branches?repoOwner=xxxxx\u0026repoName=xxxxx\u0026page=1\u0026per_page=200\u0026key=","protocol":"HTTP/1.1","scheme":"https"},"time":"2023-05-30T09:13:40.583807Z"},"source":{"address":{"socketAddress":{"address":"xxx","portValue":39604}}}},"parsed_body":null,"parsed_path":["api","aslan","code","codehost","10","branches"],"parsed_query":{"key":[""],"page":["1"],"per_page":["200"],"repoName":["xxxxx"],"repoOwner":["xxxxx"]},"truncated_body":false,"version":{"encoding":"protojson","ext_authz":"v3"}},"labels":{"id":"8c747837-ce43-4add-be86-f0a14f1c1305","version":"0.33.1-envoy-2"},"level":"info","metrics":{"timer_rego_external_resolve_ns":2420,"timer_rego_query_compile_ns":115811,"timer_rego_query_eval_ns":9694235,"timer_server_handler_ns":10196072},"msg":"Decision Log","query":"data.rbac.response","requested_by":"","result":{"allowed":true,"headers":{"Roles":"[{\"name\":\"admin\",\"namespace\":\"*\"},{\"name\":\"project-admin\",\"namespace\":\"\"}]"}},"time":"2023-05-30T09:13:40Z","timestamp":"2023-05-30T09:13:40.595702457Z","type":"openpolicyagent.org/decision_logs"}

Is this scope right?

zadig 1.17
gitlab 15.10

What did you expect to happen?
get repo branch and data

How To Reproduce it(as minimally and precisely as possible)
create new gitlab auth
check repo result

Install Methods

  • Helm
  • Script base on K8s
  • All in One
  • Offline

Versions Used
zadig:
1.17
kubernetes:
1.26

Environment

Cloud Provider:
Self-hosting

Resources:

OS:

Services Status

kubectl version
kubectl get po -n `zadig-installed-namespace`
# paste output here

If there is abnormal service, please provide service log

kubectl describe pods `abnormal-pod`
kubectl logs --tail=500 `abnormal-pod`
# paste output here

I have tested with an API token, same user; the API token can fetch the repo correctly. Authorization is OK.

==> /var/log/gitlab/gitlab-workhorse/current <==
{"content_type":"application/json","correlation_id":"xxx","duration_ms":335,"host":"xxx","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","route":"^/api/","status":200,"system":"http","time":"2023-05-30T16:19:32Z","ttfb_ms":334,"uri":"/api/v4/groups/xxx/projects?order_by=name\u0026page=1\u0026per_page=200\u0026sort=asc","user_agent":"go-gitlab","written_bytes":36085}

==> /var/log/gitlab/nginx/gitlab_access.log <==
xxx - - [30/May/2023:16:19:32 +0000] "GET /api/v4/groups/xxx/projects?order_by=name&page=1&per_page=200&sort=asc HTTP/1.0" 200 36085 "" "go-gitlab" -

==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2023-05-30T16:19:33.568Z","severity":"INFO","duration_s":0.0009,"db_duration_s":0.0,"view_duration_s":0.0009,"status":404,"method":"GET","path":"/api/v4","params":[],"host":"xxx","remote_ip":"xxx, xxx, 127.0.0.1","ua":"Go-http-client/2.0","route":"/api/:version/*path","db_count":0,"db_write_count":0,"db_cached_count":0,"db_replica_count":0,"db_primary_count":0,"db_main_count":0,"db_main_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_main_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_main_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.0,"db_main_duration_s":0.0,"db_main_replica_duration_s":0.0,"cpu_s":0.009418,"mem_objects":3402,"mem_bytes":287656,"mem_mallocs":1137,"mem_total_bytes":423736,"pid":435,"worker_id":"puma_0","rate_limiting_gates":[],"correlation_id":"xxx","meta.caller_id":"* /api/:version/*path","meta.remote_ip":"xxx","meta.feature_category":"not_owned","meta.client_id":"ip/xxx","request_urgency":"default","target_duration_s":1}

==> /var/log/gitlab/gitlab-workhorse/current <==
{"content_type":"application/json","correlation_id":"xxx","duration_ms":12,"host":"xxx","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","route":"^/api/","status":404,"system":"http","time":"2023-05-30T16:19:33Z","ttfb_ms":12,"uri":"/api/v4/","user_agent":"Go-http-client/2.0","written_bytes":25}

==> /var/log/gitlab/nginx/gitlab_access.log <==
xxx - - [30/May/2023:16:19:33 +0000] "GET /api/v4/ HTTP/1.0" 404 25 "" "Go-http-client/2.0" -

==> /var/log/gitlab/gitlab-rails/api_json.log <==
{"time":"2023-05-30T16:19:33.584Z","severity":"INFO","duration_s":0.00084,"db_duration_s":0.0,"view_duration_s":0.00084,"status":404,"method":"GET","path":"/api/v4/projects/xxx/xxx/repository/branches","params":[{"key":"page","value":"1"},{"key":"per_page","value":"200"},{"key":"search","value":"[FILTERED]"}],"host":"xxx","remote_ip":"xxx, xxx, 127.0.0.1","ua":"go-gitlab","route":"/api/:version/*path","db_count":0,"db_write_count":0,"db_cached_count":0,"db_replica_count":0,"db_primary_count":0,"db_main_count":0,"db_main_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_main_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_main_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.0,"db_main_duration_s":0.0,"db_main_replica_duration_s":0.0,"cpu_s":0.00962,"mem_objects":3327,"mem_bytes":288728,"mem_mallocs":1161,"mem_total_bytes":421808,"pid":435,"worker_id":"puma_0","rate_limiting_gates":[],"correlation_id":"xxx","meta.caller_id":"* /api/:version/*path","meta.remote_ip":"xxx","meta.feature_category":"not_owned","meta.client_id":"ip/xxx","request_urgency":"default","target_duration_s":1}

==> /var/log/gitlab/gitlab-workhorse/current <==
{"content_type":"application/json","correlation_id":"xxx","duration_ms":12,"host":"xxx","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","route":"^/api/","status":404,"system":"http","time":"2023-05-30T16:19:33Z","ttfb_ms":12,"uri":"/api/v4/projects/xxx/xxx/repository/branches?page=1\u0026per_page=200\u0026search=","user_agent":"go-gitlab","written_bytes":25}

==> /var/log/gitlab/nginx/gitlab_access.log <==
xxx - - [30/May/2023:16:19:33 +0000] "GET /api/v4/projects/xxx/xxx/repository/branches?page=1&per_page=200&search= HTTP/1.0" 404 25 "" "go-gitlab" -

gitlab's log

Why are there multiple auth records (with wrong permission)?

Why are there multiple auth records (with wrong permission)?

This is the Authorized app by zadig.

And I have tested manually adding the extra scope "read_repository" to the zadig authorize URI, and the issue is the same.

OK, I solved this issue.

My GitLab is behind an nginx, and I set

proxy_pass https://gitlab.mydomian.com/

This causes NGINX to unescape %2f to a forward slash. According to the documentation, this is not accepted.

Just change it to

proxy_pass https://gitlab.mydomian.com

Everything works well~
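
A check for the symptom visible in the GitLab logs above, as an added example that is not part of the original thread or of Zadig's or GitLab's code: it scans `api_json.log` lines for 404s on the catch-all route whose path holds an unencoded `group/project`, and reports the `%2F` form the API expects. The function names, the `SUBRESOURCES` subset and the sample lines are assumptions constructed for this illustration.

```python
import json
from urllib.parse import quote

CATCH_ALL = "/api/:version/*path"  # route logged on the 404 entries in the thread
PREFIX = "/api/v4/projects/"
# Sub-resources that follow the project segment (illustrative subset, an assumption).
SUBRESOURCES = {"repository", "merge_requests", "pipelines", "hooks"}

def expected_path(path):
    """Return the path GitLab expects if `path` holds an unencoded group/project, else None."""
    if not path.startswith(PREFIX):
        return None
    segs = path[len(PREFIX):].split("/")
    for i, seg in enumerate(segs):
        if seg in SUBRESOURCES:
            if i < 2:  # a single segment (numeric ID or encoded path) precedes it: intact
                return None
            project = quote("/".join(segs[:i]), safe="")  # "/" becomes %2F
            return PREFIX + project + "/" + "/".join(segs[i:])
    return None

def find_decoded_project_paths(log_lines):
    """Scan api_json.log lines for 404s on the catch-all route caused by a decoded %2F."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # "==> file <==" headers and plain-text nginx access lines
        if not isinstance(entry, dict):
            continue
        if entry.get("status") != 404 or entry.get("route") != CATCH_ALL:
            continue
        fixed = expected_path(entry.get("path", ""))
        if fixed:
            findings.append((entry["path"], fixed))
    return findings

# Constructed sample lines, trimmed to the fields the check reads.
SAMPLE = [
    "==> /var/log/gitlab/gitlab-rails/api_json.log <==",
    '{"status":404,"path":"/api/v4/projects/mygroup/myrepo/repository/branches","route":"/api/:version/*path"}',
    '{"status":404,"path":"/api/v4","route":"/api/:version/*path"}',
    '{"status":200,"path":"/api/v4/projects/42/repository/branches","route":"/api/:version/projects/:id/repository/branches"}',
]

if __name__ == "__main__":
    for seen, wanted in find_decoded_project_paths(SAMPLE):
        print(f"404 on {seen}\n  client most likely sent {wanted}")
```

A hit from this check points at a reverse proxy in front of GitLab that decodes the request URI, which is what `proxy_pass` with a trailing URI part did in this thread.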