Merge branch '493732_fix_401_error_for_go_get' into 'master'

Go-get: fix 401 error for unauthenticated requests See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167640 Merged-by: Bojan Marjanovic <bmarjanovic@gitlab.com> Approved-by: Olaoluwa Oluro <olaoluro@gitlab.com> Approved-by: Bojan Marjanovic <bmarjanovic@gitlab.com> Reviewed-by: Vasilii Iakliushin <viakliushin@gitlab.com> Reviewed-by: Duo Code Reviewer <duo-code-review-bot@gitlab.com> Co-authored-by: Vasilii Iakliushin <viakliushin@gitlab.com>

Merge branch '493732_fix_401_error_for_go_get' into 'master'
2daf3a7f · Bojan Marjanovic · GitLab · f429858e · ef703d04 · 2daf3a7f
--- a/config/feature_flags/gitlab_com_derisk/go_get_handle_401_error.yml
+++ b/config/feature_flags/gitlab_com_derisk/go_get_handle_401_error.yml
+---
+name: go_get_handle_401_error
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/493732
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167640
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/496539
+milestone: '17.5'
+group: group::source code
+type: gitlab_com_derisk
+default_enabled: false
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -131,6 +131,10 @@ def project_for_path(path_info)
      def can_read_project?(request, project)
        return true if project.public?
+        if Feature.enabled?(:go_get_handle_401_error, Feature.current_request) && !has_basic_credentials?(request)
+          return false
+        end
        login, password = user_name_and_password(request)
        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, request: request)

--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -60,6 +60,27 @@
                it 'returns the 2-segment path' do
                  expect_response_with_path(go, enabled_protocol, project.full_path)
                end
+                context 'when instance does not allow password authentication for Git over HTTP(S)' do
+                  before do
+                    stub_application_setting(password_authentication_enabled_for_git: false)
+                  end
+                  it 'returns the 2-segment path' do
+                    expect_response_with_path(go, enabled_protocol, project.full_path)
+                  end
+                  context 'when "go_get_handle_401_error" feature flag disabled' do
+                    before do
+                      stub_feature_flags(go_get_handle_401_error: false)
+                    end
+                    it 'returns 401 error response' do
+                      response = go
+                      expect(response[0]).to eq(401)
+                    end
+                  end
+                end
              end
              context 'when authorization header is present but invalid' do