Give CI_JOB_TOKEN permission to access internal packages
Summary
In #213723 (closed) we updated permissions to give CI_JOB_TOKENs the ability to install packages from any public project.
It was noted that the same bug existed for internal projects: on EE instances, if a user is authenticated and has read access to an internal project, they should have read access to the packages within that project.
Unfortunately, this was not fixed in the previous issue and the bug persists.
Steps to reproduce
- Create an internal project
- Add a package to the project
- Add a different user to the internal project as a guest
- Attempt to use CI_JOB_TOKEN to install/pull the package from the project
- The installation fails
What is the current bug behavior?
Users with access to an internal project cannot use a CI_JOB_TOKEN from a job in another project to install packages from it.
What is the expected correct behavior?
Users with access to an internal project should be able to use a CI_JOB_TOKEN from a job in another project to install packages from it.
Output of checks
This bug happens on GitLab.com
Possible fixes
The find_project! API helper is overridden for EE, with a different permissions check for CI_JOB_TOKENs: :build_read_project.
In the project policy code, we see that internal projects are not included in this permission.
A possible fix is to update the rule so that it also includes internal_access:
rule { owner | reporter | internal_access | public_project }.enable :build_read_project
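To make the effect of that rule change concrete, here is an added Ruby model of the policy evaluation (illustration only, not GitLab's DeclarativePolicy code). The condition bodies are assumptions that follow the condition names: internal_access is taken to mean a signed-in, non-external user on an internal project, and the "current" rule is reconstructed by dropping internal_access from the proposed one.

```ruby
# Added illustration of the :build_read_project rule change discussed in this
# issue; a simplified model, not GitLab's own policy code (conditions assumed).
Project = Struct.new(:visibility, :members) do
  # members: { "username" => :guest | :reporter | :developer | :maintainer | :owner }
  def role_of(user)
    user && members[user.name]
  end
end

User = Struct.new(:name, :external)

def owner?(project, user)
  project.role_of(user) == :owner
end

# "reporter" in the policy means reporter or any higher role.
def reporter?(project, user)
  %i[reporter developer maintainer owner].include?(project.role_of(user))
end

# Assumed meaning of internal_access: signed-in, non-external user, internal project.
def internal_access?(project, user)
  !user.nil? && project.visibility == :internal && !user.external
end

def public_project?(project, _user)
  project.visibility == :public
end

# Rule as the issue describes it today (internal projects not covered):
#   rule { owner | reporter | public_project }.enable :build_read_project
def build_read_project_current?(project, user)
  owner?(project, user) || reporter?(project, user) || public_project?(project, user)
end

# Rule with the proposed fix:
#   rule { owner | reporter | internal_access | public_project }.enable :build_read_project
def build_read_project_fixed?(project, user)
  build_read_project_current?(project, user) || internal_access?(project, user)
end

# A CI_JOB_TOKEN acts with the permissions of the user who triggered the job,
# so pulling a package from another project reduces to evaluating the rule
# for that user against the target project.
def job_token_can_pull_package?(project, job_user, fixed:)
  fixed ? build_read_project_fixed?(project, job_user) : build_read_project_current?(project, job_user)
end
```

The guest-on-internal-project case from the reproduction steps is denied under the current rule and allowed under the fixed one, while private projects and external users stay denied.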
Considerations
There is an effort underway to limit CI_JOB_TOKEN permissions so that, by default, a token only has access to the project where it originated. We should review how this change may or may not be affected by that update.