Group Access token support for Dependency Proxy
Proposal
The Dependency Proxy does not support Group access tokens.
We should expand the Dependency Proxy authentication to allow for use of Group access tokens.
Group access tokens allow the specification of a user role for permission level, as well as scopes.
Dependency Proxy access requires at least the Guest role for a user, so we should require the same minimum role for these tokens.
Technical notes
At first glance, docker login apparently works:
rad@mjolnirv3 ~/g/gitlab (362991-group-access-token-support-for-dependency-proxy)> docker login http://gdk.test:3000 -p glpat-redacted
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Username: group
WARNING! Your password will be stored unencrypted in /Users/rad/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
But behind the scenes, GitLab actually responded with an HTTP 401. The next docker pull operation fails with an unauthorized response:
rad@mjolnirv3 ~/g/gitlab (362991-group-access-token-support-for-dependency-proxy)> docker pull gdk.test:3000/flightjs/dependency_proxy/containers/alpine:3.14.0
Error response from daemon: unauthorized: authentication required
The code has changed a bit since this issue was created (see the #previous-technical-notes section). When passed a group access token, Gitlab::Auth.personal_access_token_check now returns a non-nil result. Despite this, we still get an HTTP 401 response when we attempt to authenticate with a group access token.
The HTTP 401 response happens here.
case user_or_deploy_token
when User
  @authentication_result = Gitlab::Auth::Result.new(user_or_deploy_token, nil, :user, [])
  sign_in(user_or_deploy_token) # fails for non-human (bot) users
when DeployToken
  @authentication_result = Gitlab::Auth::Result.new(user_or_deploy_token, nil, :deploy_token, [])
end
sign_in(user) results in an HTTP 401 when passed a non-human user, which is what we have with a Group Access Token.
The solution may be to skip the sign_in step unless the passed user is a human user.
Previous Technical notes
The reason Group Access tokens do not work for the Dependency Proxy is the same reason Project Access tokens do not work as noted in this comment: #332411 (comment 862009476):
The dependency proxy works at the group level, meaning most requests supply a group. When authenticating, there is no group supplied, the credentials are supplied to the JwtController and the user is found via GitLab::Auth#find_for_git_client. Personal access tokens are processed here. There is a block of code:

if project && token.user.project_bot?
  return unless token_bot_in_resource?(token.user, project)
end

Where we check if the bot user for the project_access_token has access to the given project. The problem is we do not have a project. In the JwtController, we pass nil as the project value. Looking a bit deeper into the token_bot_in_resource? method from above, we can see that it will actually accept a group as a value.
So to resolve this, we need to find a way to skip the conditional block noted above when the request is for the Dependency Proxy (and possibly the container registry; this would be worth checking).
Initial ideas:
If it is a matter of skipping it anytime we are coming from JwtController, we could just pass a specific non-nil value for project, or a flag that will allow us to bypass that conditional.