Allow deploy tokens and deploy keys with the external authorization

What does this MR do and why?

Allow deploy tokens and deploy keys with the external authorization when the external URL is empty. This is to support using the external authorization feature just for classification labels.


How to set up and validate locally

GitLab setup
  1. Create an admin account admin01 and a regular user user01
  2. Log in as admin01
  3. Create a new group called group01, take a note of the group ID
  4. Create a new project in the group called project01 and make sure to check the box initialize the repository with README. Take a note of the project ID
  5. Go to https://gdk.test:3000/groups/group01/-/group_members and invite user01 as an owner
  6. Go to https://gdk.test:3000/admin/application_settings/general#js-external-auth-settings to activate `external authentication`
  7. Enable the Allow deploy tokens and deploy keys with external authorisation checkbox
  8. Keep Service URL empty and set Default classification label to anything
  9. The settings will be saved
  10. Log out
  11. Log in as user01 and create an access token
  12. Create a deploy token with this access token, using the following curl script

```shell
# Create a group deploy token; <TOKEN> is the access token from step 11.
# The JSON body is a single-quoted string, so it needs no line-continuation backslashes.
curl --request POST \
     --header "PRIVATE-TOKEN: <TOKEN>" \
     --header "Content-Type: application/json" \
     --data '{"name": "My deploy token", "expires_at": "2023-01-01", "username": "token-user",
              "scopes": ["read_repository", "write_package_registry", "read_package_registry",
                         "write_registry", "read_registry"]}' \
     https://gdk.local:3000/api/v4/groups/group01/deploy_tokens/
```

  13. The response will contain a `"token": <DEPLOY-TOKEN>` field, created in the group where we were just restricted from creating a deploy token in step 3
  14. Now try to clone project01 with the personal access token and ensure the repo is cloned

```shell
git clone http://user01:<PERSONAL-TOKEN>@gitlab.example.com/group01/project01.git
```


MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #386656 (closed)

Edited by Aboobacker MK
