Prevent deploy token bypass for external authentication
What does this MR do and why?
Prevent deploy token bypass for external authentication (Part 2)
Fix the deploy token bypass by disabling access to the container registry and dependency proxy when external authorization is enabled. Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/382159+
Original MR https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2950
How to set up and validate locally
- Save the following file as external_auth.rb (a minimal external authorization service that denies every request with 403):

```ruby
# frozen_string_literal: true
require 'bundler/inline'

# Install puma and sinatra on the fly so the script runs without a Gemfile
gemfile do
  source 'https://rubygems.org'
  gem 'puma'
  gem 'sinatra'
end

require 'sinatra'

# GitLab POSTs each authorization check to the endpoint; deny all of them
post '/' do
  status 403
  'Hello'
end

Sinatra::Application.run!
```
- Run that file:

```shell
ruby external_auth.rb
```

- Go to Admin -> Settings -> External authorisation
- Enter localhost:4567 as the Endpoint and `test` as the classification label
- Ensure that the dependency proxy and container registry are not accessible
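For a closer look at what the external service actually decides on, here is an added example (not part of this MR or of GitLab's own code) that replaces the deny-all stub with a label-aware service using only the Ruby standard library. It assumes the JSON field names GitLab sends (`user_identifier`, `project_classification_label`) as documented for external authorization; the allow-list and the server port are constructed for this example. Run it with `ruby external_auth_labels.rb serve` and point the Endpoint setting at localhost:4567.

```ruby
# frozen_string_literal: true
require 'json'
require 'socket'

# Classification labels this service grants; 'test' matches the label used
# in the setup steps above (constructed allow-list for this example).
ALLOWED_LABELS = %w[test].freeze

# Decide on one authorization request body. GitLab POSTs JSON carrying
# user_identifier and project_classification_label (field names assumed
# from the external authorization docs). Returns [http_status, reason];
# anything other than 200 is a denial. A body without a user identity is
# denied rather than allowed by default, so the service fails closed.
def decide(body)
  req = JSON.parse(body)
  user = req['user_identifier']
  label = req['project_classification_label']
  return [403, 'no user identity in request'] if user.nil? || user.to_s.empty?
  return [403, "label #{label.inspect} not permitted"] unless ALLOWED_LABELS.include?(label)
  [200, 'allowed']
rescue JSON::ParserError
  [400, 'malformed request body']
end

# Minimal HTTP responder on top of TCPServer so no gems are required.
def serve(port)
  server = TCPServer.new('127.0.0.1', port)
  loop do
    client = server.accept
    request_line = client.gets.to_s
    headers = {}
    while (line = client.gets) && line != "\r\n"
      key, value = line.split(':', 2)
      headers[key.downcase] = value.strip if value
    end
    body = client.read(headers['content-length'].to_i)
    status, reason = request_line.start_with?('POST') ? decide(body) : [405, 'POST only']
    payload = JSON.generate(reason: reason)
    client.write "HTTP/1.1 #{status}\r\nContent-Type: application/json\r\n" \
                 "Content-Length: #{payload.bytesize}\r\nConnection: close\r\n\r\n#{payload}"
    warn "#{Time.now.utc} #{status} #{reason}" # audit line for each decision
    client.close
  end
end

serve(4567) if ARGV.first == 'serve'
```

Every decision is logged to stderr, so during the local validation you can see whether a registry or dependency proxy access ever reached the service at all.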
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Aboobacker MK