Skip to content

Add Dependency Proxy support for group access tokens

Radamanthus Batnag requested to merge 362991-group-access-token-support-for-dependency-proxy into master

What does this MR do and why?

Currently, group access tokens and project access tokens do not work with the Dependency Proxy. The authentication process results in an HTTP 401 because we attempt to sign_in with the token user during Dependency Proxy authentication.

🚑 Solution

During Dependency Proxy authentication, we should only attempt to sign_in only when the user is a human user.

  • Modify Groups::DependencyProxy::ApplicationController#authenticate_user_from_jwt_token! to skip sign_in if the user from the token is a project_bot
  • Modify spec/controllers/groups/dependency_proxy_auth_controller_spec.rb specs:
    • Add contexts for a group access token and an invalid group access token
    • Refactor to DRY up common setup code

NOTE: Although this MR enables docker login for a project access token, docker pull operations will still fail with project access tokens. Changes are needed in GroupPolicy to implement Dependency Proxy support for project access tokens. Project access tokens will be covered in #332411

Screenshots or screen recordings

NA

How to set up and validate locally

  1. Enable Dependency Proxy for a group
  2. Create a Group access token for the group
  3. Clear docker credentials: docker logout http://gdk.test:3000
  4. Login: docker login http://gdk.test:3000 -p <group_access_token>
  5. Pull an image: docker pull gdk.test:3000/flightjs/dependency_proxy/containers/alpine:latest

Expected results:

  • Master branch: The docker pull operation fails with an Error response from daemon: unauthorized: authentication required response
  • MR branch:
    • The docker pull operation succeeds
    • If you open the group dependency proxy page (Group home -> Operate -> Dependency Proxy, or http://gdk.test:3000/groups/<group-namespace>/-/dependency_proxy), you should see the pulled image in the list of images

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #362991 (closed)

Edited by Radamanthus Batnag

Merge request reports