Refactor to pass personal access token scopes in policy code
What does this MR do and why?
This reintroduces the changes in !141358 (merged) and fixes the issue that caused the query timeouts by using a different method to get the dependency proxy group.
- Modified `Auth::DependencyProxyAuthenticationService` to include the `PersonalAccessToken`'s token in the encoded `JsonWebToken` response
- Modified the spec helper `DependencyProxyHelpers#build_jwt` to mirror the change in `Auth::DependencyProxyAuthenticationService`
- Modified `DependencyProxy::AuthTokenService` to extract the token string and return the matching `PersonalAccessToken`.
- Modified `Groups::DependencyProxy::ApplicationController` to handle `PersonalAccessToken`s, in addition to `User`s and `DeployToken`s.
  - Memoized the token to the instance var `@auth_token`.
- Modified `DependencyProxy::GroupAccess`. If `auth_token` is present and the user is a group access token user, pass `auth_token` instead of `auth_user` to the `can?(...)` call
- Created a new policy class, `DependencyProxy::GroupPolicy`, and moved the dependency-proxy specific rules into this class
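As an added illustration (not code from this MR or from GitLab), the Ruby sketch below models the flow the list above describes end to end: the PAT's token string is carried in the signed token, the receiving service hashes it and looks the PAT back up, and the policy receives the PAT (rather than its user) as the subject when the user is a group access token user, so the token's scopes decide the outcome. The class names, the HMAC-signed token format, the `read_registry` scope requirement, and the sample users, tokens and group are all assumptions made for the example.

```ruby
require 'json'
require 'base64'
require 'openssl'
require 'digest'

# Constructed stand-ins for the models involved; not GitLab's ActiveRecord classes.
User = Struct.new(:id, :username, :project_bot, keyword_init: true)
DeployToken = Struct.new(:id, :read_registry, keyword_init: true)
PersonalAccessToken = Struct.new(:id, :user, :token_digest, :scopes, keyword_init: true)
Group = Struct.new(:id, :member_ids, :dependency_proxy_enabled, keyword_init: true)

# Hypothetical analogue of the JWT the authentication service returns. The PAT's
# token string travels in the claims so the receiving side can look the PAT up.
module DependencyProxyJwt
  SECRET = 'example-only-hmac-secret'.freeze # assumption; GitLab signs with a key pair

  def self.encode(claims)
    payload = Base64.urlsafe_encode64(JSON.generate(claims), padding: false)
    "#{payload}.#{sign(payload)}"
  end

  def self.decode(jwt)
    payload, sig = jwt.to_s.split('.', 2)
    raise ArgumentError, 'invalid signature' unless sig && secure_equal?(sig, sign(payload))
    JSON.parse(Base64.urlsafe_decode64(payload))
  end

  def self.sign(payload)
    Base64.urlsafe_encode64(OpenSSL::HMAC.digest('SHA256', SECRET, payload), padding: false)
  end

  # Constant-time comparison so the signature check does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical analogue of DependencyProxy::AuthTokenService after the change:
# resolve the JWT to a User, DeployToken or PersonalAccessToken. For a PAT the
# token string from the claims is hashed and matched against stored digests.
class AuthTokenService
  def initialize(users:, deploy_tokens:, personal_access_tokens:)
    @users, @deploy_tokens, @pats = users, deploy_tokens, personal_access_tokens
  end

  def execute(jwt)
    claims = DependencyProxyJwt.decode(jwt)
    if (token = claims['personal_access_token'])
      digest = Digest::SHA256.hexdigest(token)
      @pats.find { |pat| pat.token_digest == digest }
    elsif claims['deploy_token_id']
      @deploy_tokens.find { |dt| dt.id == claims['deploy_token_id'] }
    elsif claims['user_id']
      @users.find { |u| u.id == claims['user_id'] }
    end
  end
end

# Hypothetical analogue of DependencyProxy::GroupPolicy: the dependency-proxy
# rules live here and accept a PAT as the subject so its scopes can be checked.
class DependencyProxyGroupPolicy
  REQUIRED_SCOPE = 'read_registry'.freeze # assumption for the example

  def initialize(subject, group)
    @subject, @group = subject, group
  end

  def can_read_dependency_proxy?
    return false unless @group.dependency_proxy_enabled
    case @subject
    when DeployToken then @subject.read_registry
    when PersonalAccessToken
      @subject.scopes.include?(REQUIRED_SCOPE) && @group.member_ids.include?(@subject.user.id)
    when User then @group.member_ids.include?(@subject.id)
    else false
    end
  end
end

# Hypothetical analogue of the DependencyProxy::GroupAccess change: when the PAT
# belongs to a group access token (project bot) user, the PAT itself is passed to
# the policy instead of the user, so a token lacking the scope is refused.
def dependency_proxy_read_allowed?(jwt, group, auth_service)
  auth_token = auth_service.execute(jwt)
  auth_user = auth_token.is_a?(PersonalAccessToken) ? auth_token.user : auth_token
  subject = auth_token.is_a?(PersonalAccessToken) && auth_user.project_bot ? auth_token : auth_user
  DependencyProxyGroupPolicy.new(subject, group).can_read_dependency_proxy?
end

# Constructed sample data: one human member, one group access token (bot) user
# with two PATs, one deploy token. The token strings are made up, not real PATs.
HUMAN = User.new(id: 1, username: 'alice', project_bot: false)
BOT = User.new(id: 2, username: 'group_42_bot', project_bot: true)
BOT_TOKEN_OK = 'glpat-example-with-registry-scope'
BOT_TOKEN_API = 'glpat-example-api-only'
PATS = [
  PersonalAccessToken.new(id: 10, user: BOT, token_digest: Digest::SHA256.hexdigest(BOT_TOKEN_OK), scopes: %w[read_registry]),
  PersonalAccessToken.new(id: 11, user: BOT, token_digest: Digest::SHA256.hexdigest(BOT_TOKEN_API), scopes: %w[read_api])
]
DEPLOY = DeployToken.new(id: 20, read_registry: true)
GROUP = Group.new(id: 42, member_ids: [1, 2], dependency_proxy_enabled: true)
SERVICE = AuthTokenService.new(users: [HUMAN, BOT], deploy_tokens: [DEPLOY], personal_access_tokens: PATS)
```

With this arrangement the bot's `read_registry` token is allowed through while its `read_api`-only token is refused, even though both belong to the same group member; without passing the PAT as the subject, the policy would only ever see the bot user and could not tell the two tokens apart.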
Query Analysis
Group.find_by_full_path(params[:group_id], follow_redirects: true)
Query 1
SELECT "routes".* FROM "routes" WHERE "routes"."path" = '<redacted>' LIMIT 1
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86124 (internal)
Query 2
SELECT
"namespaces"."id",
"namespaces"."name",
"namespaces"."path",
"namespaces"."owner_id",
"namespaces"."created_at",
"namespaces"."updated_at",
"namespaces"."type",
"namespaces"."description",
"namespaces"."avatar",
"namespaces"."share_with_group_lock",
"namespaces"."visibility_level",
"namespaces"."request_access_enabled",
"namespaces"."description_html",
"namespaces"."lfs_enabled",
"namespaces"."parent_id",
"namespaces"."require_two_factor_authentication",
"namespaces"."two_factor_grace_period",
"namespaces"."cached_markdown_version",
"namespaces"."runners_token",
"namespaces"."project_creation_level",
"namespaces"."runners_token_encrypted",
"namespaces"."auto_devops_enabled",
"namespaces"."custom_project_templates_group_id",
"namespaces"."file_template_project_id",
"namespaces"."ldap_sync_error",
"namespaces"."ldap_sync_last_successful_update_at",
"namespaces"."ldap_sync_last_sync_at",
"namespaces"."ldap_sync_last_update_at",
"namespaces"."repository_size_limit",
"namespaces"."saml_discovery_token",
"namespaces"."shared_runners_minutes_limit",
"namespaces"."extra_shared_runners_minutes_limit",
"namespaces"."ldap_sync_status",
"namespaces"."membership_lock",
"namespaces"."last_ci_minutes_notification_at",
"namespaces"."last_ci_minutes_usage_notification_level",
"namespaces"."subgroup_creation_level",
"namespaces"."max_pages_size",
"namespaces"."max_artifacts_size",
"namespaces"."mentions_disabled",
"namespaces"."default_branch_protection",
"namespaces"."max_personal_access_token_lifetime",
"namespaces"."push_rule_id",
"namespaces"."shared_runners_enabled",
"namespaces"."allow_descendants_override_disabled_shared_runners",
"namespaces"."traversal_ids",
"namespaces"."organization_id"
FROM "namespaces"
WHERE "namespaces"."type" = 'Group'
AND "namespaces"."id" = <redacted>
LIMIT 1
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86154
Query in !141358 (merged):
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86113
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
No UI changes
How to set up and validate locally
Same as the validation steps in !141358 (merged)
Related to #434291 (closed)
Edited by Radamanthus Batnag