Draft: Start logging authorizations made by CI_JOB_TOKEN
What does this MR do and why?
This is POC to log and display permissions needed by CI_JOB_TOKEN to run a pipeline.
This MR will be split into multiple smaller MRs once ready.
It is WIP
Right now it can do:
- logs authorizations made by a ci token
- retrieve all the permissions for a pipeline/build using a graphql endpoint
Things that need to be added to made it ready to merge:
- add specs
- create services & finders how they should be
- add validations, authorizations, make sure it does not fail
Things to discuss (besides the basic question: "Is this the right approach?")
- log only unique permissions per build?
- store the logs in the database?
- modules / naming
- should we log only successful permission checks (= permission allowed = true) or also the restricted authorizations (that could make the debugging for users easier)
- ...
The work is under log_ci_job_authorizations FF
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Example of the detected permission checks
How to set up and validate locally
- Setup a runner for your gdk
- Enable FF for this experiment
Feature.enable(:log_ci_job_authorizations) - Add a
.gitlab-ci.ymlfile for one project (see example below)
Example
stages:
- test
test-curl:
stage: test
script:
- 'curl --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "http://gdk.test:3000/api/v4/projects/$CI_PROJECT_ID/environments"'- You can also test multi-project pipelines, in that case, add
.gitlab-ci.ymlfile for another project (again, example below)
Example
before_script:
- gem install bundler
stages:
- just-bundle
- external
bundle:
stage: just-bundle
script:
- bundle install
external-test:
stage: external
trigger:
project: flightjss/ci-pipeline-test- Wait for pipelines to finish
- Check the permission checks
Edited by Jarka Košanová