Deploy tokens as API auth method
What does this MR do?
We add `find_user_by_deploy_token` to the API auth flow to allow deploy tokens to be a valid authentication method for specified API endpoints using the new scopes added to deploy tokens in !29383 (merged).
Endpoints with `route_setting :authentication, deploy_token_allowed: true` will be allowed to authenticate using deploy tokens.
This presents a small difficulty because the API relies on the idea that a user is authenticating, or a user is using an authentication method that is associated with them somehow (they created a PAT, they kicked off a job that uses a job token, etc.); however, a deploy token is not associated with a user. It is only associated with a Project or Group. So we needed to allow deploy tokens the ability to behave like a user and respond to many of the same methods. This functionality already somewhat exists in the permissions code. Using `include PolicyActor` would allow you to let a non-user object ask for permissions using `Ability.allowed?`. This adds some additional methods to that concern.
The implementation of deploy tokens as a valid auth method for the API is specifically to allow deploy tokens with new scopes for creating and reading the package APIs (for example, pushing and pulling NPM and Maven packages). This MR adds the functionality for Maven, and other package managers will be handled in subsequent MRs.
Although package APIs are EE, they are starting to be migrated to core, so rather than implement this logic only in EE, I've added it to core so it won't have to be refactored in the next milestone.
What this MR does not do
This MR sets up the authentication to allow deploy tokens to be used for these specific endpoints. The scopes required, `write_package_registry` and `read_package_registry`, are not yet visible in the deploy token form. The next MR will update the frontend and API to allow for these new scopes to be set on deploy tokens. That MR will include the updates to the main deploy token docs to show these new scopes.
As mentioned previously, other package managers will be enabled with deploy token access in other MRs.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related #213566 (closed)
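
Added example, not code from this MR or from GitLab: a simplified Ruby model of the flow the description outlines, where a non-user actor is accepted only on routes that opt in with `deploy_token_allowed` and only when its scope matches. Class, method and route names are hypothetical, the token values are constructed, and the project binding check is an assumption drawn from the statement that a deploy token belongs to a Project or Group.

```ruby
# Simplified model of the described flow; not GitLab's code. Names are
# hypothetical except deploy_token_allowed and the two package scopes.

# A non-user actor that answers the questions a permission check asks a user.
class DeployTokenActor
  attr_reader :project_id, :scopes

  def initialize(project_id:, scopes:, revoked: false, expires_at: nil)
    @project_id = project_id
    @scopes = scopes
    @revoked = revoked
    @expires_at = expires_at
  end

  def active?(now = Time.now)
    !@revoked && (@expires_at.nil? || @expires_at > now)
  end

  # Assumption: a token actor never carries user-level privileges.
  def admin?
    false
  end
end

# Constructed sample tokens, all bound to project 1.
TOKENS = {
  'dt-read' => DeployTokenActor.new(project_id: 1, scopes: [:read_package_registry]),
  'dt-write' => DeployTokenActor.new(project_id: 1, scopes: [:write_package_registry]),
  'dt-revoked' => DeployTokenActor.new(project_id: 1, scopes: [:write_package_registry], revoked: true)
}.freeze

# Per-route settings: deploy tokens are accepted only where explicitly allowed.
ROUTES = {
  'GET /packages/maven' => { deploy_token_allowed: true, scope: :read_package_registry },
  'PUT /packages/maven' => { deploy_token_allowed: true, scope: :write_package_registry },
  'GET /issues' => { scope: :api }
}.freeze

# Returns the actor, or nil when any check fails (default deny).
def authenticate_deploy_token(route, token_value, project_id)
  setting = ROUTES.fetch(route)
  return nil unless setting[:deploy_token_allowed]

  actor = TOKENS[token_value]
  return nil unless actor&.active?
  return nil unless actor.project_id == project_id
  return nil unless actor.scopes.include?(setting[:scope])

  actor
end
```

The route without the opt-in rejects every deploy token regardless of scope, which is the property a reviewer would want covered by tests for each endpoint that is later enabled.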