Skip to content

Unified auth for NuGet package manager

What does this MR do?

Per the discussion on &3807 and !35110 (closed), this MR implements an MVC custom authorization framework for Package Managers.

Package Managers often need custom modes of authentication, beyond the existing GitLab API authentication and authorization schemes. Over time, a variety of helpers and methods have grown up to meet this need, leading to technical debt. The goal of this MR is to provide the beginning (MVC) of a comprehensive solution for custom authentication for API endpoints, in a way that clearly expresses allowed authentication mechanisms and can be shared across all endpoints that need it.

The end result is that every endpoint requiring custom authentication expresses it along the following lines:

authenticate_with do |accept|
    accept.token_types(:personal_access_token, :deploy_token, :job_token)
        .sent_through(:http_basic_auth, :conan_jwt)
end

In the future, allow statements should be usable at the root level of an endpoint, for namespaces, and for single routes, and should encompass all custom authentication. This MVC is the minimal set of changes necessary to migrate NuGet to this new authentication configuration scheme.

Note: This MR makes subtle changes to personal access token and deploy token authentication (for NuGet only), in that the main authentication subsystem ignores the username field for HTTP basic auth, whereas this MR requires that it match the token.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Relates to: #202012 (closed)

Edited by Ethan Reesor

Merge request reports

Loading