Unified auth for NuGet package manager
What does this MR do?
Per the discussion on &3807 and !35110 (closed), this MR implements an MVC custom authorization framework for Package Managers.
Package Managers often need custom modes of authentication, beyond the existing GitLab API authentication and authorization schemes. Over time, a variety of helpers and methods have grown up to meet this need, leading to technical debt. The goal of this MR is to provide the beginning (MVC) of a comprehensive solution for custom authentication for API endpoints, in a way that clearly expresses allowed authentication mechanisms and can be shared across all endpoints that need it.
The end result is that every endpoint requiring custom authentication expresses it along the following lines:
```ruby
authenticate_with do |accept|
  accept.token_types(:personal_access_token, :deploy_token, :job_token)
        .sent_through(:http_basic_auth, :conan_jwt)
end
```
In the future, allow statements should be usable at the root level of an endpoint, for namespaces, and for single routes, and should encompass all custom authentication. This MVC is the minimal set of changes necessary to migrate NuGet to this new authentication configuration scheme.
Note: This MR makes subtle changes to personal access token and deploy token authentication (for NuGet only), in that the main authentication subsystem ignores the username field for HTTP basic auth, whereas this MR requires that it match the token.
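To make the declaration above concrete, here is an added, hypothetical minimal version of such a DSL (not the MR's or GitLab's code): `AuthSpec`, `authenticate_with`, the constructed `TOKENS` store and `resolve_basic_auth` are all assumptions. It accepts a token only when its type is declared, HTTP Basic is a declared transport, and the Basic-auth username matches the token, the stricter check the note above describes.

```ruby
require 'base64'
# Hypothetical minimal version of the authenticate_with DSL described above,
# not GitLab's implementation: an endpoint declares the token types it accepts
# and the transports they may arrive through; a resolver checks a request against it.
class AuthSpec
  attr_reader :types, :transports
  def initialize
    @types = []
    @transports = []
  end

  def token_types(*types)
    @types.concat(types)
    self
  end

  def sent_through(*transports)
    @transports.concat(transports)
    self
  end
end

def authenticate_with
  spec = AuthSpec.new
  yield spec
  spec
end
# Declaration in the style the MR describes for NuGet (HTTP Basic only here).
NUGET_SPEC = authenticate_with do |accept|
  accept.token_types(:personal_access_token, :deploy_token, :job_token)
        .sent_through(:http_basic_auth)
end
# Constructed token store: token value => [type, username the token is tied to].
TOKENS = {
  'pat-abc' => [:personal_access_token, 'alice'],
  'deploy-xyz' => [:deploy_token, 'gitlab+deploy-token-1'],
  'job-123' => [:job_token, 'gitlab-ci-token']
}.freeze
# Returns the token type when the token is of a declared type, arrived through a
# declared transport, and the Basic-auth username matches it; nil otherwise.
def resolve_basic_auth(spec, authorization_header)
  return nil unless spec.transports.include?(:http_basic_auth)
  scheme, encoded = authorization_header.to_s.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  username, token = Base64.decode64(encoded).split(':', 2)
  type, expected_user = TOKENS[token]
  return nil unless type && spec.types.include?(type) && username == expected_user
  type
end
```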
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Relates to: #202012 (closed)