Fix project access token build authentication error
What does this MR do?
After creating a new branch using a project access token, a new pipeline is created that uses the credentials of the bot user associated with the project access token. In this pipeline, jobs would fail with `HTTP Basic: Access denied`. This was because the build job would authenticate with the `CI_JOB_TOKEN` of the bot user instead of with the project access token itself, causing an authentication failure.
This MR introduces an additional check in `lib/gitlab/auth.rb` that tests whether the build user is a project bot and, if so, uses the project access token to authenticate.
More info in the issue; summary of the discussion here: #259665 (comment 435008435). Thorough steps to reproduce the bug are in the issue description, including a simple sample `.gitlab-ci.yml` that neatly causes the error.
Screenshots (strongly suggested)
Before:
(Green avatar is Administrator, brown avatar is the project access token bot)
Admin runs a pipeline. The second step of the pipeline triggers the pipeline to run again, but this time with the project bot as the CI job user. The job fails because `lib/gitlab/auth.rb#build_access_token_check` contains `return unless build.user.can?(:log_in)`, and the early return causes an authentication error:

```
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'http://127.0.0.1:3000/root/test3.git/'
```
After:
(Green avatar is Administrator, yellow avatar is the project access token bot)
Admin runs a pipeline. The second step of the pipeline triggers the pipeline to run again, but this time with the project bot as the CI job user. The job passes because `lib/gitlab/auth.rb#build_token_project_bot_check` checks if the build user is a project bot and uses the bot's credentials to complete the job.

(The latest pipeline is blocked because the second stage requires a manual trigger to prevent infinite pipelines, but if I were to manually trigger it, the pipeline it creates would pass, as shown in the second-to-latest pipeline.)

```
Job succeeded
```
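To make the before/after behaviour concrete, here is a simplified, self-contained Ruby model of the two checks described above. It is an added illustration, not GitLab's own `lib/gitlab/auth.rb`: `FakeUser`, `FakeBuild`, `AuthResult`, the `BUILDS` lookup table and the token strings are all constructed for the example, and the real code resolves builds from the database rather than a hash.

```ruby
# Simplified model of the build-token authentication path this MR changes.
# Constructed for illustration; not GitLab's lib/gitlab/auth.rb.

FakeUser = Struct.new(:username, :project_bot) do
  # Project bots cannot log in interactively, which is what the original
  # `return unless build.user.can?(:log_in)` early return rejected.
  def can?(ability)
    return !project_bot if ability == :log_in
    true
  end

  def project_bot?
    project_bot
  end
end

# A CI build runs as a user, is issued a CI_JOB_TOKEN, and, when it was
# created by a project access token, can be traced back to that token.
FakeBuild  = Struct.new(:user, :job_token, :project_access_token)
AuthResult = Struct.new(:username, :via)

# Constructed sample builds keyed by job token (stands in for the DB lookup).
ADMIN  = FakeUser.new('root', false)
BOT    = FakeUser.new('project_1_bot', true)
BUILDS = {
  'job-token-admin' => FakeBuild.new(ADMIN, 'job-token-admin', nil),
  'job-token-bot'   => FakeBuild.new(BOT, 'job-token-bot', 'pat-constructed-example'),
}.freeze

# Before the fix: the job token is looked up, and any build whose user cannot
# log in is rejected, so the bot's pipeline fails with "HTTP Basic: Access denied".
def build_access_token_check(password)
  build = BUILDS[password]
  return nil unless build
  return nil unless build.user.can?(:log_in)

  AuthResult.new(build.user.username, :job_token)
end

# After the fix: if the build's user is a project bot, authenticate it with the
# project access token that created it instead of hitting the early return.
def build_token_project_bot_check(password)
  build = BUILDS[password]
  return nil unless build && build.user.project_bot?
  return nil if build.project_access_token.nil?

  AuthResult.new(build.user.username, :project_access_token)
end

# Order matters: the bot check runs first; the original check is unchanged,
# so non-bot users keep authenticating exactly as before.
def authenticate_build(password, with_fix: true)
  result = build_token_project_bot_check(password) if with_fix
  result || build_access_token_check(password)
end

if __FILE__ == $PROGRAM_NAME
  p authenticate_build('job-token-bot', with_fix: false) # nil: access denied
  p authenticate_build('job-token-bot')                  # bot via project access token
end
```

Running it with `with_fix: false` reproduces the denial for the bot's job token while the administrator's job token still works; with the fix the bot is authenticated through its project access token, and an unknown token is still rejected on both paths.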
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related to #259665 (closed)