
Fix project access token build authentication error

What does this MR do?

After creating a new branch using a project access token, a new pipeline is created that uses the credentials of the bot user associated with the project access token. In this pipeline, jobs would fail with "HTTP Basic: Access denied". This was because the build job would authenticate with the CI_JOB_TOKEN of the bot user instead of with the project access token itself, causing an authentication failure.

This MR introduces an additional check in lib/gitlab/auth.rb that tests whether the build user is a project bot and, if so, uses the project access token to authenticate.

More info is in the issue; a summary of the discussion is here: #259665 (comment 435008435). Thorough steps to reproduce the bug are in the issue description, including a simple sample .gitlab-ci.yml that reliably triggers the error.

Screenshots (strongly suggested)

Before:

(Green avatar is Administrator, brown avatar is the project access token bot)

Admin runs a pipeline. The second step of the pipeline triggers the pipeline to run again, but this time with the project bot as the CI job user. The job fails because lib/gitlab/auth.rb#build_access_token_check: return unless build.user.can?(:log_in) and the early return causes an authentication error.


remote: HTTP Basic: Access denied
fatal: Authentication failed for 'http://127.0.0.1:3000/root/test3.git/'

After:

(Green avatar is Administrator, yellow avatar is the project access token bot)

Admin runs a pipeline. The second step of the pipeline triggers the pipeline to run again, but this time with the project bot as the CI job user. The job passes because lib/gitlab/auth.rb#build_token_project_bot_check checks if the build user is a project bot and uses the bot's credentials to complete the job.

(The latest pipeline is blocked because the second stage requires a manual trigger to prevent infinite pipelines, but if I were to trigger it manually, the pipeline it creates would pass, as shown in the second-to-latest pipeline.)


Job succeeded
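To make the before/after difference concrete, here is a simplified, self-contained model of the two checks described above. It is an added illustration, not GitLab's code: the BuildAuth class, the User/Build/AccessToken structs and the constructed tokens are assumptions; only the two method names come from the MR.

```ruby
# Hypothetical, simplified model of the build-token auth path (not GitLab's lib/gitlab/auth.rb).
User = Struct.new(:username, :project_bot, keyword_init: true) do
  def project_bot?; project_bot; end
  # Project bots are not allowed to log in; this is what tripped the early return.
  def can_log_in?; !project_bot; end
end

Build = Struct.new(:token, :user, keyword_init: true)
AccessToken = Struct.new(:token, :user, :scopes, :active, keyword_init: true)

class BuildAuth
  Result = Struct.new(:actor, :type, :abilities)

  def initialize(builds:, access_tokens:)
    @builds = builds.to_h { |b| [b.token, b] }        # CI_JOB_TOKEN -> build
    @access_tokens = access_tokens.group_by(&:user)    # bot user -> its project access tokens
  end

  # Old behaviour: refuse any build whose user cannot log in, which includes project bots.
  def build_access_token_check(password)
    build = @builds[password] or return nil
    return nil unless build.user.can_log_in?
    Result.new(build.user, :build, [:read_repo, :write_repo])
  end

  # New check: a project bot's build is honoured through the bot's active project access token,
  # limited to that token's scopes.
  def build_token_project_bot_check(password)
    build = @builds[password] or return nil
    return nil unless build.user.project_bot?
    token = @access_tokens.fetch(build.user, []).find(&:active) or return nil
    abilities = token.scopes.include?('write_repository') ? [:read_repo, :write_repo] : [:read_repo]
    Result.new(build.user, :project_access_token, abilities)
  end

  # Auth chain: the legacy check first, then the project-bot fallback.
  def authenticate(password)
    build_access_token_check(password) || build_token_project_bot_check(password)
  end
end
```

A revoked or missing project access token still yields nil, so the bot gains nothing beyond what its token grants.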

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #259665 (closed)

Edited by Serena Fang
