Exhaustively test authentication mechanisms for package manager APIs

What does this MR do?

This MR adds a spec that tests package manager APIs against a matrix of authentication transport mechanisms and credential types. For each package manager, for each supported scope (project, group, and/or instance), one URL is tested. This serves two purposes: it ensures that refactoring doesn't change authentication support, and it ensures that APIs support only the expected authentication methods.

  • Credential types
    • OAuth access token
    • Personal access token
    • CI job token
    • Deploy token
  • Authentication transport mechanisms
    • Headers
      • Authorization, Basic
      • Authorization, Bearer
      • Private-Token
      • Job-Token
      • Deploy-Token
    • Query parameters
      • token
      • access_token
      • bearer_token
      • private_token
      • job_token
      • deploy_token
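As an added illustration of what such a matrix test does (example code, not the MR's spec), the block below enumerates every credential type against every transport mechanism listed above, sends each combination through an injected request function, and reports which combinations were accepted beyond the allowlist. The endpoint policy, the `user` Basic-auth username and the status-code convention are assumptions.

```ruby
require 'base64'

# Credential types and transport mechanisms from the MR description.
CREDENTIALS = %i[oauth pat job deploy].freeze
TRANSPORTS  = %i[basic bearer private_token_header job_token_header deploy_token_header
                 token_param access_token_param bearer_token_param private_token_param
                 job_token_param deploy_token_param].freeze

# Build the headers or query params that carry one credential over one transport.
# The Basic username is a placeholder; :credential is carried along so a stub
# endpoint can tell credential types apart.
def build_request(transport, credential, secret)
  case transport
  when :basic  then { headers: { 'Authorization' => "Basic #{Base64.strict_encode64("user:#{secret}")}" } }
  when :bearer then { headers: { 'Authorization' => "Bearer #{secret}" } }
  when :private_token_header then { headers: { 'Private-Token' => secret } }
  when :job_token_header     then { headers: { 'Job-Token' => secret } }
  when :deploy_token_header  then { headers: { 'Deploy-Token' => secret } }
  else { params: { transport.to_s.sub(/_param\z/, '') => secret } } # token=, access_token=, ...
  end.merge(credential: credential)
end

# Run the full matrix through `perform` (returns an HTTP status) and diff the
# accepted set against `expected`, a list of [transport, credential] pairs.
# Anything in :unexpected is an authentication path the API should not honour.
def audit(expected, &perform)
  accepted = TRANSPORTS.product(CREDENTIALS).select do |transport, credential|
    perform.call(build_request(transport, credential, "secret-#{credential}")) == 200
  end
  { accepted: accepted, unexpected: accepted - expected, missing: expected - accepted }
end

# Constructed stand-in for one endpoint whose policy is "Basic with a PAT only",
# with a simulated regression: it also honours the job_token query parameter
# for every credential type. The audit surfaces exactly that.
STUB_ENDPOINT = lambda do |req|
  headers = req[:headers] || {}
  params  = req[:params] || {}
  return 200 if headers['Authorization'].to_s.start_with?('Basic ') && req[:credential] == :pat
  return 200 if params.key?('job_token') # simulated regression
  401
end

if __FILE__ == $PROGRAM_NAME
  result = audit([[:basic, :pat]], &STUB_ENDPOINT)
  puts "unexpected: #{result[:unexpected].inspect}"
end
```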

Note: The spec does not yet support the Debian repository (because I skipped it).

Note: The spec does not yet check for Conan-specific authentication logic.

Results

The following shows the accepted credential types and transport mechanisms for each package manager API:

Maven NPM Conan NuGet PyPI Composer Generic Go proxy
Authorization: Basic Deploy Deploy PAT, Job, Deploy PAT, Job, Deploy PAT, Job, Deploy OAuth, PAT, Job, Deploy PAT
Authorization: Bearer OAuth, PAT, Job, Deploy OAuth, PAT, Job, Deploy Job OAuth, PAT, Job, Deploy OAuth, PAT OAuth, PAT, Job OAuth, PAT, Job
Private-Token: PAT PAT PAT PAT PAT PAT
Job-Token: Job Job OAuth†, PAT†, Job†, Deploy† Job Job
Deploy-Token: Deploy Deploy Deploy OAuth, PAT, Job, Deploy
token= Job Job OAuth†, PAT†, Job†, Deploy† Job Job
access_token= OAuth, PAT, Job, Deploy OAuth, PAT, Job, Deploy Job OAuth, PAT, Job, Deploy OAuth, PAT OAuth, PAT, Job OAuth, PAT, Job
bearer_token= OAuth, PAT, Job, Deploy OAuth, PAT, Job, Deploy Job OAuth, PAT, Job, Deploy OAuth, PAT OAuth, PAT, Job OAuth, PAT, Job
private_token= PAT PAT PAT PAT PAT PAT
job_token= Job Job OAuth†, PAT†, Job†, Deploy† Job Job
deploy_token= OAuth, PAT, Job, Deploy

† These credential types can be used for the project endpoint but not the group endpoint

Edited by Ethan Reesor