Validate JWT issued for moving a project within the same top-level-namespace
Context
Following the investigation conducted in gitlab#388675 (comment 1699410288), we need to be able to validate JWTs that will be used to move a project (and, as a result, all its repositories) from one namespace to another within the same top-level namespace, i.e. `PATCH /gitlab/v1/repositories/:project_path/?dry_run=true|false` with body `{namespace: "new_project_namespace"}`. In the registry, a project move translates to a rename of the namespace of all the repositories under the project path.
For the purpose of this endpoint, a valid token is a JWT issued and signed by the GitLab auth service that grants `push` access to the group that the project is being moved to, as well as full (i.e. `push` and `pull`) access to the project's root repository.
This JWT can only be granted to the Rails backend (hence a move request to the registry can only be processed when Rails is the initiator).
A valid token contains all the access rights required to carry out a repository move in the registry.
For example, a project `my-project` in the group `my-namespace/my-group-1` that is to be transferred to `my-namespace/my-group-2` will need access to both `my-namespace/my-group-2` and the project's root repository `my-namespace/my-group-1/my-project`. This access can be encapsulated in the JWT as follows:
```json
{
  "auth_type": "....",
  "access": [
    {
      "type": "repository",
      "name": "my-namespace/my-group-1/my-project/*",
      "actions": [
        "pull"
      ],
      "meta": {
        "project_path": "my-namespace/my-group-1/my-project"
      }
    },
    {
      "type": "repository",
      "name": "my-namespace/my-group-1/my-project",
      "actions": [
        "pull",
        "push"
      ],
      "meta": {
        "project_path": "my-namespace/my-group-1/my-project"
      }
    },
    {
      "type": "repository",
      "name": "my-namespace/my-group-2/*",
      "actions": [
        "push"
      ],
      "meta": {
        "project_path": "my-namespace/my-group-1/my-project"
      }
    }
  ],
  "jti": "...................",
  "aud": "container_registry",
  "sub": ".....",
  "iss": ".....",
  "iat": .....,
  "nbf": .....,
  "exp": ....
}
```
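As an added illustration (not registry code from this issue), the following Go function applies the rule above to an already-verified token payload: it insists on `pull`+`push` for the project's root repository, `push` for the destination namespace wildcard, a `container_registry` audience, and a destination under the same top-level namespace as the source project. Type names and the function name are assumptions; signature, `exp`/`nbf` and issuer checks are assumed to have happened before this point.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Claim shapes mirror the token body in the issue (Go type names are assumptions);
// the "meta" object plays no part in the decision and is left undecoded.
type ResourceAccess struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}
type MoveClaims struct {
	Aud    string           `json:"aud"`
	Access []ResourceAccess `json:"access"`
}

// ValidateMoveToken takes a JWT payload whose signature, exp/nbf and issuer were already
// verified. It requires pull+push on the project's root repository and push on the destination
// namespace wildcard, and rejects a destination outside the source project's top-level namespace.
func ValidateMoveToken(payload []byte, projectPath, newNamespace string) error {
	var c MoveClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("decoding claims: %w", err)
	}
	if c.Aud != "container_registry" {
		return fmt.Errorf("unexpected audience %q", c.Aud)
	}
	if top := strings.SplitN(projectPath, "/", 2)[0]; strings.SplitN(newNamespace, "/", 2)[0] != top {
		return fmt.Errorf("destination %q is outside top-level namespace %q", newNamespace, top)
	}
	var rootOK, destOK bool
	for _, a := range c.Access {
		// Comma-delimit the action list so "push" cannot match a longer action name by substring.
		acts := "," + strings.Join(a.Actions, ",") + ","
		push, pull := strings.Contains(acts, ",push,"), strings.Contains(acts, ",pull,")
		rootOK = rootOK || (a.Type == "repository" && a.Name == projectPath && push && pull)
		destOK = destOK || (a.Type == "repository" && a.Name == newNamespace+"/*" && push)
	}
	if !rootOK || !destOK {
		return fmt.Errorf("missing grants: root repository=%v, destination namespace=%v", rootOK, destOK)
	}
	return nil
}
```

Note that the wildcard `pull` entry on the project path is accepted but not required by this check; only the two grants the text names are mandatory.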