Add -protected suffix to docker cache volumes if any of the cache keys include the -protected suffix

This MR extends the fix from [docker] Separate cache volumes for builds agai... (!5773 - merged) to close the loop on https://gitlab.com/gitlab-org/gitlab/-/work_items/494478+

The latter describes an attack where the protected cache can be poisoned by a malicious actor. The fix there, which was implemented in rails, is to separate the cache for users with maintainer and greater permission from those with developer and less permissions. The latter group is treated the same way as a protected ref (which is sane, since typically only that group can run pipelines on protected refs), which is to add the `-protected` suffix to cache keys. In other words, pipeline caches now get the `-protected` suffix when the reference they run against is protected OR when the user that started the pipeline (or more correctly the CI job) has maintainer or above access. Anyway, that was all implemented in rails.

This change here just keeps the fix made in [docker] Separate cache volumes for builds agai... (!5773 - merged) consistent with the new behaviour, which is to add the `-protected` suffix to the docker volume hosting the cache when the ref is protected or the cache key includes the `-protected` suffix.

I've also added an integration test for all cases that result in a protected-suffixed docker cache volume.

Testing

Run the added integration test, or, if you want to test manually, configure the docker executor with a cache, create a CI job with a cache, and run the job on a non-protected branch. If you run it as a maintainer, the docker cache volume will have the `-protected` suffix. If you run it as a developer, the docker cache volume will NOT have the `-protected` suffix.

```toml
...
[[runners]]
  ...
  executor = "docker"
  [runners.docker]
    volumes = [
        "/cache",
    ]
```

```yaml
stages:
  - test

test:
  stage: test
  image: alpine:latest
  script:
    - mkdir foo
    - echo "hello world" | tee -a foo/bar.txt
  cache:
    key: blammo
    paths:
      - foo
```
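The volume-naming rule this MR describes (suffix the docker cache volume when the ref is protected or any cache key already carries `-protected`), as an added Go example that is not gitlab-runner's own code: the `CacheInput` struct, the base volume name format and the sample cases are assumptions made here to mirror the manual test above.

```go
package main

import (
	"fmt"
	"strings"
)

// Suffix Rails appends to cache keys of protected refs and of jobs
// started by users with maintainer or higher access.
const protectedSuffix = "-protected"
// CacheInput is an illustrative struct, not gitlab-runner's own type.
type CacheInput struct {
	RefProtected bool     // job runs against a protected ref
	CacheKeys    []string // cache keys as delivered by Rails
}
// needsProtectedVolume: the docker cache volume must carry the suffix
// when the ref is protected OR any cache key already ends in it.
func needsProtectedVolume(in CacheInput) bool {
	if in.RefProtected {
		return true
	}
	for _, k := range in.CacheKeys {
		if strings.HasSuffix(k, protectedSuffix) {
			return true
		}
	}
	return false
}

// cacheVolumeName appends the suffix to a base volume name (hypothetical
// format) so developer-level jobs never share a volume with protected ones.
func cacheVolumeName(base string, in CacheInput) string {
	if needsProtectedVolume(in) {
		return base + protectedSuffix
	}
	return base
}

func main() {
	// Constructed cases mirroring the manual test: cache key "blammo" on an
	// unprotected branch, started by a maintainer vs. a developer.
	cases := map[string]CacheInput{
		"protected ref":           {RefProtected: true, CacheKeys: []string{"blammo"}},
		"maintainer, unprotected": {CacheKeys: []string{"blammo-protected"}},
		"developer, unprotected":  {CacheKeys: []string{"blammo"}},
	}
	for label, in := range cases {
		fmt.Printf("%-24s -> %s\n", label, cacheVolumeName("runner-cache-example", in))
	}
}
```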
Edited by Axel von Bertoldi
