Can't access subgroups packages with a group deploy token
Summary
Given `group/subgroup/project`:
- a package on the `project`
- a deploy token linked with `group`
- the group level API url with `subgroup`
The deploy token can't get properly authenticated and gets rejected.
This is due to the `group_policy.rb` that will grant the `read_group` permission only for the directly linked group (`group`) but not any of the subgroups.
These requests will fail with an `unauthorized` or `not found` response, depending on how the permission rejection is handled.
Yet, according to the documentation:
> A deploy token created at the group level can be used across all projects that belong either to the specific group or to one of its subgroups.
these requests should be accepted.
Steps to reproduce
1. Create a private group `G`
2. Create a private subgroup `SG`
3. Upload a nuget package to `SG`
4. Create a deploy token for `G`
5. Locally, in a folder, have this `nuget.config` file:
       <?xml version="1.0" encoding="utf-8"?>
       <configuration>
         <packageSources>
           <add key="gitlab" value="http://host/api/v4/groups/<SG_ID>/-/packages/nuget/index.json" />
         </packageSources>
         <packageSourceCredentials>
           <gitlab>
             <add key="Username" value="<deploy_token_username>" />
             <add key="ClearTextPassword" value="<deploy_token_password>" />
           </gitlab>
         </packageSourceCredentials>
       </configuration>
6. Try to pull the package from (3.)
       $ nuget install Package.Deeply.Nested.In.Groups -source gitlab
       Feeds used:
         http://gdk.test:8000/api/v4/groups/118/-/packages/nuget/index.json
       Installing package 'Package.Deeply.Nested.In.Groups' to '/Users/bananas/projects/sandbox/nuget/pullFromGroup'.
       MSBuild auto-detection: using msbuild version '15.0' from '/Library/Frameworks/Mono.framework/Versions/6.12.0/lib/mono/msbuild/15.0/bin'.
       Using credentials from config. UserName: gitlab+deploy-token-3
       The remote server indicated that the previous request was forbidden. Please provide credentials for: http://gdk.test:8000/api/v4/groups/118/-/packages/nuget/index.json
       UserName:
=> the request is rejected with 403 Forbidden
What is the current bug behavior?
- The request is rejected.
What is the expected correct behavior?
- The request should be accepted.
Possible fixes
Credits to @sabrams
- Create a `#has_access_to_group?` function on `GroupDeployToken` similar to this one
- Update the Maven specs to test the urls with `group` and `subgroup` with a deploy token linked to `group`
- Update the Nuget specs to test the urls with `group` and `subgroup` with a deploy token linked to `group`
Edited by David Fernandez
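
As an added illustration (not GitLab's code and not part of the original issue), this Ruby model contrasts the direct-group check described in the summary with a hierarchy-aware `has_access_to_group?` that still denies parents and siblings of the linked group. The `Group` struct, the `revoked` flag, `direct_access_to_group?` and the sample hierarchy are assumptions made for the example.

```ruby
# Added illustration: a minimal model, not GitLab's code. All names are hypothetical.
Group = Struct.new(:name, :parent) do
  # The group itself followed by every ancestor up to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

class GroupDeployToken
  def initialize(groups:, revoked: false)
    @groups = groups    # groups the token is directly linked to
    @revoked = revoked  # assumed flag: a revoked token never authorizes
  end

  # Behaviour described in the report: only the directly linked group matches.
  def direct_access_to_group?(group)
    active? && @groups.include?(group)
  end

  # Documented behaviour: the linked group or any of its subgroups.
  # Walks upward from the requested group, so access never extends to
  # parents or siblings of the linked group.
  def has_access_to_group?(group)
    active? && group.self_and_ancestors.any? { |g| @groups.include?(g) }
  end

  private

  def active?
    !@revoked
  end
end

# Constructed hierarchy: root > g > sg > deep, plus "other" directly under root.
ROOT  = Group.new("root", nil)
G     = Group.new("g", ROOT)
SG    = Group.new("sg", G)
DEEP  = Group.new("deep", SG)
OTHER = Group.new("other", ROOT)
TOKEN = GroupDeployToken.new(groups: [G])
```

Specs for a fix of this kind should cover the denied cases (parent group, sibling group, revoked token) as well as the newly allowed subgroup URLs.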