Allow GitlabApiClient to call the new rename endpoint of the registry
Overview
From #420755 (closed), we are now in a good position to use the new rename repository API exposed by the Container Registry to facilitate renaming a project from GitLab Rails.
The Container Registry API endpoint will ONLY allow requests with JWTs that have both pull scopes ({{repository-path}}/*, {{repository-path}}) AND push scope ({{repository-path}}).
But today, GitLab Rails only has JWTs with pull scopes ({{repository-path}}/*, {{repository-path}}). Please see here.
Given this, we want to extend the code such that GitLab Rails can also get the push scope {{repository-path}} to be able to use the new rename repository API.
Once we have this token, we can extend GitlabApiClient to call the new rename API endpoint.
Context
A search for pull_nested_repositories_access_token shows that it is used whenever the requested token type is nested_repositories_token, and this token type is used in three places in ContainerRegistry::GitlabApiClient:
def self.deduplicated_size(path)
  with_dummy_client(token_config: { type: :nested_repositories_token, path: path&.downcase }) do |client|
  ...

def self.one_project_with_container_registry_tag(path)
  with_dummy_client(token_config: { type: :nested_repositories_token, path: path&.downcase }) do |client|
  ...

def self.each_sub_repositories_with_tag_page(path:, page_size: 100, &block)
  with_dummy_client(token_config: { type: :nested_repositories_token, path: path&.downcase }) do |client|
  ...
Given this, it would seem prudent to add another token type for a pull + push token. The existing token type is currently used in operations that are supposed to be read-only, and updating that token to also have write permissions would not be ideal.
After getting the token, we then allow GitlabApiClient to call the rename endpoint, which we will then use in a later issue.
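The scope requirement and the separate token type described above, sketched as an added Ruby example (not GitLab's or the Container Registry's code). The helper names are hypothetical, and the access claim layout assumed here is the Docker registry token format of type/name/actions entries.

```ruby
# Added illustration; helper names are hypothetical, not GitLab's code.
# Assumption: the JWT `access` claim is a list of { type, name, actions }
# entries, as in the Docker registry token format.

def access_entry(name, actions)
  { 'type' => 'repository', 'name' => name, 'actions' => actions }
end

# Read-only claim: pull on the base path and on everything nested under it.
def pull_nested_access(path)
  path = path.downcase
  [access_entry(path, %w[pull]), access_entry("#{path}/*", %w[pull])]
end

# Separate claim for rename: adds push on the base path only, so the
# read-only token above never gains write permissions.
def push_pull_nested_access(path)
  path = path.downcase
  [access_entry(path, %w[pull push]), access_entry("#{path}/*", %w[pull])]
end

# True if the claim grants `action` on exactly `name` (no wildcard expansion).
def grants?(access, name, action)
  access.any? do |entry|
    entry['type'] == 'repository' &&
      entry['name'] == name &&
      entry['actions'].include?(action)
  end
end

# The scope rule stated in the overview for the rename endpoint:
# pull on {{repository-path}}/* and {{repository-path}}, plus push on
# {{repository-path}}.
def rename_allowed?(access, path)
  path = path.downcase
  grants?(access, path, 'pull') &&
    grants?(access, "#{path}/*", 'pull') &&
    grants?(access, path, 'push')
end

SAMPLE_PATH = 'My-Group/My-Project' # constructed sample value

if __FILE__ == $PROGRAM_NAME
  puts "read-only token may rename: #{rename_allowed?(pull_nested_access(SAMPLE_PATH), SAMPLE_PATH)}"
  puts "pull+push token may rename: #{rename_allowed?(push_pull_nested_access(SAMPLE_PATH), SAMPLE_PATH)}"
end
```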
Implementation Plan
- Add a new function in Auth::ContainerRegistryAuthenticationService to return a token with pull and push scopes. Take Auth::ContainerRegistryAuthenticationService.pull_nested_repositories_access_token as an inspiration.
- Add a new class method on ContainerRegistry::GitlabApiClient to call the new rename API endpoint, also allowing for the dry run option.
Relates to #420755 (closed)