Detect fine-grained token and validate classic scopes
What does this MR do and why?
This detects the use of a fine-grained access token when authenticating for github import and warns the user.
It also validates the scopes of a classic token to ensure `repo` and/or `read:org` scopes are present when required.
As Gitea Import also uses the Github Import Controller and Service, these changes are ignored for Gitea imports.
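As an added illustration (not the MR's own code and not GitLab's implementation), the Ruby sketch below shows the two checks described above: classifying the token by GitHub's documented prefixes (`github_pat_` for fine-grained tokens, `ghp_` for classic tokens) and validating a classic token's scopes from the `X-OAuth-Scopes` response header that GitHub returns for classic tokens. The module name, the `check` method, the `import_type` argument used to bypass the checks for Gitea, and the assumption that `repo` is required for every GitHub import are all choices made for this example; the warning and error strings are the ones quoted in the validation steps further down, and the tokens and headers are constructed.

```ruby
require 'set'

# Added illustration, not GitLab's code: token classification and classic-token
# scope validation in front of the GitHub import endpoint.
module GithubTokenCheck
  # GitHub's documented personal access token prefixes
  FINE_GRAINED_PREFIX = 'github_pat_'.freeze
  CLASSIC_PREFIX = 'ghp_'.freeze

  # Messages quoted in the MR's validation steps
  FINE_GRAINED_WARNING = "Your fine-grained personal access token may not support " \
                         "collaborator import. Please use a classic token with " \
                         "'read:org' scope to import collaborators.".freeze
  COLLABORATOR_SCOPE_ERROR = "Your GitHub access token does not have the correct scope " \
                             "to import collaborators. Please use a token with the " \
                             "'read:org' scope.".freeze
  # Constructed message for this example (assumption: repo is always required)
  REPO_SCOPE_ERROR = "Your GitHub access token does not have the 'repo' scope.".freeze

  def self.fine_grained?(token)
    token.to_s.start_with?(FINE_GRAINED_PREFIX)
  end

  # GitHub reports the granted scopes of a classic token in the X-OAuth-Scopes
  # response header as a comma-separated list, e.g. "repo, read:org".
  def self.parse_scopes(header)
    Set.new(header.to_s.split(',').map(&:strip).reject(&:empty?))
  end

  # read:org is also covered by the broader admin:org scope
  def self.collaborator_scope?(scopes)
    scopes.include?('read:org') || scopes.include?('admin:org')
  end

  # Decide what the import endpoint should do.
  # Returns { status: :ok | :warning | :error, message: String or nil }.
  def self.check(token:, scopes_header:, import_type:, collaborators_import:)
    # Gitea imports share the controller and service but get none of these checks
    return { status: :ok, message: nil } unless import_type == 'github'

    # Fine-grained tokens carry no classic scope list we could validate
    # (assumption for this example), so warn and let the import proceed.
    return { status: :warning, message: FINE_GRAINED_WARNING } if fine_grained?(token)

    scopes = parse_scopes(scopes_header)
    return { status: :error, message: REPO_SCOPE_ERROR } unless scopes.include?('repo')

    # read:org is only required when the collaborators stage is requested
    if collaborators_import && !collaborator_scope?(scopes)
      return { status: :error, message: COLLABORATOR_SCOPE_ERROR }
    end

    { status: :ok, message: nil }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed tokens and headers; the rows mirror the demo table in the MR
  [
    ['ghp_classic_example', 'repo, read:org', 'github', true],
    ['ghp_classic_example', 'repo', 'github', true],
    ['github_pat_example', nil, 'github', true],
    ['ghp_classic_example', 'repo', 'gitea', true]
  ].each do |token, header, type, collab|
    puts GithubTokenCheck.check(token: token, scopes_header: header,
                                import_type: type, collaborators_import: collab).inspect
  end
end
```

The shape of `check` matters more than the strings: a fine-grained token yields a warning but never blocks, a classic token without `read:org` blocks only when `collaborators_import` is requested, and a non-GitHub `import_type` short-circuits before any token inspection, which is exactly why the Gitea flow described above stays untouched.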
Demo Videos

| Scenario | Result |
| --- | --- |
| Classic token with `read:org` scope | Successfully imports collaborators |
| Classic token with `read` scope | Returns error when attempting to import collaborators |
| Fine-grained token | Shows a warning that the token may not have sufficient access |
| Gitea Import | Proceeds normally |
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
There are a few things to do here.

For fine-grained tokens

- Test the UI warning by using a fine-grained access token when authenticating with GitHub. You should see the warning in the screenshot below:
- Watch the importer log for fine-grained token use:

  ```shell
  tail -f log/importer.log
  ```

  ```json
  {"feature_category":"importers","import_type":"github","severity":"INFO","time":"2024-02-15T00:40:52.767Z","correlation_id":"29ba256e-2c85-460c-adc3-ed17968dc150","meta.caller_id":"POST /api/:version/import/github","meta.remote_ip":"127.0.0.1","meta.feature_category":"importers","meta.user":"user1","meta.user_id":143,"meta.client_id":"user/143","message":"Fine grained GitHub personal access token used in API request"}
  ```

- Test the API response by doing a POST request to the `import/github` endpoint with a fine-grained token (see example curl request below). There should be a warning in the response, and the event should be logged in the importer log.

  API response:

  ```json
  {"id":956,"name":"repo-101-another-1","full_path":"/carlad-gl-test-group/repo-101-another-1","full_name":"carlad-gl-test-group / repo-101-another-1","refs_url":"/carlad-gl-test-group/repo-101-another-1/refs","warning":"Your fine-grained personal access token may not support collaborator import. Please use a classic token with 'read:org' scope to import collaborators."}
  ```
For scope validation

- Authenticate with a classic token that does not have the correct scopes and observe the warning in the UI:
- Make a POST request to the `import/github` endpoint and observe errors.
  - Set `"optional_stages": { "collaborators_import": true }` in the `--data` block of the request. With a token that has only the `repo` scope, the API response is:

    ```json
    {"errors":"Your GitHub access token does not have the correct scope to import collaborators. Please use a token with the 'read:org' scope."}
    ```

  - Set `"optional_stages": { "collaborators_import": false }` in the `--data` block of the request. With a token that has only the `repo` scope, the response should be success.
  - Set no `optional_stages`. With a token that has only the `repo` scope, the response should be success.
For Gitea imports

Gitea Import uses the same service as GitHub Import. If you don't have a try.gitea.io account set up, DM me in Slack for some credentials.
Initiate a Gitea Import through the UI and observe:
- there is no fine-grained scope warning message on the authentication page
- there is no fine-grained warning or scope validation error on the import page
An example curl request to POST to our `import/github` endpoint, from our docs (note the closing quote of the `--data` argument, which was missing):

```shell
curl --request POST \
  --url "https://gitlab.example.com/api/v4/import/github" \
  --header "content-type: application/json" \
  --header "Authorization: Bearer <your_gitlab_access_token>" \
  --data '{
    "personal_access_token": "<your_github_access_token>",
    "repo_id": "12345",
    "target_namespace": "group/subgroup",
    "new_name": "NEW-NAME",
    "optional_stages": {
      "attachments_import": true,
      "collaborators_import": true
    }
  }'
```
Related to #439110 (closed)