
Draft: Check personal access token scopes during dependency proxy authorization

What does this MR do and why?

This adds scope checks for personal access tokens (human users and service account users). In this MR, and with the feature flag packages_dependency_proxy_containers_scope_check turned on, human personal access tokens and service account personal access tokens without the required scopes for the Dependency Proxy will receive a forbidden response on docker login or docker pull.

The changes are behind the feature flag packages_dependency_proxy_containers_scope_check. This flag was added in !136655 (merged) to add scope checks for group access tokens. In this MR, we add scope checks for personal access tokens, also behind this feature flag.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

No UI changes 🌈

How to set up and validate locally

Enable the packages_dependency_proxy_containers_scope_check feature flag on the Rails console:

Feature.enable(:packages_dependency_proxy_containers_scope_check)

Test docker login and docker pull:

docker logout http://gdk.test:3000
docker login gdk.test:3000 -p <token>
docker pull gdk.test:3000/flightjs/dependency_proxy/containers/busybox:latest

# Note down the Image ID of busybox:latest
docker images
# Delete busybox:latest so we can pull it again
docker rmi <image-id-of-busybox-latest>

Test for the following token cases:

  • 1️⃣ A human user personal access token with the read_registry and write_registry scopes
  • 2️⃣ A human user personal access token with the api scope
  • 3️⃣ A human user personal access token with create_runner scope only (make sure it does not have read_registry, write_registry or api scopes)
  • 4️⃣ A service account personal access token with the read_registry and write_registry scopes
  • 5️⃣ A service account personal access token with the api scope
  • 6️⃣ A service account personal access token with the create_runner scope only (make sure it does not have read_registry, write_registry or api scopes)
  • 7️⃣ A group access token with the read_registry and write_registry scopes
  • 8️⃣ A group access token with the api scope
  • 9️⃣ A group access token with the create_runner scope only (make sure it does not have read_registry, write_registry or api scopes)
  • 🔟 A group deploy token with the read_registry and write_registry scopes
  • 1️⃣ 1️⃣ A group deploy token with the read_registry scope only

NOTE: Be sure to supply the correct username for the group deploy tokens

The following cases will encounter a forbidden response with the MR branch, but will be successful with the master branch:

  • 3️⃣
  • 6️⃣
  • 9️⃣
  • 1️⃣ 1️⃣
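As an added illustration (not GitLab's code), the following Ruby models the scope rule that the eleven cases above imply and reproduces which cases are forbidden with the flag on versus off. The rule itself (api, or read_registry plus write_registry), the Token struct and the FeatureFlags stand-in for Feature.enable / Feature.enabled? are assumptions made for this example.

```ruby
require 'set'

# Assumed rule, inferred from the test cases in this MR description (not
# GitLab's implementation): a token may use the Dependency Proxy when it
# carries the `api` scope, or both `read_registry` and `write_registry`.
REQUIRED_PAIR = Set.new(%w[read_registry write_registry]).freeze
FULL_ACCESS = 'api'.freeze
SCOPE_CHECK_FLAG = :packages_dependency_proxy_containers_scope_check
# Every token kind the checklist exercises is modelled the same way.
Token = Struct.new(:kind, :scopes, keyword_init: true)

# Minimal stand-in for Feature.enable / Feature.enabled? on the Rails console.
class FeatureFlags
  def initialize; @enabled = Set.new; end
  def enable(name); @enabled << name; end
  def enabled?(name); @enabled.include?(name); end
end

def scopes_permit_dependency_proxy?(scopes)
  s = Set.new(scopes.map(&:to_s))
  s.include?(FULL_ACCESS) || REQUIRED_PAIR.subset?(s)
end

# Returns :ok or :forbidden, mirroring what docker login / docker pull sees.
# With the flag off this is the master-branch behaviour: no scope check at all.
def authorize_dependency_proxy(token, flags)
  return :ok unless flags.enabled?(SCOPE_CHECK_FLAG)
  scopes_permit_dependency_proxy?(token.scopes) ? :ok : :forbidden
end

# The eleven checklist cases, constructed here to exercise the rule.
MR_CASES = {
  1 => Token.new(kind: :human_pat, scopes: %w[read_registry write_registry]),
  2 => Token.new(kind: :human_pat, scopes: %w[api]),
  3 => Token.new(kind: :human_pat, scopes: %w[create_runner]),
  4 => Token.new(kind: :service_account_pat, scopes: %w[read_registry write_registry]),
  5 => Token.new(kind: :service_account_pat, scopes: %w[api]),
  6 => Token.new(kind: :service_account_pat, scopes: %w[create_runner]),
  7 => Token.new(kind: :group_access_token, scopes: %w[read_registry write_registry]),
  8 => Token.new(kind: :group_access_token, scopes: %w[api]),
  9 => Token.new(kind: :group_access_token, scopes: %w[create_runner]),
  10 => Token.new(kind: :group_deploy_token, scopes: %w[read_registry write_registry]),
  11 => Token.new(kind: :group_deploy_token, scopes: %w[read_registry])
}.freeze

# Case numbers that receive a forbidden response under the given flag state.
def forbidden_case_numbers(flags)
  MR_CASES.select { |_, t| authorize_dependency_proxy(t, flags) == :forbidden }.keys
end
```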

Related to #426887

Edited by Radamanthus Batnag
