Refactor to pass personal access token scopes in policy code

Radamanthus Batnag requested to merge 434291-refactor-pat-policy-redux into master

What does this MR do and why?

This reintroduces the changes in !141358 (merged) and fixes the issue that caused the query timeouts by using a different method to get the dependency proxy group.

  • Modified Auth::DependencyProxyAuthenticationService to include the PersonalAccessToken's token in the encoded JsonWebToken response
  • Modified the spec helper DependencyProxyHelpers#build_jwt to mirror the change in Auth::DependencyProxyAuthenticationService
  • Modified DependencyProxy::AuthTokenService to extract the token string, and return the matching PersonalAccessToken.
  • Modified Groups::DependencyProxy::ApplicationController to handle PersonalAccessTokens, in addition to Users and DeployTokens.
  • Memoized the token to the instance var @auth_token.
  • Modified DependencyProxy::GroupAccess. If auth_token is present and the user is a group access token user, pass auth_token instead of auth_user to the can?(...) call
  • Created a new policy class, DependencyProxy::GroupPolicy and moved the dependency-proxy specific rules into this class
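The bullet list above describes a token flow in five steps: the PAT's token string rides inside the signed JWT, the auth token service recovers the PersonalAccessToken from it, the controller memoizes it, the access check hands the token rather than the user to can?, and a dedicated policy decides. The following Ruby is an added, self-contained model of that flow written for this page; it is not GitLab's code and does not use GitLab's classes. The HMAC key, the in-memory records, the TOKENS lookup table, the read_registry scope as the one that unlocks the proxy, and the decision to pass any present token (not only a group access token user's) into the policy are all assumptions of the example.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed HMAC key for this example only; nothing here is GitLab's code or configuration.
JWT_SIGNING_KEY = 'example-hmac-key-not-for-production'.freeze

# In-memory stand-ins for the persisted records (assumptions made for this example).
User = Struct.new(:id, keyword_init: true)
PersonalAccessToken = Struct.new(:token, :user, :scopes, :revoked, keyword_init: true) do
  def active?
    !revoked
  end
end
Group = Struct.new(:path, :member_ids, keyword_init: true) do
  def member?(user)
    member_ids.include?(user.id)
  end
end
TOKENS = {} # token string => PersonalAccessToken; stands in for the database lookup

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hs256(signing_input)
  OpenSSL::HMAC.digest('SHA256', JWT_SIGNING_KEY, signing_input)
end

# Authentication step: the JWT carries the PAT's token string next to the user id, so later requests can recover the token and its scopes.
def build_jwt(user:, personal_access_token: nil, ttl: 300)
  header = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = { user_id: user.id, exp: Time.now.to_i + ttl }
  payload[:token] = personal_access_token.token if personal_access_token
  body = b64url(payload.to_json)
  "#{header}.#{body}.#{b64url(hs256("#{header}.#{body}"))}"
end

# Constant-time comparison so the signature check does not leak through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token service step: verify the JWT, then resolve the user and, when the payload names a token, the matching record. Anything that does not verify yields nil.
def decode_auth_token(jwt, users:)
  header, body, sig = jwt.split('.')
  return nil unless header && body && sig
  return nil unless constant_time_equal?(Base64.urlsafe_decode64(sig), hs256("#{header}.#{body}"))
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return nil if payload['exp'].to_i <= Time.now.to_i
  user = users[payload['user_id']]
  return nil unless user
  pat = nil
  if payload.key?('token')
    pat = TOKENS[payload['token']]
    return nil unless pat # a token that no longer exists must not fall back to user-level access
  end
  { user: user, personal_access_token: pat }
rescue ArgumentError, JSON::ParserError
  nil
end

# Dependency-proxy rules in their own policy: a token subject is checked for its scopes, not only its owner's membership. read_registry is the assumed unlocking scope.
module DependencyProxyGroupPolicy
  REQUIRED_SCOPE = 'read_registry'.freeze

  def self.can?(subject, ability, group)
    return false unless ability == :read_dependency_proxy
    case subject
    when PersonalAccessToken
      subject.active? && subject.scopes.include?(REQUIRED_SCOPE) && group.member?(subject.user)
    when User then group.member?(subject)
    else false
    end
  end
end

# Group access step: hand the token to the policy when one is present so its scopes are seen; fall back to the user otherwise.
def authorize_dependency_proxy(auth_user:, auth_token:, group:)
  DependencyProxyGroupPolicy.can?(auth_token || auth_user, :read_dependency_proxy, group)
end

# Constructed walk-through: two tokens owned by the same group member, one with the scope and one without, plus a JWT whose signature segment was altered.
def demo
  alice = User.new(id: 1)
  group = Group.new(path: 'example-group', member_ids: [1])
  full = PersonalAccessToken.new(token: 'pat-example-full', user: alice, scopes: %w[api read_registry], revoked: false)
  narrow = PersonalAccessToken.new(token: 'pat-example-narrow', user: alice, scopes: %w[read_user], revoked: false)
  [full, narrow].each { |t| TOKENS[t.token] = t }
  users = { alice.id => alice }
  results = [full, narrow].to_h do |pat|
    ctx = decode_auth_token(build_jwt(user: alice, personal_access_token: pat), users: users)
    [pat.token, authorize_dependency_proxy(auth_user: ctx[:user], auth_token: ctx[:personal_access_token], group: group)]
  end
  forged = build_jwt(user: alice, personal_access_token: narrow).sub(/\.[^.]+\z/, '.AAAA')
  results[:forged] = decode_auth_token(forged, users: users)
  results
end
```

The point the model makes is the one the MR title states: once the policy receives the PersonalAccessToken instead of its owner, a member's narrowly scoped token is refused access that the same member's session or a read_registry-scoped token would be granted. Two defensive details worth keeping in any real implementation are visible here as well: a payload that names a token which no longer resolves is rejected outright rather than silently downgraded to user-level access, and the signature is compared in constant time.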

Query Analysis

Group.find_by_full_path(params[:group_id], follow_redirects: true)
Query 1
SELECT "routes".* FROM "routes" WHERE "routes"."path" = '<redacted>' LIMIT 1

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86124 (internal)

Query 2
SELECT 
  "namespaces"."id", 
  "namespaces"."name", 
  "namespaces"."path", 
  "namespaces"."owner_id", 
  "namespaces"."created_at", 
  "namespaces"."updated_at", 
  "namespaces"."type", 
  "namespaces"."description", 
  "namespaces"."avatar", 
  "namespaces"."share_with_group_lock", 
  "namespaces"."visibility_level", 
  "namespaces"."request_access_enabled", 
  "namespaces"."description_html", 
  "namespaces"."lfs_enabled", 
  "namespaces"."parent_id", 
  "namespaces"."require_two_factor_authentication", 
  "namespaces"."two_factor_grace_period", 
  "namespaces"."cached_markdown_version", 
  "namespaces"."runners_token", 
  "namespaces"."project_creation_level", 
  "namespaces"."runners_token_encrypted", 
  "namespaces"."auto_devops_enabled", 
  "namespaces"."custom_project_templates_group_id", 
  "namespaces"."file_template_project_id", 
  "namespaces"."ldap_sync_error", 
  "namespaces"."ldap_sync_last_successful_update_at", 
  "namespaces"."ldap_sync_last_sync_at", 
  "namespaces"."ldap_sync_last_update_at", 
  "namespaces"."repository_size_limit", 
  "namespaces"."saml_discovery_token", 
  "namespaces"."shared_runners_minutes_limit", 
  "namespaces"."extra_shared_runners_minutes_limit", 
  "namespaces"."ldap_sync_status", 
  "namespaces"."membership_lock", 
  "namespaces"."last_ci_minutes_notification_at", 
  "namespaces"."last_ci_minutes_usage_notification_level", 
  "namespaces"."subgroup_creation_level", 
  "namespaces"."max_pages_size", 
  "namespaces"."max_artifacts_size", 
  "namespaces"."mentions_disabled", 
  "namespaces"."default_branch_protection", 
  "namespaces"."max_personal_access_token_lifetime", 
  "namespaces"."push_rule_id", 
  "namespaces"."shared_runners_enabled", 
  "namespaces"."allow_descendants_override_disabled_shared_runners", 
  "namespaces"."traversal_ids", 
  "namespaces"."organization_id"
FROM "namespaces" 
WHERE "namespaces"."type" = 'Group' 
AND "namespaces"."id" = <redacted> 
LIMIT 1

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86154

Query in !141358 (merged):

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27605/commands/86113

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

No UI changes 🌈

How to set up and validate locally

Same as the validation steps in !141358 (merged)

Related to #434291

Edited by Radamanthus Batnag