Modify /jwt/auth endpoint for registry tag protection feature
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/499874.
The rationale behind the changes in this MR is described in detail here. These changes sit behind a new feature flag (https://gitlab.com/gitlab-org/gitlab/-/issues/505455+).
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
- https://gitlab.com/gitlab-org/gitlab/-/issues/499874
- https://gitlab.com/groups/gitlab-org/-/epics/15608#jwt-auth
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Not applicable as the corresponding frontend changes (https://gitlab.com/gitlab-org/gitlab/-/issues/499871) are not yet implemented.
How to set up and validate locally
We'll assume that you have a gitlab-org/gitlab-test project in your GDK, and a PAT from a user with the Owner role with read/write registry permissions. Set the CR_PAT environment variable to the PAT value and CR_USER to the username.
For these tests I'm going to use the jq and jwt CLI tools to facilitate parsing the output of requests. Adjust the curl commands if you don't want to use them (in which case you'll have to manually parse and decode the tokens).
- First make a test with the FF disabled (default). To do so we need to obtain a token from the /jwt/auth endpoint:

  ```shell
  curl -s -u "$CR_USER:$CR_PAT" \
    -G \
    --data-urlencode "service=container_registry" \
    --data-urlencode "scope=repository:gitlab-org/gitlab-test:pull,push" \
    http://gdk.test:3000/jwt/auth | jq -r '.token' | jwt decode -j - | jq -r '.payload.access'
  ```

  ```json
  [
    {
      "actions": ["pull", "push"],
      "meta": {
        "project_id": 2,
        "project_path": "gitlab-org/gitlab-test",
        "root_namespace_id": 24
      },
      "name": "gitlab-org/gitlab-test",
      "type": "repository"
    }
  ]
  ```

  Note that there is no meta.tag_deny_access_patterns key.

- Now let's enable the FF for our project in the Rails console:

  ```ruby
  project = Project.find_by_full_path 'gitlab-org/gitlab-test'
  Feature.enable(:container_registry_protected_tags, project)
  ```

- Repeat the request. You should see exactly the same output as there are no configured rules for this project.

- Now let's create some rules:

  ```ruby
  project.container_registry_protection_tag_rules.create(tag_name_pattern: 'latest', minimum_access_level_for_push: Gitlab::Access::MAINTAINER, minimum_access_level_for_delete: Gitlab::Access::MAINTAINER)
  project.container_registry_protection_tag_rules.create(tag_name_pattern: 'precious', minimum_access_level_for_push: Gitlab::Access::OWNER, minimum_access_level_for_delete: Gitlab::Access::OWNER)
  ```

- Repeat the request. You should see:

  ```json
  [
    {
      "actions": ["pull", "push"],
      "meta": {
        "project_id": 2,
        "project_path": "gitlab-org/gitlab-test",
        "root_namespace_id": 24,
        "tag_deny_access_patterns": {
          "push": []
        }
      },
      "name": "gitlab-org/gitlab-test",
      "type": "repository"
    }
  ]
  ```

  Note the meta.tag_deny_access_patterns object is now present, and the empty push array within, even though our user (as an admin) has no tag restrictions.

- Now set the CR_USER and CR_PAT variables to a username/PAT of a user with the Developer role in this project.

- Repeat the request. You should see:

  ```json
  [
    {
      "actions": ["pull", "push"],
      "meta": {
        "project_id": 2,
        "project_path": "gitlab-org/gitlab-test",
        "root_namespace_id": 24,
        "tag_deny_access_patterns": {
          "push": ["latest", "precious"]
        }
      },
      "name": "gitlab-org/gitlab-test",
      "type": "repository"
    }
  ]
  ```

- Promote the user to Maintainer in this project, and then repeat the request. We can also test the delete action:

  ```shell
  curl -s -u "$CR_USER:$CR_PAT" \
    -G \
    --data-urlencode "service=container_registry" \
    --data-urlencode "scope=repository:gitlab-org/gitlab-test:pull,push,delete" \
    http://gdk.test:3000/jwt/auth | jq -r '.token' | jwt decode -j - | jq -r '.payload.access'
  ```

  ```json
  [
    {
      "actions": ["pull", "push", "delete"],
      "meta": {
        "project_id": 2,
        "project_path": "gitlab-org/gitlab-test",
        "root_namespace_id": 24,
        "tag_deny_access_patterns": {
          "delete": ["precious"],
          "push": ["precious"]
        }
      },
      "name": "gitlab-org/gitlab-test",
      "type": "repository"
    }
  ]
  ```
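To make the role-versus-rule comparison behind the outputs above explicit, here is an added Ruby model of how meta.tag_deny_access_patterns can be derived for a requested action set. It is not the MR's code; it is inferred from the observed outputs, the Access constants mirror the numeric values of Gitlab::Access, and the helper names and TagRule struct are assumptions.

```ruby
# Added example, not code from the MR: reconstructs the deny-pattern logic
# observed in the /jwt/auth outputs (rules vs. requesting user's role).
require 'json'

# Mirrors the numeric values of Gitlab::Access for the roles used here.
module Access
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50
end

# Assumed shape of a tag protection rule (same attributes as created in the Rails console above).
TagRule = Struct.new(:tag_name_pattern, :minimum_access_level_for_push,
                     :minimum_access_level_for_delete, keyword_init: true)

# Constructed sample rules, identical to the two created in the validation steps.
RULES = [
  TagRule.new(tag_name_pattern: 'latest',   minimum_access_level_for_push: Access::MAINTAINER, minimum_access_level_for_delete: Access::MAINTAINER),
  TagRule.new(tag_name_pattern: 'precious', minimum_access_level_for_push: Access::OWNER,      minimum_access_level_for_delete: Access::OWNER)
].freeze

# Only push and delete are tag-protected; pull is never restricted by these rules.
PROTECTED_ACTIONS = %w[push delete].freeze

# Returns a hash keyed by each requested protected action, listing the patterns the
# user may NOT act on, or nil when the FF is off or the project has no rules
# (which is why steps 1 and 3 above show no tag_deny_access_patterns key).
def tag_deny_access_patterns(rules:, actions:, access_level:, admin: false, feature_enabled: true)
  return nil unless feature_enabled && rules.any?

  (actions & PROTECTED_ACTIONS).each_with_object({}) do |action, deny|
    minimum = :"minimum_access_level_for_#{action}"
    # Admins bypass every rule; everyone else is denied when below the rule's minimum.
    denied = rules.select { |rule| !admin && access_level < rule.public_send(minimum) }
    deny[action] = denied.map(&:tag_name_pattern)
  end
end

# Builds one entry of the token's "access" claim, in the shape shown in the outputs above.
def access_entry(project_path:, actions:, access_level:, admin: false, feature_enabled: true, rules: RULES)
  meta = { 'project_path' => project_path }
  deny = tag_deny_access_patterns(rules: rules, actions: actions, access_level: access_level,
                                  admin: admin, feature_enabled: feature_enabled)
  meta['tag_deny_access_patterns'] = deny if deny
  { 'actions' => actions, 'meta' => meta, 'name' => project_path, 'type' => 'repository' }
end

# Maintainer requesting pull, push and delete: only 'precious' (Owner-only) is denied.
puts JSON.pretty_generate(access_entry(project_path: 'gitlab-org/gitlab-test',
                                       actions: %w[pull push delete], access_level: Access::MAINTAINER))
```

Run it with the Developer and Owner/admin levels to reproduce the other two outputs shown in the steps above.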
Activity
- assigned to @jdrpereira
- added devops::package, group::container registry, section::ci, type::feature labels
- added pipeline::tier-1 label
- A deleted user added backend label
9 Warnings
- 834d371e: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines.
- 3b96dc58: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 85d40d2c: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 6be6f881: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- d5d2ec35: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 84f2c56d: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 35c8155b: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 830ff5d1: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- feature::addition and feature::enhancement merge requests normally have a documentation change. Consider adding a documentation update or confirming the documentation plan with the Technical Writer counterpart.
For more information, see:
- The Handbook page on merge request types.
- The definition of done documentation.
1 Message
- CHANGELOG missing: If this merge request needs a changelog entry, add the Changelog trailer to the commit message you want to add to the changelog. If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
Reviewer roulette

| Category | Reviewer | Maintainer |
|---|---|---|
| backend | @rliu-gl (UTC-5, 5 hours behind author) | @harsimarsandhu (UTC+5.5, 5.5 hours ahead of author) |
| database | @acroitor (UTC+2, 2 hours ahead of author) | @ahegyi (UTC+1, 1 hour ahead of author) |
| group::authentication | Reviewer review is optional for group::authentication | @dblessing (UTC-6, 6 hours behind author) |
Please refer to the documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Edited by Ghost User
- added 483 commits
  - 134ece27...a32c7f57 - 480 commits from branch master
  - 387380d5 - Modify registry JWT
  - 0f45e560 - Fix path arg
  - cc8f2aa2 - Split push/delete patterns
- added 1996 commits
  - cc8f2aa2...f051afac - 1993 commits from branch master
  - e71d74c5 - Modify registry JWT
  - 864479fc - Fix path arg
  - 04b50e34 - Split push/delete patterns
- added 582 commits
  - 04b50e34...744589f6 - 579 commits from branch master
  - 2a92c068 - Modify registry JWT
  - 4a2dea6a - Fix path arg
  - 84e5e220 - Split push/delete patterns
- added 1990 commits
  - 84e5e220...90931360 - 1986 commits from branch master
  - f0ef9af0 - Modify registry JWT
  - 3b3a7bdf - Fix path arg
  - 7b6749b3 - Split push/delete patterns
  - 7fd8dc2a - Refactor and add simple tests
- A deleted user added feature flag label
- added 2 commits