Fix bugs in accessing CI job token authentication logs and allowlist

Why this MR?

  • To fix this issue - #507309 (closed)
  • There is a bug where a user viewing the CI/CD job token authentication logs of a project, when those logs contain entries from projects the user cannot access, gets the GraphQL error "Cannot return null for non-nullable field CiJobTokenAuthLog.originProject". Because the field is non-nullable, this single inaccessible entry prevents the user from seeing any of the project's CI/CD job token authentication logs.
  • The same root cause means a user CANNOT see all the projects in the CI/CD job token allowlist: allowlist entries for projects the current user cannot access are silently omitted even though they are present in the allowlist.

What does this MR do?

  • We add a basic, minimal project GraphQL type, Types::Ci::JobTokenAccessingProjectType. This new type has NO authorization check and exposes only the minimal set of fields needed to render the auth log and allowlist tables: id, name, path, fullPath, webUrl and avatarUrl.
  • We use the new minimal type JobTokenAccessingProjectType instead of the main ProjectType in the following three places:
    • The sourceProject GraphQL field in Types::Ci::JobTokenAuthLogType, so that auth logs from inaccessible projects can be displayed.
    • The inboundAllowlist GraphQL field in Types::Ci::JobTokenScope, so that inaccessible projects in the allowlist are displayed.
    • The target field in Types::Ci::JobTokenScope -> Ci::JobTokenScope::TargetType -> ProjectType. This is a fix in advance: in the near future JobTokenScope.inboundAllowlist will be replaced with Types::Ci::JobTokenScope::AllowlistEntryType. For more details see this thread discussion.
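The following plain-Ruby model is an added example and is not GitLab's code. It mimics the two code paths this MR contrasts: an authorized project type that resolves to nil (and therefore trips the non-null error) or silently drops entries, versus a minimal type with no authorization check that serialises only an explicit allowlist of attributes. The Project struct, the user names, the membership-based authorization stand-in, the sample log and allowlist data, and the "sensitive" field names are all constructed assumptions for illustration.

```ruby
# Added example, not GitLab's code: a plain-Ruby model of the two code paths
# the MR describes. Everything below (Project struct, users, membership-based
# authorization, sample data, sensitive field names) is constructed.

Project = Struct.new(:id, :name, :path, :full_path, :web_url, :avatar_url,
                     :description, :visibility, :members, keyword_init: true)

# The only attributes the minimal JobTokenAccessingProjectType exposes.
ACCESSING_PROJECT_FIELDS = %i[id name path full_path web_url avatar_url].freeze

# Attributes a full ProjectType would expose but the minimal type must never
# serialise (assumed names, chosen to make the leak check concrete).
SENSITIVE_PROJECT_FIELDS = %i[description visibility members].freeze

# Stand-in for project read authorization: only members may read a project.
def can_read_project?(user, project)
  project.members.include?(user)
end

class GraphqlNonNullViolation < StandardError; end

def project_fields(project, fields)
  fields.to_h { |f| [f, project[f]] }
end

# Original path: the authorized ProjectType resolves to nil for a project the
# viewer cannot read; on a non-nullable field that nil becomes an error that
# takes the whole result down.
def origin_project_via_project_type(user, project)
  unless can_read_project?(user, project)
    raise GraphqlNonNullViolation,
          'Cannot return null for non-nullable field CiJobTokenAuthLog.originProject'
  end

  project_fields(project, ACCESSING_PROJECT_FIELDS + SENSITIVE_PROJECT_FIELDS)
end

# Fixed path: no authorization check, but only the explicit allowlist of
# attributes is serialised, whatever else the Project record carries.
def origin_project_via_accessing_project_type(project)
  project_fields(project, ACCESSING_PROJECT_FIELDS)
end

# Auth log rows as the UI receives them. minimal: false reproduces the bug,
# minimal: true is the MR's behaviour.
def render_auth_logs(user, logs, minimal:)
  logs.map do |log|
    origin = if minimal
               origin_project_via_accessing_project_type(log[:origin_project])
             else
               origin_project_via_project_type(user, log[:origin_project])
             end
    { last_authorized_at: log[:last_authorized_at], origin_project: origin }
  end
end

# Same root cause, different symptom: a list of authorized ProjectType entries
# silently drops what the viewer cannot read, so the allowlist looks shorter
# than it is. The minimal type renders every entry.
def render_inbound_allowlist(user, projects, minimal:)
  if minimal
    projects.map { |p| origin_project_via_accessing_project_type(p) }
  else
    projects.select { |p| can_read_project?(user, p) }
            .map { |p| origin_project_via_project_type(user, p) }
  end
end

# Regression guard for the minimal type: nothing outside the allowlist leaks.
def minimal_type_leaks?(rendered_projects)
  rendered_projects.any? { |fields| (fields.keys - ACCESSING_PROJECT_FIELDS).any? }
end

# Constructed data mirroring the reproduction steps: user A has been removed
# from user B's Target Project, which accessed A's Source Project earlier.
USER_A = 'user_a'
USER_B = 'user_b'
TARGET_PROJECT = Project.new(
  id: 2, name: 'Target Project', path: 'target-project',
  full_path: 'user_b/target-project',
  web_url: 'https://gitlab.example/user_b/target-project', avatar_url: nil,
  description: 'internal notes', visibility: 'private', members: [USER_B]
)
AUTH_LOGS = [{ last_authorized_at: '2025-01-21T13:11:07Z',
               origin_project: TARGET_PROJECT }].freeze
INBOUND_ALLOWLIST = [TARGET_PROJECT].freeze

if __FILE__ == $PROGRAM_NAME
  begin
    render_auth_logs(USER_A, AUTH_LOGS, minimal: false)
  rescue GraphqlNonNullViolation => e
    puts "before: #{e.message}"
  end
  before = render_inbound_allowlist(USER_A, INBOUND_ALLOWLIST, minimal: false)
  puts "before: allowlist shows #{before.size} of #{INBOUND_ALLOWLIST.size}"
  after = render_auth_logs(USER_A, AUTH_LOGS, minimal: true)
  puts "after:  log origin #{after.first[:origin_project][:full_path]}"
end
```

The caveat a reviewer would keep in mind: the minimal type deliberately reveals the id, name and path of projects the viewer cannot otherwise read, so every field later added to it should be judged against that bar, and a leak check like minimal_type_leaks? is a cheap way to keep the exposed set pinned to the six fields the MR lists.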

References

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots

Before: Screenshot_2025-01-21_at_13.11.07, before_2. After: Screenshot_2025-01-23_at_13.26.23, after_one.

How to set up and validate locally

  1. You need two users, user A and user B, to reproduce this scenario.
  2. Log in as user A, create a project called Source Project and give Maintainer access to user B.
  3. Log in as user B, create a project called Target Project and give Maintainer access to user A.
  4. In the Source Project, allow the Target Project (user B's project) to access the CI/CD job token by following the docs.
  5. In the Target Project, create a new pipeline with a job that clones the Source Project, following the docs.
  6. Run the Target Project pipeline. This creates an authentication log entry in the Source Project for the access from the Target Project.
  7. Log in as user B and remove user A's access to the Target Project.
  8. Log in as user A and visit the job token authentication logs section (see docs).
  9. You see the error mentioned in the issue. You can also see that the now-inaccessible Target Project is missing from the allowlist although it is still in it.
  10. Check out this branch and reload the same page: the error is gone, and the authentication logs and allowlist are displayed correctly, including the inaccessible project.