Personal and Group access token support for new virtual registry scopes

What does this MR do and why?

When authenticating personal access tokens and group access tokens for dependency proxy for containers, accept tokens that have the virtual registry scopes read_virtual_registry and write_virtual_registry.

References

#336800 (closed)

Screenshots or screen recordings

NA

How to set up and validate locally

🧰 Setup

Permissions for Dependency Proxy for Containers are set at the group level. You'll need a group and a user that has at least guest access to the group. The example commands here use the Flightjs group, http://gdk.test:3000/flightjs (group ID 33).

Prepare a personal access token with only the read_virtual_registry and write_virtual_registry scopes. Prepare a group access token with only the read_virtual_registry and write_virtual_registry scopes.

🔬 Tests

Log in using the personal access token

docker login gdk.test:3000/33/dependency_proxy/containers -u root

Paste the personal access token when prompted for the password.

Expected result on the MR branch: Login Succeeded

rad@rbatnag--20230104-VWDXG ~/p/t/depproxytest (master)> docker login gdk.test:3000/33/dependency_proxy/containers -u root
Password: 
WARNING! Your password will be stored unencrypted in /Users/rad/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Expected result on the master branch

Error response from daemon: Get "http://gdk.test:3000/v2/": error parsing HTTP 403 response body: no error details found in HTTP response body: "{\"message\":\"access forbidden\",\"status\":\"error\",\"http_status\":403}"

On the MR branch, also verify that docker pull works:

docker pull gdk.test:3000/flightjs/dependency_proxy/containers/busybox:latest

After pulling, delete the image so that we can use the same commands for testing the group access token.

docker rmi gdk.test:3000/flightjs/dependency_proxy/containers/busybox

Log in using the group access token

docker login gdk.test:3000/33/dependency_proxy/containers -u root

Paste the group access token when prompted for the password.

Expected result on the MR branch: Login Succeeded

rad@rbatnag--20230104-VWDXG ~/p/t/depproxytest (master)> docker login gdk.test:3000/33/dependency_proxy/containers -u root
Password: 
WARNING! Your password will be stored unencrypted in /Users/rad/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Expected result on the master branch

Error response from daemon: Get "http://gdk.test:3000/v2/": error parsing HTTP 403 response body: no error details found in HTTP response body: "{\"message\":\"access forbidden\",\"status\":\"error\",\"http_status\":403}"

On the MR branch, also verify that docker pull works:

docker pull gdk.test:3000/flightjs/dependency_proxy/containers/busybox:latest

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #336800 (closed)

Edited by Radamanthus Batnag
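
Both login transcripts above show Docker warning that the pasted token is stored unencrypted in config.json. The following is an added example, not part of the merge request: it lists which registry entries in a Docker config hold an inline credential, so the test tokens can be cleaned up with docker logout or revoked after validation. The sample config, its gdk.test:3000 key, and the function names are constructed for illustration.

```python
import base64
import json
import sys


def audit_docker_config(config_text):
    """Report inline (base64-only) registry credentials in a Docker config.json."""
    config = json.loads(config_text)
    inline = {}
    for registry, entry in config.get("auths", {}).items():
        encoded = entry.get("auth")
        if not encoded:
            # Empty entry: the secret is held by a credential helper, not this file.
            continue
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            inline[registry] = "<undecodable auth value>"
            continue
        # "auth" is base64("username:secret"); report the username only.
        username, _, _secret = decoded.partition(":")
        inline[registry] = username
    return {
        "creds_store": config.get("credsStore"),    # global helper, if any
        "cred_helpers": config.get("credHelpers", {}),  # per-registry helpers
        "inline": inline,
    }


def sample_config():
    # Constructed sample: the token is a placeholder, not a real credential.
    auth = base64.b64encode(b"root:PLACEHOLDER-TOKEN").decode("ascii")
    return json.dumps({
        "auths": {
            "gdk.test:3000": {"auth": auth},   # assumed key for the GDK host
            "registry.example.com": {},         # entry backed by a helper
        }
    })


if __name__ == "__main__":
    # Pass a path (e.g. ~/.docker/config.json) or run with the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_config()
    report = audit_docker_config(text)
    print("credsStore:", report["creds_store"] or "none configured")
    for registry, user in report["inline"].items():
        print(f"inline credential: {registry} (user {user}); run: docker logout {registry}")
```
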
