
go middleware: lower the needed personal access token scope/capability for go get

Edouard Hur requested to merge hekmon/gitlab:go_middleware_scope into master

What does this MR do?

Currently, to go get a private repository we need:

  • a recent Go toolchain, so that go get supports the .netrc file
  • a .netrc file with a 'Personal Access Token' as the password, carrying the api scope in order to match the :read_project capability required by the go middleware

The api scope means the token (which is stored in plain text in the .netrc file) has read/write access to the whole API, while go get only needs to download the code. So why require this scope, as it forces the user to store a read/write token in plain text on their computer?

While looking at the Personal Access Tokens, one would think that only the read_repository scope is needed, as go get only downloads the code. Not sure if this is the best internal ability to use, but I successfully made go get work with only the read_repository scope by replacing the required :read_project capability with the :download_code one.

TL;DR

The go middleware should only need a personal access token with the read_repository scope, not the full read/write API scope.

Screenshots

go get .netrc token should work with only the read_repository scope (screenshot)

Does this MR meet the acceptance criteria?

Conformity

Security

  • Label as security and @ mention @gitlab-com/gl-security/appsec

@gitlab-com/gl-security/appsec Not really security related, but it does relate to authentication for private repos and the go middleware.

Edited by Edouard Hur
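The authorization decision described in this MR, as an added example in Ruby that is not GitLab's own Gitlab::Middleware::Go code: it models a Rack-style check in which go get sends the .netrc credentials as HTTP Basic auth, the token's scopes are mapped to abilities, and the middleware asks for one required ability. Requiring :read_project rejects a read_repository token, while requiring :download_code accepts it. The token table, the GoGet module, the scope-to-ability mapping and the sample token strings are all constructed assumptions for illustration.

```ruby
require 'base64'

# Simplified model of the go-get authorization check discussed in the MR.
# Added illustration, not GitLab's own middleware; names and tables below
# are assumptions.

# Constructed sample tokens, keyed by the plain-text value that would sit
# in ~/.netrc as:  machine gitlab.example.com login alice password <token>
TOKENS = {
  'glpat-api-token'  => { user: 'alice', scopes: [:api] },
  'glpat-read-token' => { user: 'alice', scopes: [:read_repository] },
}.freeze

# Abilities each scope grants in this model (assumption mirroring the MR):
# api covers the whole API, read_repository only allows downloading code.
SCOPE_ABILITIES = {
  api:             [:read_project, :download_code, :write_repository],
  read_repository: [:download_code],
}.freeze

module GoGet
  # Parse the Basic auth header that go get builds from the .netrc entry.
  # Returns [login, password] or nil when the header is missing/malformed.
  def self.basic_credentials(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    return nil unless header.start_with?('Basic ')

    decoded = Base64.strict_decode64(header.sub('Basic ', ''))
    login, password = decoded.split(':', 2)
    return nil if login.nil? || password.nil?

    [login, password]
  rescue ArgumentError
    # strict_decode64 raises on non-base64 input; treat as no credentials
    nil
  end

  # Abilities derived from the scopes of the token presented as password.
  # Unknown tokens get no abilities at all.
  def self.abilities_for(token_value)
    token = TOKENS[token_value]
    return [] unless token

    token[:scopes].flat_map { |s| SCOPE_ABILITIES.fetch(s, []) }.uniq
  end

  # The decision the middleware makes before emitting the go-import <meta>
  # response for a private project. `required` is the ability it asks for:
  # :read_project before this MR, :download_code after it.
  def self.authorized?(env, required:)
    creds = basic_credentials(env)
    return false unless creds

    abilities_for(creds[1]).include?(required)
  end

  # Build the Rack env fragment go get would produce from a .netrc line.
  def self.env_for(user, token)
    { 'HTTP_AUTHORIZATION' => 'Basic ' + Base64.strict_encode64("#{user}:#{token}") }
  end
end

if $PROGRAM_NAME == __FILE__
  read_env = GoGet.env_for('alice', 'glpat-read-token')
  puts "read_repository token, require :read_project  => #{GoGet.authorized?(read_env, required: :read_project)}"
  puts "read_repository token, require :download_code => #{GoGet.authorized?(read_env, required: :download_code)}"
end
```

Because the token lives in plain text in ~/.netrc, the file should be readable only by its owner (chmod 600), and scoping the token down to read_repository as proposed limits what an attacker gains from reading that file to cloning the repositories the user can already see.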
