go middleware: lower the needed personal access token scope/capability for go get
What does this MR do?
Currently, to `go get` a private repository we need:
- a recent Go toolchain, so that `go get` supports the `.netrc` file
- a `.netrc` file with a Personal Access Token as the password, with the `api` scope in order to match the `:read_project` capability in the go middleware
The `api` scope means the token (which is stored in plain text in the `.netrc` file) has read/write access to the whole API, while `go get` only needs to download the code. So why require this scope, when it forces the user to store a read/write token in plain text on their computer?
Looking at the Personal Access Token scopes, one would think that only `read_repository` is needed, as `go get` only downloads the code. I am not sure this is the best internal ability to use, but I successfully made `go get` work with only the `read_repository` scope by replacing the required `:read_project` capability with `:download_code`.
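To make the privilege difference concrete, here is an added Ruby model (constructed for this description, not GitLab's middleware code) of how token scopes map to internal capabilities and how the middleware's required capability decides which tokens pass. The scope and capability names are the ones discussed above; the `:write_api` capability is a placeholder standing in for the write half of the API that the `api` scope unlocks.

```ruby
# Constructed model, not GitLab's code: which internal capabilities each
# personal access token scope grants. `api` is read/write on the whole API;
# `read_repository` only allows downloading code. :write_api is a placeholder.
SCOPE_CAPABILITIES = {
  'api'             => %i[read_project download_code write_api],
  'read_repository' => %i[download_code]
}.freeze

Token = Struct.new(:scopes)

# Capability the go middleware demanded before this change, and after it.
BEFORE = :read_project
AFTER  = :download_code

# True when any scope carried by the token grants the requested capability.
def token_grants?(token, capability)
  token.scopes.any? { |s| SCOPE_CAPABILITIES.fetch(s, []).include?(capability) }
end

# The middleware's authorization decision, parameterised on the capability
# it requires, so the old and new behaviour can be compared side by side.
def go_get_authorized?(token, required_capability)
  token_grants?(token, required_capability)
end

# Least-privilege answer: the scope granting the fewest capabilities that
# still satisfies the required one (nil if no scope grants it).
def minimal_scope_for(capability)
  SCOPE_CAPABILITIES.select { |_, caps| caps.include?(capability) }
                    .min_by { |_, caps| caps.size }&.first
end

# Capabilities a token with this scope carries beyond what go get needs:
# the privilege that sits in plain text in .netrc for no reason.
def excess_capabilities(scope)
  SCOPE_CAPABILITIES.fetch(scope) - [:download_code]
end

if __FILE__ == $PROGRAM_NAME
  narrow = Token.new(%w[read_repository])
  broad  = Token.new(%w[api])
  puts "read_repository token, old check: #{go_get_authorized?(narrow, BEFORE)}" # false
  puts "read_repository token, new check: #{go_get_authorized?(narrow, AFTER)}"  # true
  puts "api token, new check:             #{go_get_authorized?(broad, AFTER)}"   # true
  puts "minimal scope, old check:         #{minimal_scope_for(BEFORE)}"          # api
  puts "minimal scope, new check:         #{minimal_scope_for(AFTER)}"           # read_repository
  puts "excess privilege of api scope:    #{excess_capabilities('api').inspect}"
end
```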
TL;DR
The go middleware should only need a personal access token with the `read_repository` scope, not the full read/write `api` scope.
Screenshots
Screenshot: `go get` with a `.netrc` token should work with only the `read_repository` scope:
Does this MR meet the acceptance criteria?
Conformity
Security
- Label as security and @ mention @gitlab-com/gl-security/appsec

@gitlab-com/gl-security/appsec Not really security related, but it does relate to authentication for private repos and the go middleware.