
Deploy tokens as API auth method

Steve Abrams requested to merge 213566-package-deploy-token-auth into master

What does this MR do?

We add find_user_by_deploy_token to the API auth flow so that deploy tokens become a valid authentication method for specified API endpoints, using the new scopes added to deploy tokens in !29383 (merged).

Endpoints with route_setting :authentication, deploy_token_allowed: true will be allowed to authenticate using deploy tokens.

This presents a small difficulty because the API relies on the idea that a user is authenticating, or that a user is using an authentication method associated with them somehow (they created a PAT, they kicked off a job that uses a job token, etc.). A deploy token, however, is not associated with a user; it is only associated with a Project or Group. So we needed to allow deploy tokens to behave like a user and respond to many of the same methods. This functionality already somewhat exists in the permissions code: including PolicyActor lets a non-user object ask for permissions using Ability.allowed?. This MR adds some additional methods to that concern.

The implementation of deploy tokens as a valid auth method for the API is specifically to allow deploy tokens with the new scopes to create and read the package APIs (for example, pushing and pulling NPM and Maven packages). This MR adds the functionality for Maven; other package managers will be handled in subsequent MRs.
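The two paragraphs above describe the shape of the check: a deploy token is not a user, it is only accepted on endpoints whose route setting opts in, and it must carry the scope the endpoint needs. The following is an added stand-alone model of that flow, not GitLab's code. The names DeployToken, Endpoint, authenticate and the route_settings hash are assumptions that stand in for the real route_setting :authentication, deploy_token_allowed: true declaration and for find_user_by_deploy_token; all token values and project ids are constructed sample data.

```ruby
require 'time'

# Constructed model of a deploy token: bound to a project, never to a user.
DeployToken = Struct.new(:token, :project_id, :scopes, :revoked, :expires_at, keyword_init: true) do
  def active?
    !revoked && (expires_at.nil? || expires_at > Time.now)
  end

  # Lets the token answer the kind of question a policy would ask of a user
  # (the PolicyActor idea): is this actor allowed `scope` on this project?
  def can?(scope, requested_project_id)
    active? && project_id == requested_project_id && scopes.include?(scope)
  end
end

User = Struct.new(:username, :personal_access_token, keyword_init: true)

# An endpoint opts in to deploy-token auth through its route settings,
# modelled here as a nested hash (assumption, not Grape's real structure).
Endpoint = Struct.new(:path, :route_settings, :required_scope, keyword_init: true) do
  def deploy_token_allowed?
    route_settings.dig(:authentication, :deploy_token_allowed) == true
  end
end

# Constructed sample stores standing in for database lookups.
USERS = [User.new(username: 'alice', personal_access_token: 'pat-constructed-1')].freeze

DEPLOY_TOKENS = [
  DeployToken.new(token: 'dt-constructed-read', project_id: 7,
                  scopes: %w[read_package_registry], revoked: false, expires_at: nil),
  DeployToken.new(token: 'dt-constructed-rw', project_id: 7,
                  scopes: %w[read_package_registry write_package_registry], revoked: false, expires_at: nil),
  DeployToken.new(token: 'dt-constructed-revoked', project_id: 7,
                  scopes: %w[read_package_registry write_package_registry], revoked: true, expires_at: nil)
].freeze

ENDPOINTS = {
  package_download: Endpoint.new(path: '/projects/:id/packages/maven/*path',
                                 route_settings: { authentication: { deploy_token_allowed: true } },
                                 required_scope: 'read_package_registry'),
  package_upload: Endpoint.new(path: '/projects/:id/packages/maven/*path',
                               route_settings: { authentication: { deploy_token_allowed: true } },
                               required_scope: 'write_package_registry'),
  # An ordinary endpoint that never opted in: deploy tokens are rejected here.
  user_profile: Endpoint.new(path: '/user', route_settings: {}, required_scope: nil)
}.freeze

def find_user_by_personal_access_token(token)
  USERS.find { |u| u.personal_access_token == token }
end

def find_deploy_token(token)
  DEPLOY_TOKENS.find { |t| t.token == token }
end

# Returns the authenticated actor (a User or a DeployToken) or nil.
# Header parsing is left out; `presented_token` is the credential string.
def authenticate(endpoint, presented_token, project_id)
  return nil if presented_token.nil? || presented_token.empty?

  # User-bound credentials are tried first, exactly as before this change.
  user = find_user_by_personal_access_token(presented_token)
  return user if user

  # Deploy tokens are only consulted when the route opted in.
  return nil unless endpoint.deploy_token_allowed?

  deploy_token = find_deploy_token(presented_token)
  return nil unless deploy_token
  # The token must be active, belong to this project and hold the scope.
  return nil unless deploy_token.can?(endpoint.required_scope, project_id)

  deploy_token
end
```

The ordering matters: the opt-in check runs before the token lookup, so a deploy token presented to an endpoint that never declared deploy_token_allowed is rejected without ever being treated as an actor, and a read-only token cannot reach a write endpoint even on its own project.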

Although the package APIs are EE, they are starting to be migrated to core, so rather than implement this logic only in EE, I've added it to core so it won't have to be refactored in the next milestone.

What this MR does not do

This MR sets up the authentication to allow deploy tokens to be used for these specific endpoints. The required scopes, write_package_registry and read_package_registry, are not yet visible in the deploy token form. The next MR will update the frontend and API to allow these new scopes to be set on deploy tokens. That MR will include the updates to the main deploy token docs to show these new scopes.

As mentioned previously, other Package managers will be enabled with deploy token access in other MRs.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related #213566 (closed)

Edited by Steve Abrams
