WIP: Unify Conan auth

What does this MR do?

Per the discussion on #215574 (closed) and my proposal #215574 (comment 343649634), this MR implements an MVC custom authorization framework for Package Managers.

Package Managers often need custom modes of authentication, beyond the existing GitLab API authentication and authorization schemes. Over time, a variety of helpers and methods have grown up to meet this need, leading to technical debt. The goal of this MR is to provide the beginning (MVC) of a comprehensive solution for custom authentication for API endpoints, in a way that clearly expresses allowed authentication mechanisms and can be shared across all endpoints that need it.

The end result is that every endpoint requiring custom authentication expresses it along the following lines:

allow :personal_access_token, from: :authorization_basic
allow :personal_access_token, from: :private_token_header
allow :personal_access_token, from: :private_token_query

In the future, allow statements should be usable at the root level of an endpoint, for namespaces, and for single routes, and should encompass all custom authentication. This MVC is the minimal set of changes necessary to migrate Conan to this new authentication configuration scheme.
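To make the declaration concrete, here is an added, hypothetical Ruby model of how `allow` statements like these could drive request authentication; it is not GitLab's implementation. The request shape (`headers`/`params` hashes), the constructed token store, the assumption that the token travels in the Basic-auth password field, and the rule that the first source presenting a credential decides the outcome are all assumptions of this sketch.

```ruby
require 'base64'

# Added, hypothetical model of the `allow :type, from: :source` DSL; not GitLab's code.
module CustomAuth
  # Constructed token store (value => user); a real store would look up a hash, not the raw value.
  PAT_STORE = { 'glpat-constructed-valid' => 'alice' }.freeze
  # Credential extractors keyed by source name; each returns the raw token or nil.
  SOURCES = {
    authorization_basic: lambda do |req|
      header = req[:headers]['Authorization'].to_s
      next nil unless header.start_with?('Basic ')
      begin
        # Assumption: the token is carried in the password field of user:password.
        Base64.strict_decode64(header.delete_prefix('Basic ')).split(':', 2)[1]
      rescue ArgumentError
        nil # malformed base64 counts as "no credential presented"
      end
    end,
    private_token_header: ->(req) { req[:headers]['PRIVATE-TOKEN'] },
    private_token_query: ->(req) { req[:params]['private_token'] }
  }.freeze
  # Token types keyed by name; each resolves a raw token to a user or nil.
  TYPES = { personal_access_token: ->(raw) { PAT_STORE[raw] } }.freeze

  module DSL
    # allow :personal_access_token, from: :private_token_header
    def allow(type, from:)
      raise ArgumentError, "unknown token type #{type}" unless TYPES.key?(type)
      raise ArgumentError, "unknown source #{from}" unless SOURCES.key?(from)
      (@allowed_auth ||= []) << [type, from]
    end

    # Walk the declared pairs in order. The first source that presents a credential
    # decides: an invalid token there yields nil instead of falling through to a later source.
    def authenticate(req)
      (@allowed_auth || []).each do |type, from|
        raw = SOURCES[from].call(req)
        next if raw.nil? || raw.empty?
        return TYPES[type].call(raw)
      end
      nil
    end
  end
end

class ConanEndpoint
  extend CustomAuth::DSL
  allow :personal_access_token, from: :authorization_basic
  allow :personal_access_token, from: :private_token_header
  allow :personal_access_token, from: :private_token_query
end
```

Declaring an unknown token type or source fails at class-load time, so a typo in an `allow` line cannot silently leave an endpoint without authentication.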

Updates #215574 (closed)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Ethan Reesor