
Update deploy token package permissions

Steve Abrams requested to merge 282499-deploy-token-read-package into master

What does this MR do?

Currently, using a deploy token with the write_package_registry scope will not work with Maven packages. The mvn deploy command will make a GET request which will require the :read_package permission; however, the write_package_registry scope does not currently include :read_package, so the package publication will fail.

This MR adds the missing permission to group and project deploy tokens.

Screenshots (strongly suggested)

Before (mvn deploy failure)
mvn deploy -s settings.xml
[INFO] Scanning for projects...
[INFO]
[INFO] --------------------< foo.bar.app:my-maven-package >--------------------
[INFO] Building my-maven-package 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:3.0.2:resources (default-resources) @ my-maven-package ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ my-maven-package ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:3.0.2:testResources (default-testResources) @ my-maven-package ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ my-maven-package ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ my-maven-package ---
[INFO]
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running com.mycompany.app.AppTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.023 s - in com.mycompany.app.AppTest
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO]
[INFO] --- maven-jar-plugin:3.0.2:jar (default-jar) @ my-maven-package ---
[INFO] Building jar: /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar
[INFO]
[INFO] --- maven-install-plugin:2.5.2:install (default-install) @ my-maven-package ---
[INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.jar
[INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/pom.xml to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.pom
[INFO]
[INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ my-maven-package ---
Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml
[WARNING] Could not transfer metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml from/to gitlab-maven (http://gdk.test:3001/api/v4/projects/22/packages/maven): Authorization failed for http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml 403 Forbidden
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.299 s
[INFO] Finished at: 2020-11-13T10:12:45-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project my-maven-package: Failed to retrieve remote metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml: Could not transfer metadata foo.bar.app:my-maven-package:1.0-SNAPSHOT/maven-metadata.xml from/to gitlab-maven (http://gdk.test:3001/api/v4/projects/22/packages/maven): Authorization failed for http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml 403 Forbidden -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

After (mvn deploy success)
mvn deploy -s settings.xml
[INFO] Scanning for projects...
[INFO]
[INFO] --------------------< foo.bar.app:my-maven-package >--------------------
[INFO] Building my-maven-package 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:3.0.2:resources (default-resources) @ my-maven-package ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.0:compile (default-compile) @ my-maven-package ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:3.0.2:testResources (default-testResources) @ my-maven-package ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/steveabrams/workspace/playground/maven/maven-practice/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.0:testCompile (default-testCompile) @ my-maven-package ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-surefire-plugin:2.22.1:test (default-test) @ my-maven-package ---
[INFO]
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running com.mycompany.app.AppTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.027 s - in com.mycompany.app.AppTest
[INFO]
[INFO] Results:
[INFO]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO]
[INFO] --- maven-jar-plugin:3.0.2:jar (default-jar) @ my-maven-package ---
[INFO]
[INFO] --- maven-install-plugin:2.5.2:install (default-install) @ my-maven-package ---
[INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/target/my-maven-package-1.0-SNAPSHOT.jar to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.jar
[INFO] Installing /Users/steveabrams/workspace/playground/maven/maven-practice/pom.xml to /Users/steveabrams/.m2/repository/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-SNAPSHOT.pom
[INFO]
[INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ my-maven-package ---
Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml
Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.jar
Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.jar (2.9 kB at 225 B/s)
Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.pom
Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.pom (3.2 kB at 1.7 kB/s)
Downloading from gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml
Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml
Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/1.0-SNAPSHOT/maven-metadata.xml (771 B at 394 B/s)
Uploading to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml
Uploaded to gitlab-maven: http://gdk.test:3001/api/v4/projects/22/packages/maven/foo/bar/app/my-maven-package/maven-metadata.xml (285 B at 156 B/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  31.881 s
[INFO] Finished at: 2020-11-13T10:13:34-07:00
[INFO] ------------------------------------------------------------------------

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #282499 (closed)

Edited by Steve Abrams
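
The failure and the fix described in this MR, as an added example that is not part of the merge request and not GitLab's policy code: a simplified Ruby model that replays the request sequence from the "After" log against the scope mapping before and after the change. The `:create_package` ability name, the constants and the helper functions are assumptions made for illustration; `:read_package` and `write_package_registry` come from the description.

```ruby
# Simplified model of deploy-token scope checks; not GitLab's policy code.
# :read_package and write_package_registry come from the MR description;
# :create_package is an assumed name for the upload ability.
require 'set'

SCOPES_BEFORE = { write_package_registry: Set[:create_package] }.freeze
SCOPES_AFTER  = { write_package_registry: Set[:create_package, :read_package] }.freeze

# HTTP method -> ability the Maven endpoint requires (GET needs read, per the MR).
REQUIRED_ABILITY = { 'GET' => :read_package, 'PUT' => :create_package }.freeze

# Request order taken from the "After" mvn deploy log (paths shortened).
MVN_DEPLOY_REQUESTS = [
  ['GET', '1.0-SNAPSHOT/maven-metadata.xml'],
  ['PUT', '1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.jar'],
  ['PUT', '1.0-SNAPSHOT/my-maven-package-1.0-20201113.171315-1.pom'],
  ['GET', 'maven-metadata.xml'],
  ['PUT', '1.0-SNAPSHOT/maven-metadata.xml'],
  ['PUT', 'maven-metadata.xml']
].freeze

# Union of the abilities granted by every scope on the token.
def abilities_for(token_scopes, mapping)
  token_scopes.reduce(Set.new) { |acc, scope| acc | mapping.fetch(scope, Set.new) }
end

# 200 here only means "authorized"; 403 matches the failure in the "Before" log.
def status_for(http_method, abilities)
  required = REQUIRED_ABILITY[http_method]
  return 405 if required.nil?

  abilities.include?(required) ? 200 : 403
end

# Replays the deploy and returns the first rejected request, or nil on success.
def first_denied(token_scopes, mapping, requests = MVN_DEPLOY_REQUESTS)
  abilities = abilities_for(token_scopes, mapping)
  requests.each do |http_method, path|
    status = status_for(http_method, abilities)
    return { method: http_method, path: path, status: status } unless status == 200
  end
  nil
end
```

With the "after" mapping, a token that holds only write_package_registry can also read packages, which is worth keeping in mind when such tokens are issued to publish-only jobs.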
