Skip to content

Add missing Git authentication support for group level bot build tokens

Fabio Huser requested to merge siemens/gitlab:fix/group-bot-build-token-git-access into master

What does this MR do and why?

Closes #345543 (closed)

This MR adds the missing functionality to access a Git repository per HTTPS by authenticating using a group level bot build token. Prior to this this, trying to access a Git repository with said token would lead to an authentication error. Accessing Git repositories using project level bot build tokens worked perfectly fine, but the same check for group level bots was missing. This access scenario occurs if a group level bot (group level access token) is used to trigger a CI pipeline (e.g. using the pipeline trigger API) and the CI job tries to clone the desired repository.

The change is heavily influenced by @serenafang's proposal in #345543, but re-uses the existing token_bot_in_group method which is already used by the main personal_access_token_check method. This ensures that access using a group access token and a build/CI job token are treated identically and also simplifies future refactoring work.

Screenshots or screen recordings

Successful CI pipeline run, triggered by a group level access token
group-level-bot-build-token

How to set up and validate locally

  1. Use the current branch to create a new group.
  2. Within that group, create a new project and add a simple CI pipeline (e.g. echo "it works").
  3. Attach a gitlab-runner to the previously created project, make sure the connection is established and the runner is ready to pick-up new jobs.
  4. Create a new group access token within the previously created group.
  5. Use the token to trigger a new CI pipeline, owned by the group level bot, using the API: 
    curl --request POST --header "PRIVATE-TOKEN: <TOKEN>" --form ref=main "http://127.0.0.1:3000/api/v4/projects/<PROJECT_ID>/pipeline"
  6. Visit the running pipeline on the GitLab UI. Make sure that the repository was cloned and that the pipeline ran trough successfully.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports