Commit 3a1dae66 authored by Fabio Huser's avatar Fabio Huser

Add missing Git authentication support for group level bot build tokens

This commit adds the missing functionality to access a Git repository
per HTTPS by authenticating using a group level bot build token. Prior
to this, trying to access a Git repository with said token would
lead to an authentication error. Accessing Git repositories using
project level bot build tokens worked perfectly fine, but the same
check for group level bots was missing. This access scenario occurs
if a group level bot (group level access token) is used to trigger
a CI pipeline (e.g. pipeline trigger API) and the CI job tries to
clone the desired repository.

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/345543

Changelog: fixed
parent ff777213
...@@ -207,7 +207,7 @@ module Gitlab ...@@ -207,7 +207,7 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes) return unless valid_scoped_token?(token, all_available_scopes)
if project && token.user.project_bot? if project && token.user.project_bot?
return unless token_bot_in_project?(token.user, project) || token_bot_in_group?(token.user, project) return unless token_bot_in_resource?(token.user, project)
end end
if token.user.can_log_in_with_non_expired_password? || token.user.project_bot? if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
...@@ -229,6 +229,10 @@ module Gitlab ...@@ -229,6 +229,10 @@ module Gitlab
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def token_bot_in_resource?(user, project)
token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
end
def valid_oauth_token?(token) def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes) token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
end end
...@@ -309,7 +313,7 @@ module Gitlab ...@@ -309,7 +313,7 @@ module Gitlab
return unless build.project.builds_enabled? return unless build.project.builds_enabled?
if build.user if build.user
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && build.project.bots&.include?(build.user)) return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities) Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
......
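Review bot: `token_bot_in_resource?` (added in the @@ -229 hunk) carries no comment, yet after the change in the @@ -313 hunk it is the only membership check between a project-bot user and the CI build credentials issued for `build.project`, replacing a check (`build.project.bots&.include?(build.user)`) that was limited to direct project bots. `token_bot_in_group?` is outside the hunk, so I cannot confirm from here that it restricts the bot to the project's own ancestor groups rather than any group membership; that is the property the new group-level path depends on and should be verified. I would document the contract above the helper: `# A project bot may act on +project+ if it is a direct member of the project or a member of one of the project's groups (delegates to token_bot_in_project?/token_bot_in_group?).`, adjusting the second clause to whatever token_bot_in_group? actually checks. The surrounding visibility section (`private` or not) is also outside the hunk; the helper should sit with the other private helpers since it is only called from within this module.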
...@@ -156,8 +156,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -156,8 +156,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
let(:username) { 'gitlab-ci-token' } let(:username) { 'gitlab-ci-token' }
context 'for running build' do context 'for running build' do
let!(:build) { create(:ci_build, :running) } let!(:group) { create(:group) }
let(:project) { build.project } let!(:project) { create(:project, group: group) }
let!(:build) { create(:ci_build, :running, project: project) }
it 'recognises user-less build' do it 'recognises user-less build' do
expect(subject).to have_attributes(actor: nil, project: build.project, type: :ci, authentication_abilities: described_class.build_authentication_abilities) expect(subject).to have_attributes(actor: nil, project: build.project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
...@@ -169,6 +170,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do ...@@ -169,6 +170,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities) expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end end
it 'recognises project level bot access token' do
build.update(user: create(:user, :project_bot))
project.add_maintainer(build.user)
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
it 'recognises group level bot access token' do
build.update(user: create(:user, :project_bot))
group.add_maintainer(build.user)
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
it 'fails with blocked user token' do it 'fails with blocked user token' do
build.update(user: create(:user, :blocked)) build.update(user: create(:user, :blocked))
......
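Review bot: The two new examples (`recognises project level bot access token`, `recognises group level bot access token`) only exercise the positive paths; neither asserts that a project bot that is a member of neither `project` nor `group` is rejected, which is the case that would catch an over-permissive `token_bot_in_resource?`. The existing `fails with blocked user token` example does not cover it, since a blocked user is rejected on a different condition. I would add a third example next to them that creates the bot without any `add_maintainer` call and asserts the build result is not granted, mirroring the failure expectation the blocked-user example uses (its body is outside the hunk). As a minor point of style, `build.update!` would surface a failed update in the new examples instead of silently leaving `user` unset, though the surrounding examples also use `update`.
```ruby
it 'fails for a project bot that is a member of neither the project nor the group' do
  build.update(user: create(:user, :project_bot))

  # Negative check: an authorized bot would match exactly the attributes asserted in the two positive examples.
  expect(subject).not_to have_attributes(actor: build.user, project: build.project, type: :build)
end
```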