Commit 4553e8bb authored by Sean McGivern's avatar Sean McGivern

Merge branch 'ci_job_token_delete_registry_images' into 'master'

Allow access to registry API of the current project using the job token [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!49750
parents 96dd516f 49964377
---
title: Allow access to registry API of the current project using the job token
merge_request: 49750
author: Mathieu Parent
type: added
---
name: ci_job_token_scope
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49750
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/300821
milestone: '13.12'
type: development
group: group::package
default_enabled: false
...@@ -208,6 +208,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints ...@@ -208,6 +208,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints
Package Registry, you can use [deploy tokens](../user/project/deploy_tokens/index.md). Package Registry, you can use [deploy tokens](../user/project/deploy_tokens/index.md).
- [Container Registry](../user/packages/container_registry/index.md) - [Container Registry](../user/packages/container_registry/index.md)
(the `$CI_REGISTRY_PASSWORD` is `$CI_JOB_TOKEN`). (the `$CI_REGISTRY_PASSWORD` is `$CI_JOB_TOKEN`).
- [Container Registry API](container_registry.md) (scoped to the job's project, when the `ci_job_token_scope` feature flag is enabled)
- [Get job artifacts](job_artifacts.md#get-job-artifacts). - [Get job artifacts](job_artifacts.md#get-job-artifacts).
- [Get job token's job](jobs.md#get-job-tokens-job). - [Get job token's job](jobs.md#get-job-tokens-job).
- [Pipeline triggers](pipeline_triggers.md), using the `token=` parameter. - [Pipeline triggers](pipeline_triggers.md), using the `token=` parameter.
......
...@@ -6,10 +6,30 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -6,10 +6,30 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Container Registry API # Container Registry API
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55978) in GitLab 11.8. > - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/55978) in GitLab 11.8.
> - The use of `CI_JOB_TOKEN` scoped to the current project was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49750) in GitLab 13.12.
This is the API documentation of the [GitLab Container Registry](../user/packages/container_registry/index.md). This is the API documentation of the [GitLab Container Registry](../user/packages/container_registry/index.md).
When the `ci_job_token_scope` feature flag is enabled (it is **disabled by default**), you can use the below endpoints
from a CI/CD job, by passing the `$CI_JOB_TOKEN` variable as the `JOB-TOKEN` header.
The job token will only have access to its own project.
[GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
can opt to enable it.
To enable it:
```ruby
Feature.enable(:ci_job_token_scope)
```
To disable it:
```ruby
Feature.disable(:ci_job_token_scope)
```
## List registry repositories ## List registry repositories
### Within a project ### Within a project
......
...@@ -87,6 +87,8 @@ module EE ...@@ -87,6 +87,8 @@ module EE
def find_project!(id) def find_project!(id)
project = find_project(id) project = find_project(id)
return forbidden! unless authorized_project_scope?(project)
# CI job token authentication: # CI job token authentication:
# this method grants limited privileged for admin users # this method grants limited privileged for admin users
# admin users can only access project if they are direct member # admin users can only access project if they are direct member
......
...@@ -124,12 +124,22 @@ module API ...@@ -124,12 +124,22 @@ module API
def find_project!(id) def find_project!(id)
project = find_project(id) project = find_project(id)
return forbidden! unless authorized_project_scope?(project)
return project if can?(current_user, :read_project, project) return project if can?(current_user, :read_project, project)
return unauthorized! if authenticate_non_public? return unauthorized! if authenticate_non_public?
not_found!('Project') not_found!('Project')
end end
def authorized_project_scope?(project)
return true unless job_token_authentication?
return true unless route_authentication_setting[:job_token_scope] == :project
::Feature.enabled?(:ci_job_token_scope, project, default_enabled: :yaml) &&
current_authenticated_job.project == project
end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def find_group(id) def find_group(id)
if id.to_s =~ /^\d+$/ if id.to_s =~ /^\d+$/
......
...@@ -15,6 +15,7 @@ module API ...@@ -15,6 +15,7 @@ module API
params do params do
requires :id, type: String, desc: 'The ID of a project' requires :id, type: String, desc: 'The ID of a project'
end end
route_setting :authentication, job_token_allowed: true, job_token_scope: :project
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
desc 'Get a project container repositories' do desc 'Get a project container repositories' do
detail 'This feature was introduced in GitLab 11.8.' detail 'This feature was introduced in GitLab 11.8.'
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe API::Helpers do RSpec.describe API::Helpers do
using RSpec::Parameterized::TableSyntax
subject { Class.new.include(described_class).new } subject { Class.new.include(described_class).new }
describe '#find_project' do describe '#find_project' do
...@@ -99,6 +101,59 @@ RSpec.describe API::Helpers do ...@@ -99,6 +101,59 @@ RSpec.describe API::Helpers do
end end
end end
describe '#find_project!' do
let_it_be(:project) { create(:project) }
let(:user) { project.owner}
before do
allow(subject).to receive(:current_user).and_return(user)
allow(subject).to receive(:authorized_project_scope?).and_return(true)
allow(subject).to receive(:job_token_authentication?).and_return(false)
allow(subject).to receive(:authenticate_non_public?).and_return(false)
end
shared_examples 'project finder' do
context 'when project exists' do
it 'returns requested project' do
expect(subject.find_project!(existing_id)).to eq(project)
end
it 'returns nil' do
expect(subject).to receive(:render_api_error!).with('404 Project Not Found', 404)
expect(subject.find_project!(non_existing_id)).to be_nil
end
end
end
context 'when ID is used as an argument' do
let(:existing_id) { project.id }
let(:non_existing_id) { non_existing_record_id }
it_behaves_like 'project finder'
end
context 'when PATH is used as an argument' do
let(:existing_id) { project.full_path }
let(:non_existing_id) { 'something/else' }
it_behaves_like 'project finder'
context 'with an invalid PATH' do
let(:non_existing_id) { 'undefined' } # path without slash
it_behaves_like 'project finder'
it 'does not hit the database' do
expect(Project).not_to receive(:find_by_full_path)
expect(subject).to receive(:render_api_error!).with('404 Project Not Found', 404)
subject.find_project!(non_existing_id)
end
end
end
end
describe '#find_namespace' do describe '#find_namespace' do
let(:namespace) { create(:namespace) } let(:namespace) { create(:namespace) }
...@@ -191,6 +246,49 @@ RSpec.describe API::Helpers do ...@@ -191,6 +246,49 @@ RSpec.describe API::Helpers do
it_behaves_like 'user namespace finder' it_behaves_like 'user namespace finder'
end end
describe '#authorized_project_scope?' do
let_it_be(:project) { create(:project) }
let_it_be(:other_project) { create(:project) }
let_it_be(:job) { create(:ci_build) }
let(:send_authorized_project_scope) { subject.authorized_project_scope?(project) }
where(:job_token_authentication, :route_setting, :feature_flag, :same_job_project, :expected_result) do
false | false | false | false | true
false | false | false | true | true
false | false | true | false | true
false | false | true | true | true
false | true | false | false | true
false | true | false | true | true
false | true | true | false | true
false | true | true | true | true
true | false | false | false | true
true | false | false | true | true
true | false | true | false | true
true | false | true | true | true
true | true | false | false | false
true | true | false | true | false
true | true | true | false | false
true | true | true | true | true
end
with_them do
before do
allow(subject).to receive(:job_token_authentication?).and_return(job_token_authentication)
allow(subject).to receive(:route_authentication_setting).and_return(job_token_scope: route_setting ? :project : nil)
allow(subject).to receive(:current_authenticated_job).and_return(job)
allow(job).to receive(:project).and_return(same_job_project ? project : other_project)
stub_feature_flags(ci_job_token_scope: false)
stub_feature_flags(ci_job_token_scope: project) if feature_flag
end
it 'returns the expected result' do
expect(send_authorized_project_scope).to eq(expected_result)
end
end
end
describe '#send_git_blob' do describe '#send_git_blob' do
let(:repository) { double } let(:repository) { double }
let(:blob) { double(name: 'foobar') } let(:blob) { double(name: 'foobar') }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment