Commit 0b8f461f authored by Sean Carroll's avatar Sean Carroll

Enable Job-Token authentication in GitLab Core

Closes https://gitlab.com/gitlab-org/gitlab/issues/37898

See merge request https://gitlab.com/gitlab-org/gitlab/merge_requests/21120
parent 740dd848
......@@ -82,7 +82,7 @@ There are four ways to authenticate with the GitLab API:
1. [OAuth2 tokens](#oauth2-tokens)
1. [Personal access tokens](#personal-access-tokens)
1. [Session cookie](#session-cookie)
1. [GitLab CI job token](#gitlab-ci-job-token-premium) **(PREMIUM)**
1. [GitLab CI job token](#gitlab-ci-job-token) **(Specific endpoints only)**
For admins who want to authenticate with the API as a specific user, or who want to build applications or scripts that do so, two options are available:
......@@ -152,13 +152,14 @@ The primary user of this authentication method is the web frontend of GitLab its
which can use the API as the authenticated user to get a list of their projects,
for example, without needing to explicitly pass an access token.
### GitLab CI job token **(PREMIUM)**
### GitLab CI job token
With a few API endpoints you can use a [GitLab CI job token](../user/project/new_ci_build_permissions_model.md#job-token)
to authenticate with the API:
- [Get job artifacts](jobs.md#get-job-artifacts)
- [Pipeline triggers](pipeline_triggers.md)
- [Release creation](releases/index.md#create-a-release)
### Impersonation tokens
......
......@@ -7,28 +7,11 @@ module EE
extend ActiveSupport::Concern
extend ::Gitlab::Utils::Override
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
def find_user_from_bearer_token
find_user_from_job_bearer_token ||
find_user_from_access_token
end
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by_token(token)
raise ::Gitlab::Auth::UnauthorizedError unless job
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
override :find_oauth_access_token
def find_oauth_access_token
return if scim_request?
......
......@@ -63,7 +63,9 @@ module API
end
def find_user_from_sources
find_user_from_access_token || find_user_from_warden
find_user_from_access_token ||
find_user_from_job_token ||
find_user_from_warden
end
private
......
......@@ -24,6 +24,8 @@ module Gitlab
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
PRIVATE_TOKEN_PARAM = :private_token
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
# Check the Rails session for valid authentication details
def find_user_from_warden
......@@ -50,6 +52,20 @@ module Gitlab
User.find_by_feed_token(token) || raise(UnauthorizedError)
end
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by_token(token)
raise ::Gitlab::Auth::UnauthorizedError unless job
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
# We only allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment