Commit a4f730c5 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch '37898-job-token-authentication-should-be-allowed-at-core-tier' into 'master'

Enable Job-Token authentication in GitLab Core

Closes #37898

See merge request gitlab-org/gitlab!21120
parents 246f6491 0b8f461f
...@@ -82,7 +82,7 @@ There are four ways to authenticate with the GitLab API: ...@@ -82,7 +82,7 @@ There are four ways to authenticate with the GitLab API:
1. [OAuth2 tokens](#oauth2-tokens) 1. [OAuth2 tokens](#oauth2-tokens)
1. [Personal access tokens](#personal-access-tokens) 1. [Personal access tokens](#personal-access-tokens)
1. [Session cookie](#session-cookie) 1. [Session cookie](#session-cookie)
1. [GitLab CI job token](#gitlab-ci-job-token-premium) **(PREMIUM)** 1. [GitLab CI job token](#gitlab-ci-job-token) **(Specific endpoints only)**
For admins who want to authenticate with the API as a specific user, or who want to build applications or scripts that do so, two options are available: For admins who want to authenticate with the API as a specific user, or who want to build applications or scripts that do so, two options are available:
...@@ -152,13 +152,14 @@ The primary user of this authentication method is the web frontend of GitLab its ...@@ -152,13 +152,14 @@ The primary user of this authentication method is the web frontend of GitLab its
which can use the API as the authenticated user to get a list of their projects, which can use the API as the authenticated user to get a list of their projects,
for example, without needing to explicitly pass an access token. for example, without needing to explicitly pass an access token.
### GitLab CI job token **(PREMIUM)** ### GitLab CI job token
With a few API endpoints you can use a [GitLab CI job token](../user/project/new_ci_build_permissions_model.md#job-token) With a few API endpoints you can use a [GitLab CI job token](../user/project/new_ci_build_permissions_model.md#job-token)
to authenticate with the API: to authenticate with the API:
- [Get job artifacts](jobs.md#get-job-artifacts) - [Get job artifacts](jobs.md#get-job-artifacts)
- [Pipeline triggers](pipeline_triggers.md) - [Pipeline triggers](pipeline_triggers.md)
- [Release creation](releases/index.md#create-a-release)
### Impersonation tokens ### Impersonation tokens
......
...@@ -7,28 +7,11 @@ module EE ...@@ -7,28 +7,11 @@ module EE
extend ActiveSupport::Concern extend ActiveSupport::Concern
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
def find_user_from_bearer_token def find_user_from_bearer_token
find_user_from_job_bearer_token || find_user_from_job_bearer_token ||
find_user_from_access_token find_user_from_access_token
end end
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by_token(token)
raise ::Gitlab::Auth::UnauthorizedError unless job
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
override :find_oauth_access_token override :find_oauth_access_token
def find_oauth_access_token def find_oauth_access_token
return if scim_request? return if scim_request?
......
...@@ -63,7 +63,9 @@ module API ...@@ -63,7 +63,9 @@ module API
end end
def find_user_from_sources def find_user_from_sources
find_user_from_access_token || find_user_from_warden find_user_from_access_token ||
find_user_from_job_token ||
find_user_from_warden
end end
private private
......
...@@ -24,6 +24,8 @@ module Gitlab ...@@ -24,6 +24,8 @@ module Gitlab
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN' PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
PRIVATE_TOKEN_PARAM = :private_token PRIVATE_TOKEN_PARAM = :private_token
JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
JOB_TOKEN_PARAM = :job_token
# Check the Rails session for valid authentication details # Check the Rails session for valid authentication details
def find_user_from_warden def find_user_from_warden
...@@ -50,6 +52,20 @@ module Gitlab ...@@ -50,6 +52,20 @@ module Gitlab
User.find_by_feed_token(token) || raise(UnauthorizedError) User.find_by_feed_token(token) || raise(UnauthorizedError)
end end
def find_user_from_job_token
return unless route_authentication_setting[:job_token_allowed]
token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
return unless token.present?
job = ::Ci::Build.find_by_token(token)
raise ::Gitlab::Auth::UnauthorizedError unless job
@current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
job.user
end
# We only allow Private Access Tokens with `api` scope to be used by web # We only allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility. # requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests. # It is also used by GraphQL/API requests.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment