Merge branch 'add-basic-auth-for-generic-packages' into 'master'

Add basic auth and deploy token support for generic packages See merge request gitlab-org/gitlab!48540

Merge branch 'add-basic-auth-for-generic-packages' into 'master'
Add basic auth and deploy token support for generic packages See merge request gitlab-org/gitlab!48540
d19d9aab · Fabio Pitino · 004cd454 · 8ab67149 · d19d9aab · d19d9aab
Commit d19d9aab authored Jan 08, 2021 by Fabio Pitino
4 changed files
--- a/changelogs/unreleased/276965-allow-basic-auth-for-generic-packages.yml
+++ b/changelogs/unreleased/276965-allow-basic-auth-for-generic-packages.yml
+---
+title: "Allow HTTP Basic Auth and deploy token authentication for generic packages"
+merge_request: 48540
+author: Moshe Katz @kohenkatz
+type: added
--- a/doc/user/packages/generic_packages/index.md
+++ b/doc/user/packages/generic_packages/index.md
@@ -20,8 +20,14 @@ Publish generic files, like release binaries, in your project’s Package Regist

 ## Authenticate to the Package Registry

-To authenticate to the Package Registry, you need either a [personal access token](../../../api/README.md#personalproject-access-tokens)
-or [CI job token](../../../api/README.md#gitlab-ci-job-token).
+To authenticate to the Package Registry, you need either a [personal access token](../../../api/README.md#personalproject-access-tokens),
+[CI job token](../../../api/README.md#gitlab-ci-job-token), or [deploy token](../../project/deploy_tokens/index.md).
+
+In addition to the standard API authentication mechanisms, the generic package
+API allows authentication with HTTP Basic authentication for use with tools that
+do not support the other available mechanisms. The `user-id` is not checked and
+may be any value, and the `password` must be either a [personal access token](../../../api/README.md#personalproject-access-tokens),
+a [CI job token](../../../api/README.md#gitlab-ci-job-token), or a [deploy token](../../project/deploy_tokens/index.md).

 ## Publish a package file

@@ -31,7 +37,7 @@ If a package with the same name, version, and filename already exists, it is als

 Prerequisites:

- You need to [authenticate with the API](../../../api/README.md#authentication).
+- You need to [authenticate with the API](../../../api/README.md#authentication). If authenticating with a deploy token, it must be configured with the `write_package_registry` scope.

 ```plaintext
 PUT /projects/:id/packages/generic/:package_name/:package_version/:file_name
@@ -70,7 +76,7 @@ If multiple packages have the same name, version, and filename, then the most re

 Prerequisites:

- You need to [authenticate with the API](../../../api/README.md#authentication).
+- You need to [authenticate with the API](../../../api/README.md#authentication). If authenticating with a deploy token, it must be configured with the `read_package_registry` and/or `write_package_registry` scope.

 ```plaintext
 GET /projects/:id/packages/generic/:package_name/:package_version/:file_name
@@ -92,6 +98,13 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" \
     "https://gitlab.example.com/api/v4/projects/24/packages/generic/my_package/0.0.1/file.txt"
 ```

+Example request that uses HTTP Basic authentication:
+
+```shell
+curl --user "user:<your_access_token>" \
+     https://gitlab.example.com/api/v4/projects/24/packages/generic/my_package/0.0.1/file.txt
+```
+
 ## Publish a generic package by using CI/CD

 To work with generic packages in [GitLab CI/CD](../../../ci/README.md), you can use

--- a/lib/api/generic_packages.rb
+++ b/lib/api/generic_packages.rb
@@ -21,7 +21,7 @@ module API
    end

    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
-      route_setting :authentication, job_token_allowed: true
+      route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true, deploy_token_allowed: true

      namespace ':id/packages/generic' do
        namespace ':package_name/*package_version/:file_name', requirements: GENERIC_PACKAGES_REQUIREMENTS do
@@ -29,7 +29,7 @@ module API
            detail 'This feature was introduced in GitLab 13.5'
          end

-          route_setting :authentication, job_token_allowed: true
+          route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true, deploy_token_allowed: true

          params do
            requires :package_name, type: String, desc: 'Package name', regexp: Gitlab::Regex.generic_package_name_regex, file_path: true
@@ -52,7 +52,7 @@ module API
            requires :file, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)'
          end

-          route_setting :authentication, job_token_allowed: true
+          route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true, deploy_token_allowed: true

          put do
            authorize_upload!(project)
@@ -82,7 +82,7 @@ module API
            requires :file_name, type: String, desc: 'Package file name', regexp: Gitlab::Regex.generic_package_file_name_regex, file_path: true
          end

-          route_setting :authentication, job_token_allowed: true
+          route_setting :authentication, job_token_allowed: true, basic_auth_personal_access_token: true, deploy_token_allowed: true

          get do
            authorize_read_package!(project)

--- a/spec/requests/api/generic_packages_spec.rb
+++ b/spec/requests/api/generic_packages_spec.rb
@@ -3,8 +3,16 @@
 require 'spec_helper'

 RSpec.describe API::GenericPackages do
+  include HttpBasicAuthHelpers
+
  let_it_be(:personal_access_token) { create(:personal_access_token) }
  let_it_be(:project, reload: true) { create(:project) }
+  let_it_be(:deploy_token_rw) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
+  let_it_be(:project_deploy_token_rw) { create(:project_deploy_token, deploy_token: deploy_token_rw, project: project) }
+  let_it_be(:deploy_token_ro) { create(:deploy_token, read_package_registry: true, write_package_registry: false) }
+  let_it_be(:project_deploy_token_ro) { create(:project_deploy_token, deploy_token: deploy_token_ro, project: project) }
+  let_it_be(:deploy_token_wo) { create(:deploy_token, read_package_registry: false, write_package_registry: true) }
+  let_it_be(:project_deploy_token_wo) { create(:project_deploy_token, deploy_token: deploy_token_wo, project: project) }
  let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
  let(:workhorse_header) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
  let(:user) { personal_access_token.user }
@@ -22,6 +30,23 @@ RSpec.describe API::GenericPackages do
      personal_access_token_header('wrong token')
    when :invalid_job_token
      job_token_header('wrong token')
+    when :user_basic_auth
+      user_basic_auth_header(user)
+    when :invalid_user_basic_auth
+      basic_auth_header('invalid user', 'invalid password')
+    end
+  end
+
+  def deploy_token_auth_header
+    case authenticate_with
+    when :deploy_token_rw
+      deploy_token_header(deploy_token_rw.token)
+    when :deploy_token_ro
+      deploy_token_header(deploy_token_ro.token)
+    when :deploy_token_wo
+      deploy_token_header(deploy_token_wo.token)
+    when :invalid_deploy_token
+      deploy_token_header('wrong token')
    end
  end

@@ -33,6 +58,10 @@ RSpec.describe API::GenericPackages do
    { Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER => value || ci_build.token }
  end

+  def deploy_token_header(value)
+    { Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => value }
+  end
+
  shared_examples 'secure endpoint' do
    before do
      project.add_developer(user)
@@ -54,19 +83,35 @@ RSpec.describe API::GenericPackages do
        'PUBLIC'  | :guest     | true  | :personal_access_token         | :forbidden
        'PUBLIC'  | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | true  | :user_basic_auth               | :success
+        'PUBLIC'  | :guest     | true  | :user_basic_auth               | :forbidden
+        'PUBLIC'  | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :developer | false | :personal_access_token         | :forbidden
        'PUBLIC'  | :guest     | false | :personal_access_token         | :forbidden
        'PUBLIC'  | :developer | false | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | false | :user_basic_auth               | :forbidden
+        'PUBLIC'  | :guest     | false | :user_basic_auth               | :forbidden
+        'PUBLIC'  | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :anonymous | false | :none                          | :unauthorized
        'PRIVATE' | :developer | true  | :personal_access_token         | :success
        'PRIVATE' | :guest     | true  | :personal_access_token         | :forbidden
        'PRIVATE' | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | true  | :user_basic_auth               | :success
+        'PRIVATE' | :guest     | true  | :user_basic_auth               | :forbidden
+        'PRIVATE' | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :developer | false | :personal_access_token         | :not_found
        'PRIVATE' | :guest     | false | :personal_access_token         | :not_found
        'PRIVATE' | :developer | false | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | false | :user_basic_auth               | :not_found
+        'PRIVATE' | :guest     | false | :user_basic_auth               | :not_found
+        'PRIVATE' | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :anonymous | false | :none                          | :unauthorized
        'PUBLIC'  | :developer | true  | :job_token                     | :success
        'PUBLIC'  | :developer | true  | :invalid_job_token             | :unauthorized
@@ -90,6 +135,21 @@ RSpec.describe API::GenericPackages do
          expect(response).to have_gitlab_http_status(expected_status)
        end
      end
+
+      where(:authenticate_with, :expected_status) do
+        :deploy_token_rw      | :success
+        :deploy_token_wo      | :success
+        :deploy_token_ro      | :forbidden
+        :invalid_deploy_token | :unauthorized
+      end
+
+      with_them do
+        it "responds with #{params[:expected_status]}" do
+          authorize_upload_file(workhorse_header.merge(deploy_token_auth_header))
+
+          expect(response).to have_gitlab_http_status(expected_status)
+        end
+      end
    end

    context 'application security' do
@@ -138,20 +198,34 @@ RSpec.describe API::GenericPackages do

      where(:project_visibility, :user_role, :member?, :authenticate_with, :expected_status) do
        'PUBLIC'  | :guest     | true  | :personal_access_token         | :forbidden
+        'PUBLIC'  | :guest     | true  | :user_basic_auth               | :forbidden
        'PUBLIC'  | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :developer | false | :personal_access_token         | :forbidden
        'PUBLIC'  | :guest     | false | :personal_access_token         | :forbidden
+        'PUBLIC'  | :developer | false | :user_basic_auth               | :forbidden
+        'PUBLIC'  | :guest     | false | :user_basic_auth               | :forbidden
        'PUBLIC'  | :developer | false | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :anonymous | false | :none                          | :unauthorized
        'PRIVATE' | :guest     | true  | :personal_access_token         | :forbidden
+        'PRIVATE' | :guest     | true  | :user_basic_auth               | :forbidden
        'PRIVATE' | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :developer | false | :personal_access_token         | :not_found
        'PRIVATE' | :guest     | false | :personal_access_token         | :not_found
+        'PRIVATE' | :developer | false | :user_basic_auth               | :not_found
+        'PRIVATE' | :guest     | false | :user_basic_auth               | :not_found
        'PRIVATE' | :developer | false | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :anonymous | false | :none                          | :unauthorized
        'PUBLIC'  | :developer | true  | :invalid_job_token             | :unauthorized
        'PUBLIC'  | :developer | false | :job_token                     | :forbidden
@@ -175,6 +249,21 @@ RSpec.describe API::GenericPackages do
          expect(response).to have_gitlab_http_status(expected_status)
        end
      end
+
+      where(:authenticate_with, :expected_status) do
+        :deploy_token_ro      | :forbidden
+        :invalid_deploy_token | :unauthorized
+      end
+
+      with_them do
+        it "responds with #{params[:expected_status]}" do
+          headers = workhorse_header.merge(deploy_token_auth_header)
+
+          upload_file(params, headers)
+
+          expect(response).to have_gitlab_http_status(expected_status)
+        end
+      end
    end

    context 'when user can upload packages and has valid credentials' do
@@ -182,8 +271,9 @@ RSpec.describe API::GenericPackages do
        project.add_developer(user)
      end

-      it 'creates package and package file when valid personal access token is used' do
-        headers = workhorse_header.merge(personal_access_token_header)
+      shared_examples 'creates a package and package file' do
+        it 'creates a package and package file' do
+          headers = workhorse_header.merge(auth_header)

          expect { upload_file(params, headers) }
            .to change { project.packages.generic.count }.by(1)
@@ -195,30 +285,44 @@ RSpec.describe API::GenericPackages do
            package = project.packages.generic.last
            expect(package.name).to eq('mypackage')
            expect(package.version).to eq('0.0.1')
+
+            if should_set_build_info
+              expect(package.original_build_info.pipeline).to eq(ci_build.pipeline)
+            else
              expect(package.original_build_info).to be_nil
+            end

            package_file = package.package_files.last
            expect(package_file.file_name).to eq('myfile.tar.gz')
          end
        end
+      end

-      it 'creates package, package file, and package build info when valid job token is used' do
-        headers = workhorse_header.merge(job_token_header)
-
-        expect { upload_file(params, headers) }
-          .to change { project.packages.generic.count }.by(1)
-          .and change { Packages::PackageFile.count }.by(1)
+      context 'when valid personal access token is used' do
+        it_behaves_like 'creates a package and package file' do
+          let(:auth_header) { personal_access_token_header }
+          let(:should_set_build_info) { false }
+        end
+      end

-        aggregate_failures do
-          expect(response).to have_gitlab_http_status(:created)
+      context 'when valid basic auth is used' do
+        it_behaves_like 'creates a package and package file' do
+          let(:auth_header) { user_basic_auth_header(user) }
+          let(:should_set_build_info) { false }
+        end
+      end

-          package = project.packages.generic.last
-          expect(package.name).to eq('mypackage')
-          expect(package.version).to eq('0.0.1')
-          expect(package.original_build_info.pipeline).to eq(ci_build.pipeline)
+      context 'when valid deploy token is used' do
+        it_behaves_like 'creates a package and package file' do
+          let(:auth_header) { deploy_token_header(deploy_token_wo.token) }
+          let(:should_set_build_info) { false }
+        end
+      end

-          package_file = package.package_files.last
-          expect(package_file.file_name).to eq('myfile.tar.gz')
+      context 'when valid job token is used' do
+        it_behaves_like 'creates a package and package file' do
+          let(:auth_header) { job_token_header }
+          let(:should_set_build_info) { true }
        end
      end

@@ -309,21 +413,37 @@ RSpec.describe API::GenericPackages do
      where(:project_visibility, :user_role, :member?, :authenticate_with, :expected_status) do
        'PUBLIC'  | :developer | true  | :personal_access_token         | :success
        'PUBLIC'  | :guest     | true  | :personal_access_token         | :success
+        'PUBLIC'  | :developer | true  | :user_basic_auth               | :success
+        'PUBLIC'  | :guest     | true  | :user_basic_auth               | :success
        'PUBLIC'  | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :developer | false | :personal_access_token         | :success
        'PUBLIC'  | :guest     | false | :personal_access_token         | :success
+        'PUBLIC'  | :developer | false | :user_basic_auth               | :success
+        'PUBLIC'  | :guest     | false | :user_basic_auth               | :success
        'PUBLIC'  | :developer | false | :invalid_personal_access_token | :unauthorized
        'PUBLIC'  | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PUBLIC'  | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PUBLIC'  | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PUBLIC'  | :anonymous | false | :none                          | :unauthorized
        'PRIVATE' | :developer | true  | :personal_access_token         | :success
        'PRIVATE' | :guest     | true  | :personal_access_token         | :forbidden
+        'PRIVATE' | :developer | true  | :user_basic_auth               | :success
+        'PRIVATE' | :guest     | true  | :user_basic_auth               | :forbidden
        'PRIVATE' | :developer | true  | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | true  | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | true  | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | true  | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :developer | false | :personal_access_token         | :not_found
        'PRIVATE' | :guest     | false | :personal_access_token         | :not_found
+        'PRIVATE' | :developer | false | :user_basic_auth               | :not_found
+        'PRIVATE' | :guest     | false | :user_basic_auth               | :not_found
        'PRIVATE' | :developer | false | :invalid_personal_access_token | :unauthorized
        'PRIVATE' | :guest     | false | :invalid_personal_access_token | :unauthorized
+        'PRIVATE' | :developer | false | :invalid_user_basic_auth       | :unauthorized
+        'PRIVATE' | :guest     | false | :invalid_user_basic_auth       | :unauthorized
        'PRIVATE' | :anonymous | false | :none                          | :unauthorized
        'PUBLIC'  | :developer | true  | :job_token                     | :success
        'PUBLIC'  | :developer | true  | :invalid_job_token             | :unauthorized
@@ -347,6 +467,21 @@ RSpec.describe API::GenericPackages do
          expect(response).to have_gitlab_http_status(expected_status)
        end
      end
+
+      where(:authenticate_with, :expected_status) do
+        :deploy_token_rw      | :success
+        :deploy_token_wo      | :success
+        :deploy_token_ro      | :success
+        :invalid_deploy_token | :unauthorized
+      end
+
+      with_them do
+        it "responds with #{params[:expected_status]}" do
+          download_file(deploy_token_auth_header)
+
+          expect(response).to have_gitlab_http_status(expected_status)
+        end
+      end
    end

    context 'event tracking' do