api: add specific connection checking with job token

445a5163 · Geoffrey Arthaud · 3657f7c9 · 445a5163 · 445a5163
Unverified Commit 445a5163 authored 1 year ago by Geoffrey Arthaud
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+# v0.1609.2 (unreleased)
+## Fixes
+  * Job token authentication is now compliant with its limited permissions.
 # v0.1609.1
 ## Fixes

--- a/src/auth.rs
+++ b/src/auth.rs
@@ -7,8 +7,10 @@
 use http::{HeaderMap, HeaderValue};
 use log::error;
 use serde::Deserialize;
+use std::env;
 use thiserror::Error;
+use crate::api::projects::packages::Packages;
 use crate::api::users::CurrentUser;
 use crate::api::{self, AsyncQuery, Query};
@@ -20,6 +22,22 @@ pub enum AuthError {
        #[from]
        source: http::header::InvalidHeaderValue,
    },
+    /// The CI environment is misconfigured
+    #[error("CI environment is missing `CI_PROJECT_ID`")]
+    CiEnvironmentMissing,
+    /// The CI environment is misconfigured
+    #[error("CI environment has a non-integer `CI_PROJECT_ID`")]
+    CiEnvironmentInvalid,
+}
+impl AuthError {
+    fn ci_environment_missing() -> Self {
+        Self::CiEnvironmentMissing
+    }
+    fn ci_environment_invalid() -> Self {
+        Self::CiEnvironmentInvalid
+    }
 }
 #[derive(Deserialize, Debug)]
@@ -85,11 +103,18 @@ impl Auth {
    where
        C: api::Client,
    {
-        if let Self::None = self {
+        match self {
-            // There does not seem to be an unparameterized endpoint that can be used to reliably
+            Self::None => {
-            // detect whether the connection will work or not.
+                // There does not seem to be an unparameterized endpoint that can be used to reliably
-        } else {
+                // detect whether the connection will work or not.
-            let _: UserPublic = CurrentUser::builder().build().unwrap().query(api)?;
+            },
+            Self::JobToken(_) => {
+                let project_id = Self::_ci_project_id()?;
+                api::ignore(Packages::builder().project(project_id).build().unwrap()).query(api)?;
+            },
+            Self::Token(_) | Self::OAuth2(_) => {
+                let _: UserPublic = CurrentUser::builder().build().unwrap().query(api)?;
+            },
        }
        Ok(())
@@ -99,17 +124,33 @@ impl Auth {
    where
        C: api::AsyncClient + Sync,
    {
-        if let Self::None = self {
+        match self {
-            // There does not seem to be an unparameterized endpoint that can be used to reliably
+            Self::None => {
-            // detect whether the connection will work or not.
+                // There does not seem to be an unparameterized endpoint that can be used to reliably
-        } else {
+                // detect whether the connection will work or not.
-            let _: UserPublic = CurrentUser::builder()
+            },
-                .build()
+            Self::JobToken(_) => {
-                .unwrap()
+                let project_id = Self::_ci_project_id()?;
-                .query_async(api)
+                api::ignore(Packages::builder().project(project_id).build().unwrap())
-                .await?;
+                    .query_async(api)
+                    .await?;
+            },
+            Self::Token(_) | Self::OAuth2(_) => {
+                let _: UserPublic = CurrentUser::builder()
+                    .build()
+                    .unwrap()
+                    .query_async(api)
+                    .await?;
+            },
        }
        Ok(())
    }
+    fn _ci_project_id() -> Result<u64, AuthError> {
+        env::var("CI_PROJECT_ID")
+            .map_err(|_| AuthError::ci_environment_missing())?
+            .parse::<u64>()
+            .map_err(|_| AuthError::ci_environment_invalid())
+    }
 }