# GitLab Auth in publish:gitlab action

11 messages · Page 1 of 1 (latest)

edgy pulsar
#

Hey!

I started to work with the scaffolder and have some questions about the publish:gitlab action.

So I created an App in our GitLab and configured Backstage to include GitLab auth. When I use the RepoUrlPicker, it generates a "Login Required" popup for GitLab when I'm not already logged in - this works.

But then, in my action, I want only logged-in users who have permission to the repo to be able to publish a project.

- id: publish
  name: Publish
  action: publish:gitlab
  input:
    allowedHosts: ['gitlab.mycompany.com']
    repoUrl: ${{ parameters.RepoUrlPicker }}
    token: ${{ secrets.USER_OAUTH_TOKEN }}
    settings:
      visibility: private
    defaultBranch: develop
    setUserAsOwner: true
    gitCommitMessage: "Initial commit"

The problem: When I log in as a guest and cancel the RepoUrlPicker popup, I am still able to publish a project to GitLab. Shouldn't the token property ensure that only logged-in users are able to do so?
Also, publishing does not work, even when I'm logged in, whenever setUserAsOwner is active.

I want: Only GitLab-authenticated users should be able to publish to a repo which belongs to them.
Problem: A guest without any login can publish to GitLab (because of the integration token? Or why..)

#

Tested in a new private incognito tab without cookies with a guest user

#

Gitlab auth config:

auth:
  environment: development
  session:
    secret: TEST
  providers:
    microsoft:
      development:
        clientId: ${AUTH_MICROSOFT_CLIENT_ID}
        clientSecret: ${AUTH_MICROSOFT_CLIENT_SECRET}
        tenantId: ${AUTH_MICROSOFT_TENANT_ID}
    gitlab:
      development:
        clientId: XXXXX
        clientSecret: XXXXX
        audience: https://gitlab.mycompany.com

App.tsx:
{
  id: 'gitlab-auth-provider',
  title: 'my GitLab',
  message: 'Sign in using GitLab',
  apiRef: gitlabAuthApiRef
}

backend - auth.ts:

gitlab: providers.gitlab.create({
  signIn: {
    ......

#

app - apis.ts:

export const apis: AnyApiFactory[] = [
  createApiFactory({
    api: scmIntegrationsApiRef,
    deps: { configApi: configApiRef },
    factory: ({ configApi }) => ScmIntegrationsApi.fromConfig(configApi),
  }),
  createApiFactory({
    api: scmAuthApiRef,
    deps: {
      gitlabAuthApi: gitlabAuthApiRef,
    },
    factory: ({ gitlabAuthApi }) => ScmAuth.forGitlab(gitlabAuthApi),
  }),
];

wheat field
#

This is most likely caused by the fact that you have a GITLAB_TOKEN set for the catalog in integrations.gitlab, so it will fall back to using that in the action. There are a few ways to fix this: you could deploy the scaffolder backend plugin separately, so that it doesn't have the same app config, or you could create an action which validates that ${{ secrets.USER_OAUTH_TOKEN }} is set and will fail if not, causing the flow to break.
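The "validating action" suggested above, as an added example that is not from this thread or from Backstage itself: a guard step placed before publish:gitlab that fails the template when the user's OAuth secret is absent, so the run can never silently fall back to the integration token. Registering it via createTemplateAction from @backstage/plugin-scaffolder-node is assumed and omitted so the check itself runs stand-alone; the action id `gitlab:require-user-token` is hypothetical.

```typescript
// Added example, not Backstage's own code. The core check is a pure
// function so it can be unit-tested without a scaffolder runtime.

class MissingUserTokenError extends Error {
  constructor(secretName: string) {
    super(`Secret ${secretName} is not set: sign in to GitLab before publishing`);
    this.name = 'MissingUserTokenError';
  }
}

// Minimal shape of the context a scaffolder action handler receives
// (assumption: only the fields this guard needs are modelled).
interface ActionContext {
  secrets?: Record<string, string | undefined>;
  logger: { info: (msg: string) => void };
}

// Returns the user's token or throws. There is deliberately no fallback
// to any integration-level token: an empty or blank value also fails.
function requireUserToken(
  secrets: Record<string, string | undefined> | undefined,
  secretName = 'USER_OAUTH_TOKEN',
): string {
  const token = secrets?.[secretName]?.trim();
  if (!token) {
    throw new MissingUserTokenError(secretName);
  }
  return token;
}

// Handler body for the hypothetical `gitlab:require-user-token` action.
// In a template it would sit directly before the publish:gitlab step:
//
//   - id: require-token
//     name: Require GitLab login
//     action: gitlab:require-user-token
//   - id: publish
//     action: publish:gitlab
//     input:
//       token: ${{ secrets.USER_OAUTH_TOKEN }}
//       ...
async function requireUserTokenHandler(ctx: ActionContext): Promise<void> {
  requireUserToken(ctx.secrets);
  ctx.logger.info('GitLab user token present; continuing to publish');
}
```

A guest who cancelled the login popup reaches this step with no USER_OAUTH_TOKEN in `ctx.secrets`, so the template fails here instead of publishing with the catalog's token.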

edgy pulsar
#

Thanks for the advice @wheat field
Hmm okay, I think I will try the secret validation - because I don't want to split the backends - sounds good. It's a pity that it uses the integration token..

wheat field
#

which would probably fail the template for you

edgy pulsar
#

This is working well - thanks 🙂 I can live with that @wheat field

#

But I still have the problem that
setUserAsOwner: true
is not working. Even when I log in with my user and try to publish with that option enabled, I get the following error:

2024-02-01T13:24:04.163Z Beginning step Write
2024-02-01T13:24:04.167Z Writing catalog-info.yaml
2024-02-01T13:24:04.168Z Finished step Write
2024-02-01T13:24:04.169Z Beginning step Publish
2024-02-01T13:24:05.849Z HTTPError: Response code 403 (Forbidden)

Can I debug this action somehow? Do you have an idea why it is forbidden? I know I have permission to publish to my selected repo.

#

The action is able to create an empty repo in my GitLab - but it is not pushing any code into it.