Skip to content

feat: add token prefix

Max Wittig requested to merge siemens/gitlab:feat/token-prefix into master

What does this MR do?

This merge requests adds a prefix to every personal access token, which makes it easier to distinguish them from other tokens and also makes it possible to find them using tools like gitleaks, which in turn uses rules to identify keys.

AWS also uses a prefix to identify their keys: AKIAIOSFODNN7EXAMPLE

🛠 with at Siemens

Screenshots

image

Database

$ bin/rake db:migrate

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrating =
-- add_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0016s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: migrated (0.0017s)

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrating
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0003s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_718b4458ae\nCHECK ( char_length(personal_access_token_prefix) <= 20 )\nNOT VALID;\n")
   -> 0.0026s
-- current_schema()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0002s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_718b4458ae;")
   -> 0.0013s
-- execute("RESET ALL")
   -> 0.0002s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: migrated (0.0139s)
$ bin/rake db:rollback STEP=2

== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverting
-- execute("ALTER TABLE application_settings\nDROP CONSTRAINT IF EXISTS check_718b4458ae\n")
   -> 0.0009s
== 20201119133604 AddTextLimitToApplicationSettingPersonalAccessTokenPrefix: reverted (0.0039s)

== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverting =
-- remove_column(:application_settings, :personal_access_token_prefix, :text)
   -> 0.0023s
== 20201119133534 AddPersonalAccessTokenPrefixToApplicationSetting: reverted (0.0024s)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

@gitlab-com/gl-security/appsec security

Edited by Diego Louzán

Merge request reports

Loading