Remove group and project params from runner install

What does this MR do?

In https://gitlab.com/gitlab-org/gitlab/-/issues/326018, we have discovered an issue where instance registration tokens were shown incorrectly to instance admins on groups CI/CD settings.

This did not show any information that users didn't already have access to, but it did reveal the security risk posed by programmatic access to registration tokens. A similar mistake that would show an instance token to everyone is a very real risk with huge implications.

So let's prevent this from happening by removing programmatic access to those tokens. The installation instructions work just as well if the token is not prefilled and has a placeholder like <paste your registration token here> instead.

This MR cleans up the methods made redundant by !57524 (merged), updates the specs, and deprecates projectId and groupId in the GraphQL query, as those parameters are no longer used. The Runner installation instructions no longer depend on the user, project ID, or group ID.

Follow-up: we should update the frontend component to support the new GraphQL query and clean up the project/group parameters there as well. @mrincon will take care of this.

Does this MR meet the acceptance criteria?

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Part of #326102 (closed)

Edited by Pedro Pombeiro