Skip to content

Disable Personal Access Tokens in FIPS mode

Drew Blessing requested to merge dblessing_disable_pats into master

What does this MR do and why?

Fixes #351350 (closed)

Describe in detail what your merge request does and why.

This MR disables the use of Personal Access Tokens of all types, including user PATs, group access tokens, project access tokens and impersonation tokens. Existing tokens will still exist in the database but cannot be used. This ensures the enablement/disablement are reversible. In the future we may implement a mechanism to revoke all existing PATs.

A subsequent MR (!98702 (merged)) will block creation of all PAT types.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

This change disabled PAT authentication for all types - personal, group and projects.

How to set up and validate locally

  1. Enable FIPS mode in your instance. For GDK:
    FIPS_MODE=1 gdk restart
  2. Create a personal access token via user profile -> Access Tokens.
  3. Attempt to use the token. You will receive access denied.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing

Merge request reports

Loading