Respect partition prefix for runner tokens
Problem
We don't recognize the latest runner token in config/ruleset/session_token.json
Why
We expected the runner token to be prefixed with glrt- (see #70 (closed)).
However, it's also prefixed with the "partition prefix" t{1,2,3}_ (see gitlab-org/gitlab!168017 (merged)).
We can see that when we try to update runner token to be routable: gitlab-org/gitlab!170634 (merged)
What kinds of runner tokens are there?
It seems that there are a few different types of runner tokens:
- (deprecated) Runner registration token (looks like GRXX_XX)
  - This token is not routable and can only work in the legacy cell
  - This token is used to register a new runner
- (deprecated) Runner token from a runner registered via a registration token
  - This token doesn't have the glrt- prefix.
  - It can have a partition prefix t{1,2,3}_ if it's generated after gitlab-org/gitlab!168017 (merged) (it looks like t3_XXX or XXX)
    - This token is not routable either way because we haven't made runner tokens routable at this point yet
  - After we enable feature flag routable_runner_token to generate routable runner tokens, it must be after the partition prefix, so it will have the partition prefix t{1,2,3}_ (it looks like t3_XXXX.XX)
    - This token is routable, but given the current rules, it'll be treated like a personal access token, because t3_ is interpreted as the personal access token prefix.
- Standard runner token (looks like glrt-t3_XXX when not routable and glrt-t3_XXXX.XX when routable)
  - This token has 2 prefixes: glrt- and t{1,2,3}_
  - This token can be routable if we enable feature flag routable_runner_token
A short breakdown:
- (not routable) Registration token: GRXX_XX
- (not routable) Older runner token: XXX
- (not routable) Old runner token: t3_XXX
- (not routable) Standard runner token: glrt-t3_XXX
- (routable) Old runner token: t3_XXXX.XX
- (routable) Standard runner token: glrt-t3_XXXX.XX
This means we have to take into account that:
- glrt- might not be always there
- It must have t{1,2,3}_ prefix!
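An added example (not code from the issue or the project) that runs the six token shapes from the breakdown through the current and the proposed regex_value of config/ruleset/session_token.json and reports what each rule captures as payload. The sample tokens are constructed filler values, and capture and compareRules are hypothetical helper names.

```javascript
// Added example, not project code. The two patterns are the regex_value
// strings from the diff with the JSON string escaping removed.
const OLD_RULE =
  /^glrt-(?<payload>[0-9A-Za-z_-]{27,300})\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$/;
const NEW_RULE =
  /^(glrt-)?t\d+_(?<payload>[0-9A-Za-z_-]{27,300})\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$/;

// Constructed filler values that only mimic the shapes in the breakdown.
const BODY = "A".repeat(27);         // minimum length of the payload group
const TAIL = ".0f" + "0".repeat(7);  // ".", 2-char length field, 7 more chars
const SAMPLES = {
  registration: "GRXX_" + BODY,
  olderRunner: BODY,
  oldRunner: "t3_" + BODY,
  standardRunner: "glrt-t3_" + BODY,
  oldRunnerRoutable: "t3_" + BODY + TAIL,
  standardRunnerRoutable: "glrt-t3_" + BODY + TAIL,
};

// Hypothetical helper: the payload a rule would capture, or null on no match.
function capture(rule, token) {
  const m = rule.exec(token);
  return m ? m.groups.payload : null;
}

// Hypothetical helper: run every sample through both rules.
function compareRules(samples = SAMPLES) {
  const rows = {};
  for (const [shape, token] of Object.entries(samples)) {
    rows[shape] = {
      oldRule: capture(OLD_RULE, token),
      newRule: capture(NEW_RULE, token),
    };
  }
  return rows;
}

console.table(compareRules());
```

With the current rule, a glrt-t3_ token matches but the partition prefix ends up inside the captured payload, and the bare t3_ form does not match at all. The proposed rule captures the same payload for both routable forms and still ignores the four non-routable shapes.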
Proposed change
diff --git a/config/ruleset/session_token.json b/config/ruleset/session_token.json
index 8dd612c..0fa5a70 100644
--- a/config/ruleset/session_token.json
+++ b/config/ruleset/session_token.json
@@ -63,7 +63,7 @@
"match": {
"type": "header",
"name": "private-token",
- "regex_value": "^glrt-(?<payload>[0-9A-Za-z_-]{27,300})\\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$"
+ "regex_value": "^(glrt-)?t\\d+_(?<payload>[0-9A-Za-z_-]{27,300})\\.(?<payload_length>[0-9a-z]{2})[0-9a-z]{7}$"
},
"transform": {
"type": "routable-token-payload",
References
- This was discovered when we were trying to record a demo for running CI jobs in another cell: gitlab-org&15281 (comment 2367766834)