Add write repository scope for personal access tokens (#58847) · Issues · GitLab.org / GitLab FOSS

Add write repository scope for personal access tokens

Problem to solve

Currently the personal access tokens support only api scope with permission to change all content which can easily lead to a security breach. We need to split the scope for writing repository out of to API scope and ensure that the user can have better control over the access tokens scope.

Target audience

Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst

Further details

A Gitlab user (with owner role for this UC) wants to change the content of a git repository (ie. push commits, create tags) from cli.
The user needs to create an access token with api scope that is the only scope currently that also allows to change the git repository.
The user is pushing the changes to a protected branch/tag which are rejected by Gitlab.

The user can use the same access token to change the protected branches/tags settings for the project using API calls.
The user can now push the changes to the repository.

If the access token is leaked and looses the privacy then the other person that gains access to it can manipulate all projects/groups where the user has access (create, delete, move, membership, protected branches/tags). This can easily become a major security issue, which can be mitigated by providing more scopes with limited access for the user, in this case only repository write permissions would be enough to cover the need of only changing the git repository.

Proposal

The problem can be solved by splitting the repository write permissions out of the api scope as a new write_repository scope. The new scope will include the read_repository scope to ensure complete access (read-write) to the git repository and at the same time will be included in the api scope to ensure that all existing token will work as expected after the change.

Permissions and Security

The change would not require any change in the permissions concept and will increase the security by providing a smaller granularity and better control over the scopes of the access tokens.

Documentation

What does success look like, and how can we measure that?

A user that created an access token with the write_repository scope will have permissions to do all the changes to the git repository as defined by the role of the user in the project.

The same access token with the write_repository scope can not be used to make any API calls:

{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api"}

Links / references

### Problem to solve

Currently the personal access tokens support only `api` scope with permission to change all content which can easily lead to a security breach. We need to split the scope for writing repository out of to API scope and ensure that the user can have better control over the access tokens scope.

### Target audience

<!--- For whom are we doing this? Include a [persona](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/)
listed below, if applicable, along with its [label](https://gitlab.com/groups/gitlab-org/-/labels?utf8=%E2%9C%93&subscribed=&search=persona%3A),
or define a specific company role, e.g. "Release Manager".

Existing personas are: (copy relevant personas out of this comment, and delete any persona that does not apply)

- Parker, Product Manager, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#parker-product-manager

- Delaney, Development Team Lead, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#delaney-development-team-lead

- Sasha, Software Developer, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sasha-software-developer

- Devon, DevOps Engineer, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#devon-devops-engineer

- Sidney, Systems Administrator, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sidney-systems-administrator

- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
-->

- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst

### Further details

A Gitlab user (with owner role for this UC) wants to change the content of a git repository (ie. push commits, create tags) from cli. \
The user needs to create an access token with `api` scope that is the only scope currently that also allows to change the git repository. \
The user is pushing the changes to a protected branch/tag which are rejected by Gitlab.

The user can use the same access token to change the protected branches/tags settings for the project using API calls. \
The user can now push the changes to the repository.

### Proposal

The problem can be solved by splitting the repository write permissions out of the `api` scope as a new `write_repository` scope. The new scope will include the `read_repository` scope to ensure complete access (read-write) to the git repository and at the same time will be included in the `api` scope to ensure that all existing token will work as expected after the change.

### Permissions and Security

The change would not require any change in the permissions concept and will increase the security by providing a smaller granularity and better control over the scopes of the access tokens.

### Documentation

### What does success look like, and how can we measure that?

A user that created an access token with the `write_repository` scope will have permissions to do all the changes to the git repository as defined by the role of the user in the project.

The same access token with the `write_repository` scope can not be used to make any API calls:
```
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api"}
```

### Links / references

Discussion
Designs