Add write repository scope for personal access tokens
Problem to solve
Currently the only personal access token scope that grants write access is api, which allows changing all content and can easily lead to a security breach. We need to split repository write access out of the api scope so that users have finer control over the scopes of their access tokens.
Target audience
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Further details
A GitLab user (with the owner role for this use case) wants to change the content of a git repository (i.e. push commits, create tags) from the CLI.
The user needs to create an access token with the api scope, which is currently the only scope that also allows changing the git repository.
The user pushes the changes to a protected branch/tag, and GitLab rejects the push.
The user can use the same access token to change the protected branch/tag settings of the project via API calls.
The user can now push the changes to the repository.
If the access token is leaked, whoever obtains it can manipulate every project/group the user has access to (create, delete, move, membership, protected branches/tags). This can easily become a major security issue. It can be mitigated by offering more scopes with limited access; in this case a repository write permission alone would be enough to cover the need to change only the git repository.
Proposal
The problem can be solved by splitting the repository write permissions out of the api scope into a new write_repository scope. The new scope will include the read_repository scope to ensure complete (read-write) access to the git repository, and will in turn be included in the api scope so that all existing tokens keep working as expected after the change.
Permissions and Security
The change does not require any change to the permissions concept, and it increases security by providing finer granularity and better control over the scopes of access tokens.
Documentation
What does success look like, and how can we measure that?
A user who created an access token with the write_repository scope will be able to make all changes to the git repository that the user's role in the project allows.
The same access token with the write_repository scope cannot be used to make any API calls:
{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api"}
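The scope relation the proposal describes (api includes write_repository, which includes read_repository) and the resulting accept/reject decision, as an added illustrative model written for this note rather than GitLab's own code. The action-to-scope mapping and the action names are assumptions; the error body copies the shape quoted above.

```ruby
require 'json'
require 'set'

# Scope inclusion as the proposal describes it: api includes write_repository,
# which in turn includes read_repository. Illustrative model, not GitLab's code.
SCOPE_INCLUDES = {
  'api' => ['write_repository'],
  'write_repository' => ['read_repository'],
  'read_repository' => []
}.freeze

# Minimum scope each kind of request needs (assumed mapping for this example).
REQUIRED_SCOPE = {
  git_fetch: 'read_repository',
  git_push: 'write_repository',
  api_protected_branches: 'api'
}.freeze

# Expand the granted scopes through the inclusion relation (transitive closure),
# so a token with only api is also treated as having both repository scopes.
def effective_scopes(granted)
  result = Set.new
  stack = granted.dup
  until stack.empty?
    scope = stack.pop
    next if result.include?(scope)
    result << scope
    stack.concat(SCOPE_INCLUDES.fetch(scope, []))
  end
  result
end

# Returns nil when the token may perform the action, otherwise the error body
# in the shape quoted in the proposal (scope names the minimum scope needed).
def authorize(granted, action)
  needed = REQUIRED_SCOPE.fetch(action)
  return nil if effective_scopes(granted).include?(needed)
  {
    'error' => 'insufficient_scope',
    'error_description' => 'The request requires higher privileges than provided by the access token.',
    'scope' => needed
  }
end

if __FILE__ == $PROGRAM_NAME
  token = ['write_repository']
  REQUIRED_SCOPE.each_key { |a| puts "#{a}: #{authorize(token, a).to_json}" }
end
```

A write_repository token passes git_push and git_fetch but is refused for the protected-branch API call, while an existing api token still passes everything.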