
Add support for PAT masking in trace

Romuald Atchadé requested to merge mask-pat-token into main

What does this MR do?

This MR adds masking for tokens using a predefined prefix.

For now, the prefixes the runner looks for are set through the GitLabFeatures property TokenMaskPrefixes. This variable is a list of strings and is sent through the JobResponse object. GitLab Runner will then mask all the {prefix}{alphabet} matches, where the alphabet is all the sane characters we would expect to see in a token.

All the sane characters are the following:

Sane characters
-, .
0, 1, 2, 3, 4, 5, 6, 7, 8, 9
A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
_
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z
=

Why was this MR needed?

This MR is needed to ensure all PAT tokens are masked.

What's the best way to test this MR?

All tests in Test stage must succeed

Manual Test for the glpat- token mask prefix

gitlab-ci.yaml
test:
  script:
    - echo "Lorem ipsum dolor sit amet, ex ea commodo glpat-imperdiet in voluptate velit esse"
    - echo "Lorem ipsum dolor sit amet, ex ea commodo  in voluptate velit esseglpat-imperdiet"
    - echo "Lorem ipsum dolor sit glpat-amet, ex ea glpat-commodo  in voluptate velit esse glpat-imperdiet"
    - echo "Lorem ipsum dolor sit amet, ex ea commodo  in voluptate velit esse glpat-imperdiet"
    - echo "Lorem ipsum dolor sit amet, ex ea glpat-commodo  in voluptate velit esseglpat-imperdiet"
    - echo "glpat-imperdiet Lorem ipsum dolor sit amet, ex ea commodo  in voluptate velit esse"
    - echo "esseglpat-imperdiet end Lglpat-orem ipsum dolor sit amet, ex ea commodo  in voluptate velit"
    - echo "Excepteur sint occaecat cupidatat non proident, glpat-iglpat-imperdiet sunt in culpa qui officia deserunt mollit anim id est laborum."

config.toml
concurrent = 1
check_interval = 1
log_level = "debug"

[session_server]
  session_timeout = 1800

[[runners]]
  url = "https://gitlab.com/"
  token = "__TOKEN__"
  executor = "kubernetes"
  [runners.kubernetes]
    image = "alpine:latest"
    terminationGracePeriodSeconds = 0
    [runners.kubernetes.affinity]
    [runners.kubernetes.volumes]
    [runners.kubernetes.dns_config]

glpat- prefixed tokens are well masked as seen in the following log

What are the relevant issue numbers?

close https://gitlab.com/gitlab-org/gitlab/-/issues/372796

Edited by Romuald Atchadé
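
The {prefix}{alphabet} rule from the description, as an added Go example that is not GitLab Runner's own code. It goes one step beyond the description by handling a prefix or token body that is split across two chunks of trace output; the `Masker` type, its `Write` method and the `[MASKED]` replacement text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Token body characters from the MR description; the mask text is an assumption.
const tokenAlphabet = "-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz="
const mask = "[MASKED]"
// Masker is a hypothetical streaming masker; Write returns what is safe to emit.
type Masker struct {
	prefixes []string // non-empty prefixes such as "glpat-"
	held     string   // unemitted tail that may be the start of a prefix
	inToken  bool     // a token body was still running when the last chunk ended
}

func (m *Masker) Write(chunk string) string {
	out, s := "", m.held+chunk
	for {
		if m.inToken { // drop the token body, which may continue in the next chunk
			s = strings.TrimLeft(s, tokenAlphabet)
			m.inToken = s == ""
		}
		at, plen := -1, 0
		for _, p := range m.prefixes { // earliest prefix occurrence wins
			if i := strings.Index(s, p); i >= 0 && (at < 0 || i < at) {
				at, plen = i, len(p)
			}
		}
		if at < 0 {
			break
		}
		out += s[:at+plen] + mask
		s, m.inToken = s[at+plen:], true
	}
	keep := 0 // longest tail of s that is a proper prefix of some token prefix
	for _, p := range m.prefixes {
		for k := len(p) - 1; k > keep; k-- {
			if strings.HasSuffix(s, p[:k]) {
				keep = k
			}
		}
	}
	m.held = s[len(s)-keep:]
	return out + s[:len(s)-keep]
}

var demo = &Masker{prefixes: []string{"glpat-"}} // constructed input, split mid-prefix
func main() { fmt.Println(demo.Write("velit esse gl") + demo.Write("pat-imperdiet, end")) }
```

Because `.` is part of the alphabet, a sentence-ending period directly after a token is masked together with it, and anything still in `held` when the job ends has to be emitted by the caller.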
