Add support for PAT masking in trace
What does this MR do?
This MR adds masking for token using a predefined prefix.
As for now, the prefixes runner is looking for are set through GitLabFeatures
property TokenMaskPrefixes
. This variable is a list of string and is sent through the JobResponse
object. GitLab Runner will then mask all the {prefix}{alphabet} where the alphabet is all the sane characters we would expect to see in a token.
All the sane characters are the following:
Sane characters
-, .,
0, 1, 2, 3, 4, 5, 6,
7, 8, 9,
A, B, C, D, E, F, G,
H, I, J, K, L, M, N,
O, P, Q, R, S, T, U,
V, W, X, Y, Z,
_,
a, b, c, d, e, f, g,
h, i, j, k, l, m, n,
o, p, q, r, s, t, u,
v, w, x, y, z,
=,
Why was this MR needed?
This MR is needed to ensure all the PAT token are masked
What's the best way to test this MR?
All tests in Test stage must succeed
glpat-
token mask prefix
Manual Test for the gitlab-ci.yaml
test:
script:
- echo "Lorem ipsum dolor sit amet, ex ea commodo glpat-imperdiet in voluptate velit esse"
- echo "Lorem ipsum dolor sit amet, ex ea commodo in voluptate velit esseglpat-imperdiet"
- echo "Lorem ipsum dolor sit glpat-amet, ex ea glpat-commodo in voluptate velit esse glpat-imperdiet"
- echo "Lorem ipsum dolor sit amet, ex ea commodo in voluptate velit esse glpat-imperdiet"
- echo "Lorem ipsum dolor sit amet, ex ea glpat-commodo in voluptate velit esseglpat-imperdiet"
- echo "glpat-imperdiet Lorem ipsum dolor sit amet, ex ea commodo in voluptate velit esse"
- echo "esseglpat-imperdiet end Lglpat-orem ipsum dolor sit amet, ex ea commodo in voluptate velit"
- echo "Excepteur sint occaecat cupidatat non proident, glpat-iglpat-imperdiet sunt in culpa qui officia deserunt mollit anim id est laborum."
config.toml
concurrent = 1
check_interval = 1
log_level = "debug"
[session_server]
session_timeout = 1800
[[runners]]
url = "https://gitlab.com/"
token = "__TOKEN__"
executor = "kubernetes"
[runners.kubernetes]
image = "alpine:latest"
terminationGracePeriodSeconds = 0
[runners.kubernetes.affinity]
[runners.kubernetes.volumes]
[runners.kubernetes.dns_config]
glpat-
prefixed tokens are well masked as seen in the following log
What are the relevant issue numbers?
Edited by Romuald Atchadé