Fix CI_JOB_TOKEN storage and removal of credentials
-
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do?
This MR fixes credential management:
- Avoid erasing User defined credential
- Avoid storing CI_JOB_TOKEN
Why was this MR needed?
In the following example setup:
- Windows 11 (desktop)
- gitlab-runner configured with shell executor, started by User
- git User config
git config --listshows at least onecredential.helper(typicallycredential.helper=manager) - User's personal credentials are stored in Windows Credential Manager
git:https://gitlab.com,username=my_token,password=***
-
previous gitlab-runner.exe, FF_GIT_URLS_WITHOUT_TOKENS = false
- User personal credentials in Windows Credential Manager
git:https://gitlab.com,username=my_tokenis not erased -
⚠️ A Windows Credential Manager entrygit:https://gitlab-ci-token.gitlab.com,username=gitlab-ci-tokenis created and remains after the pipeline job finishes.
- User personal credentials in Windows Credential Manager
-
previous gitlab-runner.exe, FF_GIT_URLS_WITHOUT_TOKENS = true
-
⚠️ User personal credentials are removed! (Allgit:https://gitlab.comentries are erased) -
⚠️ A Windows Credential Manager entrygit:https://gitlab.com,username=gitlab-ci-tokenis created and remains after the pipeline job finishes.
Running the older gitlab-runner.exe with environment variable GIT_TRACE=2 produces the following output (filtered on git credential)
git.c:476 trace: built-in: git credential reject run-command.c:668 trace: run_command: 'git credential-manager erase' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager erase' 'git credential-manager-erase' run-command.c:668 trace: run_command: 'git credential-manager erase' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager erase' 'git credential-manager-erase' run-command.c:668 trace: run_command: 'git credential-manager get' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager get' 'git credential-manager get' run-command.c:668 trace: run_command: 'git credential-manager get' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager get' 'git credential-manager get' run-command.c:668 trace: run_command: 'git credential-manager store' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager store' 'git credential-manager store' run-command.c:668 trace: run_command: 'git credential-manager store' run-command.c:929 trace: start_command: 'C:/Program Files/Git/usr/bin/sh.exe' -c 'git credential-manager store' 'git credential-manager store'We can see that git credential erase in the code is performed first. Later, store is executed for each configured credential.helper
git code highlight: https://github.com/git/git/blob/v2.49.0-rc2/credential.c#L560-L561 -
-
Patched gitlab-runner.exe, FF_GIT_URLS_WITHOUT_TOKENS = true
- User personal credentials in Windows Credential Manager
git:https://gitlab.com,username=my_tokenis not erased - CI_JOB_TOKEN is not stored, as only credential.helper credHelperCommand is executed, due to credential.helper being initialized to an empty string first. It's no longer necessary to call
git credential reject
- User personal credentials in Windows Credential Manager
What's the best way to test this MR?
What are the relevant issue numbers?
#38301 (closed)
Might fix #36952 (closed) as user config will be ignored
Related to gitlab-org/ci-cd/runner-tools/base-images#4
Edited by Guillaume Chauvel