GitLab.com Group access tokens continue working after group loses ability to revoke them
Summary
Context
Group access tokens on GitLab.com are only available to organizations on a Premium/Ultimate plan.
Problem
GitLab.com group access tokens can be created for groups with a paid subscription.
Once the paid subscription ends, the group access tokens continue working as before, but there's no way for the end user to revoke them.
This is a problem because if a subscription expires and a Group access token created during a paid subscription is leaked, the group access token will continue providing privileged access to group resources after the group members have lost their ability to revoke these tokens.
Steps to reproduce
- Create group on GitLab.com.
- Have Support switch that Group's plan to Premium/Premium Trial or Ultimate/Ultimate Trial.
- Create a Group Access Token (note: the default is no expiration date 😅).
- Verify that the group access token works by making an API request to an endpoint that requires authentication/authorization (e.g. query a private project in the group).
- Have Support change the Group's plan back to Free
- Verify that the group access token still works
- Verify that Group access token cannot be revoked via the UI or the API
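The verification steps above, as an added curl script that is not part of the original issue. It uses GitLab's documented v4 endpoints (`GET /groups/:id/projects` as the authentication probe, `GET /groups/:id/access_tokens` to list the group's tokens, and `DELETE /groups/:id/access_tokens/:token_id` to attempt revocation); the environment variable names `GITLAB_URL`, `GITLAB_GROUP`, `GITLAB_TOKEN` and `GITLAB_TOKEN_ID` are this script's own assumptions. Whatever credential is placed in `GITLAB_TOKEN` is sent on all three requests, so put the token under test there to check whether it still authenticates, and an Owner's credential there if you want to check whether revocation is possible from an account that should be allowed to revoke.

```shell
#!/bin/sh
# Added example (not from the GitLab issue): reproduce the "token still works"
# and "token cannot be revoked" checks with curl against the v4 API.
# Assumption: GITLAB_URL, GITLAB_GROUP (numeric ID or full path), GITLAB_TOKEN
# and optionally GITLAB_TOKEN_ID are supplied by the caller.
set -eu

GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"

# Percent-encode a group path such as "acmecorp/platform" so it can stand in
# for the :id segment of the URL. A numeric group ID passes through unchanged.
encode_path() {
  printf '%s' "$1" | sed 's|/|%2F|g'
}

api_url() {
  printf '%s/api/v4/%s' "$GITLAB_URL" "$1"
}

# Send one request authenticated with the token and print only the HTTP status.
status_of() {
  method="$1"; path="$2"
  curl -sS -o /dev/null -w '%{http_code}' -X "$method" \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$(api_url "$path")"
}

# Interpret the status of the authentication probe.
auth_verdict() {
  case "$1" in
    200) echo "TOKEN_STILL_WORKS" ;;
    401) echo "TOKEN_REJECTED" ;;   # revoked, expired or otherwise invalid
    *)   echo "UNEXPECTED_$1" ;;    # e.g. 403/404: reachable but not authorized
  esac
}

# Interpret the status of the revocation attempt. GitLab answers a successful
# DELETE with 204; any other status means the token is still live, and the
# exact code an unlicensed group returns is not stated in the issue.
revoke_verdict() {
  case "$1" in
    204) echo "REVOKED" ;;
    *)   echo "NOT_REVOKED_$1" ;;
  esac
}

check_group() {
  group="$(encode_path "$1")"
  echo "auth probe:  $(auth_verdict "$(status_of GET "groups/$group/projects?per_page=1")")"
  echo "token list:  $(auth_verdict "$(status_of GET "groups/$group/access_tokens")")"
  if [ -n "${GITLAB_TOKEN_ID:-}" ]; then
    echo "revocation:  $(revoke_verdict "$(status_of DELETE "groups/$group/access_tokens/$GITLAB_TOKEN_ID")")"
  fi
}

# Only talk to the network when the caller supplied a group and a token.
if [ -n "${GITLAB_GROUP:-}" ] && [ -n "${GITLAB_TOKEN:-}" ]; then
  check_group "$GITLAB_GROUP"
fi
```

Run it once while the group is on the paid plan and once after Support moves it back to Free; the bug described in this issue shows up as `TOKEN_STILL_WORKS` on the probe together with `NOT_REVOKED_…` on the revocation line. The token ID for the DELETE call is the numeric `id` field returned by the list endpoint (or shown in the group's Access Tokens settings page), not the token value itself.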
Example of how this is a security risk
- acmecorp group pays for a Premium license and creates a bunch of group access tokens.
- acmecorp team member accidentally publishes one of their group access tokens somewhere publicly visible.
- acmecorp decides not to renew.
- acmecorp team member realizes they accidentally leaked their group access token with all the API scopes.
- acmecorp team is blocked from revoking the leaked Group access token in the UI or API.
- Malicious actor finds the leaked Group access token and uses it to exfiltrate all the acmecorp group's private data before permanently deleting all projects and assets in the group.
Example Project
I used this group https://gitlab.com/greg-testgroup.
I verified that the Group access tokens continue working after the group was downgraded from Ultimate to Free, and that they couldn't be revoked via UI or API.
What is the current bug behavior?
Group access tokens continue working after a subscription expires, even though group members are blocked from creating or revoking their Group access tokens.
What is the expected correct behavior?
When a subscription expires, group access tokens should stop working until a new subscription is applied. Alternatively, when a subscription expires, the option to create Group access tokens is removed but the option to revoke existing Group access tokens remains available in the UI/API.
Relevant logs and/or screenshots
Output of checks
This bug only happens on GitLab.com. (Group access tokens are available in the Free tier on self-managed instances.)