OpenBao - Use secret as field name for create/update secret

Problem to solve

When creating or updating a project secret using GraphQL mutations, the secret itself is visible in GraphQL logs.

For example, the following log entry contains "value\"=\u003e\"recurity-ctf{first-rule-keeping-secrets-is-nothing-on-paper}\".

gitlab-rails/graphql_json.log:{"severity":"INFO","time":"2025-02-27T04:44:06.478Z","correlation_id":"01JN2VG4K2RKQQ4JEX2KD22NHQ","meta.caller_id":"graphql:createSecret","meta.feature_category":"secrets_management","meta.organization_id":1,"meta.remote_ip":"104.241.40.177","meta.user":"testuser","meta.user_id":2,"meta.client_id":"user/2","trace_type":"execute_query","query_fingerprint":"createSecret/gTgClKfuZ7RwE3SV994ozCduFU4JmDVRmhztAVRLjV0=/6/RR_pBZmcB0mcvq1EvhpfBI7jMlBH5LQrg4r1_Cfp1lA=","duration_s":0.31069928999932017,"operation_name":"createSecret","operation_fingerprint":"createSecret/gTgClKfuZ7RwE3SV994ozCduFU4JmDVRmhztAVRLjV0=","is_mutation":true,"variables":"{\"projectPath\"=\u003e\"testuser/pentest-project\", \"branch\"=\u003e\"*\", \"description\"=\u003e\"[FILTERED]\", \"environment\"=\u003e\"*\", \"name\"=\u003e\"REGISTRY_PASS\", \"value\"=\u003e\"recurity-ctf{first-rule-keeping-secrets-is-nothing-on-paper}\"}","query_string":"mutation createSecret {\n  projectSecretCreate(input: {projectPath: \"testuser/pentest-project\", name: \"\u003cREDACTED\u003e\", description: \"\u003cREDACTED\u003e\", value: \"\u003cREDACTED\u003e\", branch: \"\u003cREDACTED\u003e\", environment: \"\u003cREDACTED\u003e\"}) {\n    errors\n    projectSecret {\n      description\n      name\n      __typename\n    }\n    __typename\n  }\n}","query_analysis.duration_s":0.0013279930008138763,"query_analysis.complexity":7,"query_analysis.depth":3,"query_analysis.used_fields":["ProjectSecretCreatePayload.errors","ProjectSecret.description","ProjectSecret.name","ProjectSecret.__typename","ProjectSecretCreatePayload.projectSecret","ProjectSecretCreatePayload.__typename","Mutation.projectSecretCreate"],"query_analysis.used_deprecated_fields":[],"query_analysis.used_deprecated_arguments":[]}

Links

Related GraphQL mutations and implementation issues:

Proposal

Rename the value field of GraphQL mutations handling secrets to secret.

Fields named secret are already redacted from the logs by the parameter filter configured in config/application.rb. See https://gitlab.com/gitlab-org/gitlab/-/blob/8e16a6faee547faa85538b1c2616ccccb98799fe/config/application.rb#L193
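To show why the rename matters, here is an added example (not GitLab code) of a minimal key-name based parameter filter, applied to the variables hash of the mutation before and after the rename. The filter patterns are constructed for this example; the page's log shows that description was filtered while value was not, so the example uses a pattern set with that behaviour.

```ruby
require "json"

# Constructed stand-in for a Rails-style parameter filter: any key whose
# name matches one of these patterns is replaced with "[FILTERED]" before
# the request is logged. The pattern list is an assumption for this example.
FILTER_PATTERNS = [/secret/i, /password/i, /description/i].freeze
FILTERED = "[FILTERED]"

# Recursively redact matching keys in nested hashes and arrays.
def filter_params(value, patterns = FILTER_PATTERNS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = patterns.any? { |re| re.match?(k.to_s) } ? FILTERED : filter_params(v, patterns)
    end
  when Array
    value.map { |v| filter_params(v, patterns) }
  else
    value
  end
end

# True if the plaintext secret would still reach the log after filtering.
def secret_leaks?(variables, secret)
  JSON.generate(filter_params(variables)).include?(secret)
end

SECRET = "constructed-example-secret-value" # constructed, not a real credential

# Variables as sent by the current mutation (secret carried in `value`)...
BEFORE = { "projectPath" => "group/project", "name" => "REGISTRY_PASS",
           "description" => "registry password", "value" => SECRET }.freeze
# ...and after the proposed rename (secret carried in `secret`).
AFTER  = { "projectPath" => "group/project", "name" => "REGISTRY_PASS",
           "description" => "registry password", "secret" => SECRET }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "before rename, secret leaks into log: #{secret_leaks?(BEFORE, SECRET)}" # true
  puts "after rename, secret leaks into log:  #{secret_leaks?(AFTER, SECRET)}"  # false
  puts JSON.generate(filter_params(AFTER))
end
```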

In the long term, the design doc calls for users to provision secrets directly in OpenBao, so the value would no longer pass through GraphQL mutations at all.

Implementation

Rename value field to secret.

  • Rename field in Mutation.projectSecretUpdate.
    • Update mutation in backend.
    • Update GraphQL documentation.
    • Update frontend accordingly.
  • Rename field in Mutation.projectSecretCreate.
    • Update mutation in backend.
    • Update GraphQL documentation.
    • Update frontend accordingly.

Verification Steps

  1. Make sure your GDK is on an Ultimate license.
  2. Set up OpenBao on your GDK.
  3. Enable the Secrets Manager on GDK.
  4. Go to your project settings (Secure > Secrets manager) and open the form for creating secrets (click New secret on the upper right corner of the table). To make it easier to check the logs after the mutation later, open log/graphql_json.log and check where the logs end.
  5. Create a secret using the form. You will be redirected to the secret details page afterwards.
  6. Check the GraphQL logs. There should be two new entries after the mutation. In both, check variables and query string and verify that the secret field is masked.
  7. From the secret details page, click on the edit icon on the upper right and update your secret with a new value. There should be an additional two new entries in the logs. Similar to the last step, verify that the secret field is masked.
Edited by Mireya Andres