feat: Auto-revoke glpats within TokenRevocationService (!103713) · Merge requests · GitLab.org / GitLab

Lucas Charles requested to merge trigger-revocation-on-secret-detection into master Nov 11, 2022

What does this MR do and why?

Automatically revokes GL Personal Access Tokens on detection. This feature is currently behind a feature flag, see #382610 (closed) rollout issue.

Parent issue: #371658 (closed) and handy diagram #371658 (comment 1159759669)

How to set up and validate locally

Emphasis on locally so we don't have a leak prior to this 😬

Feature.enable(:gitlab_pat_auto_revocation)
ApplicationSetting.last.update(secret_detection_token_revocation_enabled: true)
Create a gitlab personal access token (that hopefully relies on the default prefix if it hasn't been modified: glpat-)
Commit PAT to default branch of repository
Let pipeline complete (after build completes ScanSecurityReportSecretsWorker must be ran)
Check if token was revoked via access tokens page

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Nov 15, 2022 by Lucas Charles

feat: Auto-revoke glpats within TokenRevocationService

What does this MR do and why?

How to set up and validate locally

Emphasis on locally so we don't have a leak prior to this 😬

MR acceptance checklist

Merge request reports