
Admin Mode: Add `admin_mode` scope for PATs

What does this MR do and why?

This MR is part of the implementation plan in #42692 (comment 1222832412) to extend the Admin Mode feature to API access using a personal access token (PAT).

This MR:

  • adds a background migration to add the `admin_mode` scope to all active personal access tokens of administrators
  • prohibits users from selecting the new `admin_mode` scope when creating a personal access token (UI & API) at the moment
  • adds a model callback to automatically add the `admin_mode` scope if a personal access token is created for an administrator
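
As an added illustration (plain Ruby, no ActiveRecord, not the MR's own code), the three behaviours above modelled together: the scope validation that rejects `admin_mode` as user input, the creation callback that appends it for administrators, and the backfill over active administrator tokens; the class, method and scope-list names are assumptions.

```ruby
require 'date'

# Scopes a user may pick when creating a PAT; admin_mode is deliberately absent
# (assumed list, not GitLab's real one).
USER_SELECTABLE_SCOPES = %w[api read_api read_user read_repository write_repository].freeze
ADMIN_MODE_SCOPE = 'admin_mode'.freeze

User = Struct.new(:id, :admin, keyword_init: true)

class PersonalAccessToken
  attr_reader :user, :name, :scopes, :revoked, :expires_at

  # Plain constructor: models a token row as it already exists in the database.
  def initialize(user:, name:, scopes:, revoked: false, expires_at: nil)
    @user, @name, @scopes = user, name, scopes.dup
    @revoked, @expires_at = revoked, expires_at
  end

  # Validation: mirrors the API error "Scopes can only contain available scopes".
  def self.validate_requested!(requested)
    raise ArgumentError, 'Scopes can only contain available scopes' unless (requested - USER_SELECTABLE_SCOPES).empty?
  end

  # Creation path: validation first, then the callback that appends admin_mode
  # for administrators, so a normal user can never obtain the scope.
  def self.create(user:, name:, scopes:)
    validate_requested!(scopes)
    token = new(user: user, name: name, scopes: scopes)
    token.add_admin_mode_scope if user.admin
    token
  end

  def add_admin_mode_scope
    @scopes << ADMIN_MODE_SCOPE unless @scopes.include?(ADMIN_MODE_SCOPE)
  end

  # Active = not revoked and not expired (the migration's selection criterion).
  def active?(today = Date.today)
    !revoked && (expires_at.nil? || expires_at > today)
  end
end

# Stand-in for the background migration: backfill admin_mode only onto active
# tokens of administrators; revoked/expired tokens and normal users are untouched.
def backfill_admin_mode(tokens, today = Date.today)
  tokens.each { |t| t.add_admin_mode_scope if t.user.admin && t.active?(today) }
end
```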

Further information:

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Before checking out this MR (branch): add some personal access tokens for administrators and other users
  2. Check out this MR (branch) and run database migrations
  3. Verify that all active (not revoked, not expired) personal access tokens of administrators also contain the `admin_mode` scope

     ```shell
     $ gdk psql
     gitlabhq_development=# select * from personal_access_tokens;
     ```

  4. Add a new personal access token for an administrator (UI or API) and verify that it also contains the `admin_mode` scope

     ```shell
     $ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=api" "http://localhost:3000/api/v4/users/1/personal_access_tokens"
     {"id":6,"name":"mytoken","revoked":false,"created_at":"2022-12-28T12:38:18.625Z","scopes":["api","admin_mode"],"user_id":1,"last_used_at":null,"active":true,"expires_at":null,"token":"***"}
     ```

  5. Add a new personal access token for a normal user (UI or API) and verify that it does not contain the `admin_mode` scope

     ```shell
     $ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=api" "http://localhost:3000/api/v4/users/5/personal_access_tokens"
     {"id":10,"name":"mytoken","revoked":false,"created_at":"2022-12-28T14:07:05.405Z","scopes":["api"],"user_id":5,"last_used_at":null,"active":true,"expires_at":null,"token":"***"}
     ```

  6. Try to add a new personal access token for an administrator selecting the `admin_mode` scope and verify that it fails

     ```shell
     $ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=admin_mode" "http://localhost:3000/api/v4/users/1/personal_access_tokens"
     {"message":"Scopes can only contain available scopes"}
     ```

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
