
Draft: When rotating a token delay revocation of the old token until the new token is used

What does this MR do and why?

When a personal token is rotated, the MR delays the revocation of the rotated token until the new token is used:

  • When invoked, the PersonalAccessTokens::RotateService no longer revokes the rotated token.
  • Instead, the rotated token is revoked when the new token is used for the first time.
  • If the same personal access token is rotated more than once, the PersonalAccessTokens::RotateService
    • revokes the previously created linked tokens generated by earlier rotations of the same token (they obviously have not been used).
  • If a token resulting from the rotation of a personal access token is itself rotated before it has been used, the PersonalAccessTokens::RotateService
    • also revokes the old rotated personal access token.

So instead of a chain of tokens (each one resulting from the rotation of the previous one), once this MR is merged we will have a tree of tokens, each one generated by the rotation of its direct ancestor.

In this tree at most two tokens can be active: a leaf and its direct ancestor (as long as the leaf token has not been used yet). The chain of rotated tokens is then the tree branch between the root and the active leaf.
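The rotation and first-use rules above, modelled as an added stand-alone Ruby simulation so the resulting token tree can be inspected. This is not GitLab's PersonalAccessTokens::RotateService; the TokenTree class, its method names and the integer token ids are assumptions made for the illustration.

```ruby
# Added simulation of the rotation rules described in this MR (not GitLab code).
# Each token records its parent (the token it was rotated from), whether it
# has been used at least once, and whether it is revoked.
Token = Struct.new(:id, :parent, :used, :revoked)

class TokenTree
  def initialize
    @tokens = {}
    @next_id = 0
  end

  # Create a token; `parent` is nil for a token created directly by the user.
  def create(parent = nil)
    token = Token.new(@next_id += 1, parent, false, false)
    @tokens[token.id] = token
    token.id
  end

  def active?(id)
    @tokens.key?(id) && !@tokens[id].revoked
  end

  # Authenticate with a token: the first use of a rotated token revokes the token it replaced.
  def use(id)
    token = @tokens.fetch(id)
    raise "token #{id} is revoked" if token.revoked
    token.used = true
    revoke(token.parent) if token.parent
    id
  end

  # Rotate a token. The rotated token stays active until its replacement is used.
  def rotate(id)
    old = @tokens.fetch(id)
    raise "token #{id} is revoked" if old.revoked
    # Earlier rotations of the same token left unused replacements: revoke them.
    @tokens.each_value { |t| revoke(t.id) if t.parent == id && !t.used }
    # Rotating a replacement that was never used also revokes the token it was rotated from.
    revoke(old.parent) if !old.used && old.parent
    create(id)
  end

  private

  def revoke(id)
    @tokens[id].revoked = true if @tokens.key?(id)
  end
end
```

Walking through create, rotate, rotate-again, rotate-the-unused-child and use shows that never more than two tokens (a leaf and its direct ancestor) are active at once.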

This MR is supposed to mitigate the risk of disruption caused by a failure of an automated token rotation process, as described in #428256.

Requires: !142995
Related to #418238 #428256
Closes #428256

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. Create a PAT/GrAT/PrAT token with the api or self_rotate scope.
  2. Rotate the token:
     curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate"
  3. Verify that the rotated token has not been revoked and is still valid:
     curl --request GET --header "PRIVATE-TOKEN: <your_old_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"
  4. Verify that the new token works:
     curl --request GET --header "PRIVATE-TOKEN: <your_new_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"
  5. Verify that the old token has now been revoked:
     curl --request GET --header "PRIVATE-TOKEN: <your_old_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stéphane Talbot
