Draft: When rotating a token, delay revocation of the old token until the new token is used
What does this MR do and why?
When a personal token is rotated, the MR delays the revocation of the rotated token until the new token is used:
- When used, the `PersonalAccessTokens::RotateService` no longer revokes the rotated token. Instead, the rotated token is revoked when the new token is used for the first time.
- If the same personal access token is rotated more than once, the `PersonalAccessTokens::RotateService` revokes the linked tokens created by previous rotations of the same token (they obviously have not been used).
- If a token resulting from the rotation of a personal access token is itself rotated before it has been used, the `PersonalAccessTokens::RotateService` also revokes the old rotated personal access token.
So instead of a chain of tokens (each one resulting from the rotation of the previous one), if this MR is merged we will have a tree of tokens, each one generated by the rotation of its direct ancestor.
In this tree at most two tokens can be active: a leaf and its direct ancestor (as long as the leaf token has not been used). The chain of rotated tokens is then the tree branch between the root and the active leaf.
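The token tree and its at-most-two-active invariant, as an added in-memory model that is not part of this MR or of GitLab's code (class and method names are hypothetical):

```ruby
# Added example, not GitLab's own code: an in-memory model of the token tree
# the MR describes. Class and method names are hypothetical.
Token = Struct.new(:id, :ancestor, :revoked, :used, keyword_init: true)

class TokenTree
  def initialize
    @tokens = []
  end

  # A root token: the personal access token the user created.
  def create
    add(ancestor: nil)
  end

  # Rotation issues a new token linked to `old` but does NOT revoke `old`.
  def rotate(old)
    raise ArgumentError, "cannot rotate a revoked token" if old.revoked
    # Earlier rotations of the same token are superseded; those linked tokens
    # cannot have been used, or `old` would already be revoked.
    @tokens.each { |t| t.revoked = true if t.ancestor.equal?(old) }
    # Rotating an unused rotation result also revokes its own ancestor.
    old.ancestor.revoked = true if old.ancestor && !old.used
    add(ancestor: old)
  end

  # First use of a token revokes the token it was rotated from.
  def use(token)
    raise ArgumentError, "token revoked" if token.revoked
    token.ancestor.revoked = true if token.ancestor && !token.used
    token.used = true
    token
  end

  # Ids of tokens still accepted; the MR's invariant is that this never exceeds 2.
  def active_ids
    @tokens.reject(&:revoked).map(&:id)
  end

  private

  def add(ancestor:)
    token = Token.new(id: @tokens.size + 1, ancestor: ancestor, revoked: false, used: false)
    @tokens << token
    token
  end
end
```

Rotating the root twice, then rotating the unused result and finally using the leaf, walks every rule in the list above while never leaving more than two active tokens.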
This MR is supposed to mitigate the risk of disruption due to a failure of an automated token rotation process, as described in #428256.
Requires: !142995
Related to #418238 #428256
Closes #428256
Screenshots or screen recordings
How to set up and validate locally
- Create a PAT/GrAT/PrAT token with `api` or `self_rotate` scope.
- Rotate the token:
  ```shell
  curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate"
  ```
- Verify that the rotated token has not been revoked and is still valid:
  ```shell
  curl --request GET --header "PRIVATE-TOKEN: <your_old_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"
  ```
- Verify that the new token works:
  ```shell
  curl --request GET --header "PRIVATE-TOKEN: <your_new_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"
  ```
- Verify that the old token has now been revoked:
  ```shell
  curl --request GET --header "PRIVATE-TOKEN: <your_old_access_token>" "https://gitlab.example.com/api/v4/personal_access_tokens/self"
  ```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.