
Token prefixes: add support for Pipeline trigger tokens

Problem to solve

All pipeline trigger tokens use the standard glptt- prefix. When tokens leak publicly, it is difficult to determine which specific GitLab instance they belong to. Quick identification of leaked credentials is essential for incident response.

Proposal

Custom instance prefixes like <prefix>-glptt- make it immediately clear which organization's tokens have been compromised. It is easier to identify leaked tokens, because users can now skip all leaked tokens that start with glptt- and only need to look at tokens starting with <prefix>-glptt-.

Persona

  • GitLab maintainers that manage multiple self-managed GitLab instances

What does this MR do and why?

This MR adds support for instance wide token prefixes to Pipeline trigger tokens.

Instance-wide token prefixes were added in !179852 (merged).

The new prefix format is #{instance_prefix}#{token_type_prefix}. For Pipeline trigger tokens this gives #{instance_prefix}glptt-. By default the instance prefix is empty, so the token prefix is the current glptt-. The instance prefix can now be customized to produce a new prefix such as mycompanynameglptt-.

With this custom prefix, it is easier to identify leaked tokens, because we can now skip all leaked tokens that start with glptt- and only need to look at tokens starting with mycompanynameglptt-.

🛠️ with ❤️ at Siemens

References

How to set up and validate locally

Verify token prefix

  1. Enable the feature flag via rails c:
     Feature.enable(:custom_prefix_for_all_token_types)

  2. Create a new pipeline trigger token to query: Project > Settings > CI / CD > Pipeline trigger tokens > Add new token

  3. Now, change the instance-wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix

  4. Create another trigger token; it should now contain the new prefix.

Verify short_token

To verify that the short_token does not contain the instance prefix, you can send a POST request to trigger a pipeline. You will likely need to adjust the project id in the URL to match the project that you've generated the trigger token for:

curl -X POST \
     --fail \
     -F token=<your glptt token> \
     -F ref=master \
     http://gdk.test:3000/api/v4/projects/19/trigger/pipeline

You can now go to the pipeline and select a job to see a shortened version of the token in the right column.
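The following Ruby snippet is an added illustration of the two behaviours this MR describes: the composed prefix #{instance_prefix}#{token_type_prefix} and a short_token that does not include the instance prefix. It is not GitLab's own implementation; only the glptt- type prefix comes from this MR, while the random-part length, the four-character short form, and the leaked-token triage helper are assumptions made for the example.

```ruby
require 'securerandom'

# Token-type prefix for pipeline trigger tokens, as stated in the MR.
# Everything else here is an illustrative reconstruction, not GitLab code.
TRIGGER_TOKEN_PREFIX = 'glptt-'

# Full prefix = "#{instance_prefix}#{token_type_prefix}".
# An empty instance prefix yields the classic "glptt-" form.
def full_prefix(instance_prefix = '')
  "#{instance_prefix}#{TRIGGER_TOKEN_PREFIX}"
end

# Build a trigger token carrying the full prefix followed by a random part.
# The 20-character alphanumeric random part is an assumption for this example.
def generate_trigger_token(instance_prefix: '')
  "#{full_prefix(instance_prefix)}#{SecureRandom.alphanumeric(20)}"
end

# Shortened token shown in job logs. As the MR requires, the instance prefix
# must not appear in it: the whole prefix is stripped before shortening.
# Keeping the first four characters of the random part is an assumption.
def short_token(token, instance_prefix: '')
  prefix = full_prefix(instance_prefix)
  return nil unless token.start_with?(prefix)

  token.delete_prefix(prefix)[0, 4]
end

# Incident-response triage over a batch of candidate strings from a leak:
# keep only tokens whose prefix ties them to this instance. Tokens with the
# bare "glptt-" prefix belong to some other GitLab instance and can be skipped,
# which is exactly the benefit the MR describes.
def tokens_for_instance(candidates, instance_prefix)
  prefix = full_prefix(instance_prefix)
  candidates.select { |candidate| candidate.start_with?(prefix) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data: one generic token, one for "mycompanyname", one unrelated.
  leaked = [
    'glptt-' + 'a' * 20,
    'mycompanynameglptt-' + 'b' * 20,
    'not-a-gitlab-token'
  ]
  ours = tokens_for_instance(leaked, 'mycompanyname')
  puts "Tokens to rotate for this instance: #{ours.inspect}"
  puts "Short form logged for the first one: #{short_token(ours.first, instance_prefix: 'mycompanyname')}"
end
```

Run the file directly to see which of the constructed "leaked" strings would require rotation on an instance configured with the mycompanyname prefix; the short form printed for it contains neither the instance prefix nor glptt-.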

MR acceptance checklist

MR Checklist (@nwittstruck)

Related to #388379

Edited by Alana Bellucci
