Add Token Verification Request Service
What does this MR do and why?
This MR implements the GitLab-side Token Verification Request Service for Secret Detection. It adds the ability to verify the status of partner platform tokens (such as GitHub PATs, AWS access keys, etc.) by sending verification requests to the Secret Detection Response Service (SDRS).
I have broken down the issue #551358 (closed) into 2 MRs:
- This one adds PartnerTokenVerificationService
- The other one adds PartnerTokenVerificationWorker: Add partner token verification worker for Secre... (!197843 - merged)
I broke it down into 2 MRs for ease of review.
What's included:
- TokenVerificationRequestService - Main service that:
  - Validates prerequisites (feature flag, SDRS configuration, user permissions)
  - Generates JWT tokens for secure communication with SDRS
  - Sends asynchronous verification requests to SDRS
  - Updates token status to track verification progress
  - Handles errors and network issues gracefully
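The flow the list above describes, condensed into a runnable sketch. This is an added example, not the MR's code and not GitLab's `ServiceResponse`, `ApplicationSetting` or `Vulnerabilities::Finding` classes: the `SdrsSettings`, `TokenFinding` and `ServiceResult` structs are constructed stand-ins, the HTTP call is an injected `transport` callable so it runs offline, the JWT claim names (`iss`, `aud`, `jti`, `finding_id`, `project_id`) and the assumption that SDRS acknowledges with HTTP 202 are mine, and `verify_jwt` shows what the receiving side checks. It keeps the ordering the description implies (feature flag, SDRS configuration, permissions) and the three error messages the validation steps expect.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed stand-ins for ApplicationSetting, Vulnerabilities::Finding and the
# service result; none of these are GitLab's classes.
SdrsSettings = Struct.new(:token_verification_flow, :sdrs_enabled, :sdrs_url,
                          :sdrs_jwt_signing_key, keyword_init: true)
TokenFinding = Struct.new(:id, :project_id, :token_type, :token_status, keyword_init: true)
ServiceResult = Struct.new(:status, :message, :payload, keyword_init: true) do
  def success?
    status == :success
  end

  def error?
    status == :error
  end
end

# base64url without padding, as JWT requires (no external gem needed).
def b64url_encode(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

class TokenVerificationRequest
  JWT_TTL_SECONDS = 300 # assumed lifetime; short because the token is single-purpose

  # transport: callable (url, jwt, body_json) -> HTTP status code. Injected so the
  # example runs offline and so a network failure can be simulated.
  def initialize(finding, settings:, user_authorized:, transport:)
    @finding = finding
    @settings = settings
    @user_authorized = user_authorized
    @transport = transport
  end

  def execute
    # Prerequisite checks, cheapest first; each fails closed with a distinct message.
    return error('Feature flag disabled') unless @settings.token_verification_flow
    return error('SDRS not configured') unless sdrs_configured?
    return error('Unauthorized') unless @user_authorized

    jwt = build_jwt
    body = { finding_id: @finding.id, token_type: @finding.token_type }.to_json
    code = @transport.call(@settings.sdrs_url, jwt, body)
    return error("SDRS rejected request (HTTP #{code})") unless code == 202

    # SDRS answers asynchronously, so the finding is only marked pending here.
    @finding.token_status = 'pending'
    ServiceResult.new(status: :success, payload: { jwt: jwt })
  rescue StandardError => e
    # Network and signing failures surface as a result, never as an unhandled exception.
    error("Verification request failed: #{e.class}")
  end

  private

  def sdrs_configured?
    @settings.sdrs_enabled && !@settings.sdrs_url.to_s.empty? &&
      !@settings.sdrs_jwt_signing_key.to_s.empty?
  end

  def error(message)
    ServiceResult.new(status: :error, message: message)
  end

  # RS256 JWT signed with the configured private key; the claim set is an assumption.
  def build_jwt
    now = Time.now.to_i
    header = { alg: 'RS256', typ: 'JWT' }
    claims = { iss: 'gitlab', aud: @settings.sdrs_url, iat: now,
               exp: now + JWT_TTL_SECONDS, jti: SecureRandom.uuid,
               finding_id: @finding.id, project_id: @finding.project_id }
    signing_input = [header, claims].map { |h| b64url_encode(h.to_json) }.join('.')
    key = OpenSSL::PKey::RSA.new(@settings.sdrs_jwt_signing_key)
    signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{b64url_encode(signature)}"
  end
end

# What the receiving side (SDRS) would do: pin the algorithm, verify the RS256
# signature with the public key, reject expired tokens; returns claims or nil.
def verify_jwt(token, public_key, now: Time.now.to_i)
  header_b64, claims_b64, sig_b64 = token.split('.')
  return nil unless sig_b64

  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'RS256' # refuse "none" / HMAC confusion

  signing_input = "#{header_b64}.#{claims_b64}"
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'),
                                      b64url_decode(sig_b64), signing_input)

  claims = JSON.parse(b64url_decode(claims_b64))
  claims['exp'] > now ? claims : nil
end
```

The transport is the only seam that touches the network, which is what lets the "SDRS disabled", "unauthorized" and "connection refused" paths be exercised without a server; in each error path the finding's status is left untouched, so a failed request never looks like a verification in progress.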
Why this is important:
- Security Enhancement: Helps security teams identify which leaked tokens are still active and pose immediate risk
- Prioritization: Allows teams to focus remediation efforts on active tokens first
- Compliance: Provides audit trail for token verification attempts
- Multi-platform Support: Extends beyond GitLab tokens to verify partner platform credentials
References
- Issue: #551358 (closed) - Implement partner token verification for Secret Detection
How to set up and validate locally
Prerequisites:
- Enable required feature flags and configure SDRS:

```ruby
# In rails console
Feature.enable(:token_verification_flow)
ApplicationSetting.current.update!(
  sdrs_enabled: true,
  sdrs_url: 'https://sdrs.example.com',
  sdrs_jwt_signing_key: OpenSSL::PKey::RSA.generate(2048).to_pem
)
```

- Create a test vulnerability finding with a partner token:

```ruby
project = Project.find(1) # Use your test project
user = User.find(1)       # Use your test user
finding = Vulnerabilities::Finding.create!(
  project: project,
  report_type: 'secret_detection',
  severity: 'critical',
  confidence: 'high',
  name: 'GitHub Personal Access Token detected',
  raw_metadata: {
    'token_type' => 'github_pat',
    'raw_source_code_extract' => 'ghp_test123abc'
  }.to_json,
  # ... other required attributes
)
```
Testing the service:
- Test successful verification request:

```ruby
service = Security::SecretDetection::TokenVerificationRequestService.new(user, finding)
result = service.execute
# Should return success and update status to 'pending'
puts result.success?                                # => true
puts finding.reload.finding_token_status.status     # => "pending"
```

- Test with SDRS disabled:

```ruby
ApplicationSetting.current.update!(sdrs_enabled: false)
service = Security::SecretDetection::TokenVerificationRequestService.new(user, finding)
result = service.execute
# Should return error
puts result.error?   # => true
puts result.message  # => "SDRS not configured"
```

- Test unauthorized access:

```ruby
unauthorized_user = create(:user) # User without project access
service = Security::SecretDetection::TokenVerificationRequestService.new(unauthorized_user, finding)
result = service.execute
# Should return error
puts result.error?   # => true
puts result.message  # => "Unauthorized"
```

Monitoring logs:
Check the application logs for detailed information about the verification process:

```shell
tail -f log/development.log | grep -E "TokenVerificationRequestService|token_status"
```
MR acceptance checklist
- Code review guidelines
- Unit tests with comprehensive coverage
- Feature flag for gradual rollout (token_verification_flow)
- Error handling and logging
- Security review (JWT authentication, permission checks)
- Documentation updates
- Performance considerations (async processing via workers)
Related to #551358 (closed)
Edited by Aditya Tiwari