Add deploy-token-{id} identifier

What does this MR do and why?

Adds deploy-token-{id} identifier support to Gitlab::Identifier and GitAccessActor so the system can deserialize deploy token identifiers.

Currently, Gitlab::GlId.gl_id generates user-{id} for all actors including deploy tokens, causing ID collisions with real users. The fix for git audit event HTTP requests consists of three parts:

  1. (this MR) Introduce deploy-token-{id} identifier
     • Fix the deserializer so Identifier#identify and GitAccessActor.from_identifier can resolve deploy-token-{id} back to a DeployToken object.
  2. Fix GlId generation for DeployToken (!222599 (merged))
     • Fix the serializer to produce deploy-token-{id}.
  3. Migrate the Audit system from using username to identifier (#570236 (closed))
     • Update Workhorse to send GL_ID as identifier param (instead of only GL_USERNAME as username) to the internal/shellhorse/git_audit_event endpoint, so GitAccessActor.from_params can resolve deploy tokens via the params[:identifier] branch.

These changes must be deployed in this order.

Impact analysis

Investigated all consumers of GL_ID across the GitLab ecosystem to verify the format change is safe:

  1. Workhorse: Treats GL_ID as an opaque string. The two places that pass it to Gitaly (receive-pack.go, ssh.go) are push-only paths. Deploy tokens have no write_repository scope (doc), so they cannot push. The audit event path (git-http.go) uses GL_USERNAME, not GL_ID. No impact.
  2. Gitaly: parseAndSetGLID in internal/gitlab/http_client.go parses GL_ID and only recognizes user-, key-, and username- prefixes. deploy-token-{id} would fail validation. However, this is only called from preReceiveHook (push only). PostReceive at line 269 passes GL_ID as an opaque identifier string without parsing. No impact.
  3. gitlab-shell: Deploy tokens do not support SSH authentication (doc). deploy-token-{id} will never enter gitlab-shell. No impact.
  4. Rails: Identifier#identify is the only code that parses GL_ID and would break. This MR fixes it. Other consumers (GitPostReceive#identify, Geo::PushUser, Geo::GitPushHttp) are either push-only paths or don't parse the format. Fixed by this MR.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Emma Park
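
The ID collision and the typed-prefix resolution described above, as an added Ruby sketch. It is not code from this MR or from Gitlab::Identifier / Gitlab::GlId; the structs, lookup tables and method names are hypothetical, and the sample data is constructed.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical.
User        = Struct.new(:id, :username)
DeployToken = Struct.new(:id, :name)

# Constructed sample data: a user and a deploy token that share numeric id 7.
USERS         = { 7 => User.new(7, "alice") }.freeze
DEPLOY_TOKENS = { 7 => DeployToken.new(7, "ci-read-token") }.freeze

# Behaviour the description reports: every actor is serialized as user-{id}.
def legacy_gl_id(actor)
  "user-#{actor.id}"
end

# Typed serialization: the prefix carries the actor type.
def typed_gl_id(actor)
  case actor
  when User        then "user-#{actor.id}"
  when DeployToken then "deploy-token-#{actor.id}"
  else raise ArgumentError, "unsupported actor: #{actor.class}"
  end
end

# Anchored with \A and \z so the whole string must match and the id is
# decimal digits only; trailing newlines or extra text are rejected.
GL_ID_PATTERN = /\A(?<kind>user|deploy-token)-(?<id>\d+)\z/

# Resolve an identifier back to an actor; nil for unknown or malformed input.
def identify(gl_id)
  match = GL_ID_PATTERN.match(gl_id.to_s)
  return nil unless match

  id = match[:id].to_i
  case match[:kind]
  when "user"         then USERS[id]
  when "deploy-token" then DEPLOY_TOKENS[id]
  end
end
```

With the legacy form, a git action by deploy token 7 resolves to user 7 and would be attributed to that user in an audit record; the typed form resolves to the token itself.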
