
Project access token API

Serena Fang requested to merge sfang-project-access-token-api into master

What does this MR do?

Relates to: #238991 (closed)

This MR provides an API endpoint to manage (create, list, revoke) Project Access Tokens.

Additionally, it prevents project access tokens from creating other project access tokens by modifying the :admin_resource_access_tokens rule so that project bots cannot satisfy the policy. A prior MR introduced audit event logging for creating/revoking project access tokens, which will help admins track down misuse of tokens. More discussion of this security risk is in the issue.

GET:

curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens"

POST:

curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
--header "Content-Type:application/json" \
--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":"2021-01-31" }' \
"http://127.0.0.1:3000/api/v4/projects/20/access_tokens"

DELETE:

curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<user_id>"

Sample output for GET, POST, and DELETE requests is in doc/api/resource_access_tokens.md (in this MR's diffs).

Project access tokens cannot create other project access tokens.


Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
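The endpoints exercised by the curl commands in the MR description above (list, create, revoke), as an added Ruby example that is not code from this MR or from GitLab. It builds the three requests without sending them, refuses unknown scopes and a missing expiry client-side, and runs a hygiene audit over a constructed list response. Assumed: the list response is a JSON array whose objects carry "id", "name", "scopes", "expires_at", "active" and "revoked" (field names beyond those in the curl examples are assumptions), and the final DELETE path segment is the identifier shown as <user_id> above.

```ruby
# Added example, not code from this MR or from GitLab: a small client for the
# project access token endpoints exercised by the curl commands above, plus a
# hygiene check over the list response. Assumed: the list response is a JSON
# array whose objects carry "id", "name", "scopes", "expires_at", "active" and
# "revoked" (field names beyond those shown in the MR are assumptions), and the
# last DELETE path segment is the identifier shown as <user_id> above.
require "date"
require "json"
require "net/http"
require "uri"

module ProjectAccessTokens
  ENDPOINT = "/api/v4/projects/%d/access_tokens".freeze
  # Scopes this client is willing to request. The server validates scopes too;
  # rejecting client-side keeps a typo from silently being sent.
  ALLOWED_SCOPES = %w[api read_api read_repository write_repository].freeze

  # Constructed sample list response used by the audit below and by the script
  # entry point; it is not output captured from a GitLab instance.
  SAMPLE_TOKENS = [
    { "id" => 1, "name" => "ci-deploy",  "scopes" => ["read_repository"], "expires_at" => "2021-02-01", "active" => true,  "revoked" => false },
    { "id" => 2, "name" => "admin-bot",  "scopes" => ["api"],             "expires_at" => nil,          "active" => true,  "revoked" => false },
    { "id" => 3, "name" => "old-token",  "scopes" => ["api"],             "expires_at" => "2020-06-01", "active" => false, "revoked" => true  },
    { "id" => 4, "name" => "long-lived", "scopes" => ["read_api"],        "expires_at" => "2022-01-01", "active" => true,  "revoked" => false },
  ].freeze

  module_function

  # GET /projects/:id/access_tokens
  def list_request(base_url, project_id, private_token)
    req = Net::HTTP::Get.new(URI.join(base_url, format(ENDPOINT, project_id)))
    req["PRIVATE-TOKEN"] = private_token
    req
  end

  # POST /projects/:id/access_tokens with a JSON body; refuses unknown scopes
  # and a missing expiry before anything is sent.
  def create_request(base_url, project_id, private_token, name:, scopes:, expires_at:)
    unknown = scopes - ALLOWED_SCOPES
    raise ArgumentError, "unknown scopes: #{unknown.join(', ')}" unless unknown.empty?
    raise ArgumentError, "expires_at is required" if expires_at.nil? || expires_at.empty?

    req = Net::HTTP::Post.new(URI.join(base_url, format(ENDPOINT, project_id)))
    req["PRIVATE-TOKEN"] = private_token
    req["Content-Type"] = "application/json"
    req.body = JSON.generate({ "name" => name, "scopes" => scopes, "expires_at" => expires_at })
    req
  end

  # DELETE /projects/:id/access_tokens/:token_id
  def revoke_request(base_url, project_id, private_token, token_id)
    req = Net::HTTP::Delete.new(URI.join(base_url, "#{format(ENDPOINT, project_id)}/#{token_id}"))
    req["PRIVATE-TOKEN"] = private_token
    req
  end

  # Sends a prepared request; the only place that touches the network.
  def perform(req)
    uri = req.uri
    Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  end

  # Flags live tokens that carry the broad "api" scope, have no expiry, or
  # expire more than max_days out. Returns [[name, reason], ...].
  def audit(tokens, today: Date.today, max_days: 90)
    tokens.each_with_object([]) do |t, findings|
      next if t["revoked"] || t["active"] == false

      findings << [t["name"], "has api scope"] if t["scopes"].include?("api")
      if t["expires_at"].nil?
        findings << [t["name"], "no expiry"]
      elsif (Date.parse(t["expires_at"]) - today).to_i > max_days
        findings << [t["name"], "expires more than #{max_days} days out"]
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Offline run over the constructed sample; set GITLAB_URL, GITLAB_TOKEN and
  # PROJECT_ID to audit a real project's tokens instead.
  tokens = ProjectAccessTokens::SAMPLE_TOKENS
  if ENV["GITLAB_URL"] && ENV["GITLAB_TOKEN"] && ENV["PROJECT_ID"]
    req = ProjectAccessTokens.list_request(ENV["GITLAB_URL"], Integer(ENV["PROJECT_ID"]), ENV["GITLAB_TOKEN"])
    tokens = JSON.parse(ProjectAccessTokens.perform(req).body)
  end
  ProjectAccessTokens.audit(tokens).each { |name, reason| puts "#{name}: #{reason}" }
end
```

Keeping request construction separate from `perform` is what makes the client testable without a GitLab instance, and it is also where a reviewer can see exactly what headers and body leave the process. The audit thresholds (90 days, the `api` scope) are choices for this example rather than anything the MR prescribes.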
Edited by Serena Fang
