Remove programmatic access to registration tokens
What does this MR do?
In https://gitlab.com/gitlab-org/gitlab/-/issues/326018, we have discovered an issue where instance registration tokens were shown incorrectly to instance admins on group CI/CD settings.
This did not show any information that users didn't already have access to, but it did reveal the security risk posed by programmatic access to registration tokens. A similar mistake that would show an instance token to everyone is a very real risk with huge implications.
So let's prevent this from happening by removing programmatic access to those tokens. The installation instructions work just as well if the token is not prefilled and has a placeholder like <paste your registration token here> instead.
A further ~"technical debt" issue has been opened in #326102 (closed) to clean up those methods and remove the unnecessary code. Removing the security risk is the priority of this MR and cleanup can be handled at a lower priority level.
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
- I have included a changelog entry.
- I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
