
Disable Personal Access Tokens in FIPS mode

Drew Blessing requested to merge dblessing_disable_pats into master

What does this MR do and why?

Fixes #351350 (closed)


This MR disables the use of Personal Access Tokens of all types, including user PATs, group access tokens, project access tokens and impersonation tokens. Existing tokens will still exist in the database but cannot be used. This ensures that enabling/disabling is reversible. In the future we may implement a mechanism to revoke all existing PATs.

A subsequent MR (!98702 (merged)) will block creation of all PAT types.

Screenshots or screen recordings


This change disables PAT authentication for all types: personal, group and project.

How to set up and validate locally

  1. Enable FIPS mode in your instance. For GDK:
    FIPS_MODE=1 gdk restart
  2. Create a personal access token via user profile -> Access Tokens.
  3. Attempt to use the token. You will receive access denied.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
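The validation steps above rely on a design choice worth making explicit: the FIPS check is applied when a token is used, not by deleting or revoking token rows, which is what makes turning FIPS mode on and off reversible. The following Ruby sketch is an added illustration of that distinction and is not GitLab's code or the code in this MR; the class and method names (TokenStore, authenticate, revoke, fips_round_trip) are hypothetical, and token storage is simplified to an in-memory hash keyed by a SHA-256 digest.

```ruby
# Added illustration, not GitLab's implementation: models "tokens still exist in
# the database but cannot be used" under FIPS mode, and contrasts a use-time
# check (reversible) with revocation (not reversible). All names are hypothetical.
require 'securerandom'
require 'digest'

class TokenStore
  # The four token types the MR description says are affected.
  TOKEN_TYPES = %i[personal group project impersonation].freeze

  attr_accessor :fips_mode

  def initialize(fips_mode: false)
    @fips_mode = fips_mode
    @tokens = {} # digest => { type:, owner:, revoked: }
  end

  # Creates a token and stores only its digest; returns the plaintext once.
  def create(type:, owner:)
    raise ArgumentError, "unknown token type #{type}" unless TOKEN_TYPES.include?(type)

    plaintext = "tok-#{SecureRandom.hex(10)}"
    @tokens[digest(plaintext)] = { type: type, owner: owner, revoked: false }
    plaintext
  end

  # Revocation mutates the stored row; there is no way back from this.
  def revoke(plaintext)
    record = @tokens[digest(plaintext)]
    record[:revoked] = true if record
    !record.nil?
  end

  # Authentication: returns the owner on success, nil on access denied.
  # The FIPS gate sits here, so the stored row is never touched.
  def authenticate(plaintext)
    return nil if @fips_mode

    record = @tokens[digest(plaintext)]
    return nil if record.nil? || record[:revoked]

    record[:owner]
  end

  # True while the row is still present, regardless of whether it is usable.
  def stored?(plaintext)
    @tokens.key?(digest(plaintext))
  end

  private

  def digest(plaintext)
    Digest::SHA256.hexdigest(plaintext)
  end
end

# Mirrors the local validation steps: create a token, flip FIPS mode on,
# observe access denied, flip it back, observe the same token working again.
def fips_round_trip
  store = TokenStore.new(fips_mode: false)
  pat = store.create(type: :personal, owner: 'dblessing')

  before = store.authenticate(pat)        # usable before FIPS mode
  store.fips_mode = true                  # equivalent of FIPS_MODE=1 gdk restart
  during = store.authenticate(pat)        # access denied
  still_stored = store.stored?(pat)       # row is still there
  store.fips_mode = false                 # FIPS mode switched off again
  after = store.authenticate(pat)         # same token works again: reversible

  store.revoke(pat)
  after_revoke = store.authenticate(pat)  # revocation cannot be undone

  { before: before, during: during, still_stored: still_stored,
    after: after, after_revoke: after_revoke }
end

p fips_round_trip if __FILE__ == $PROGRAM_NAME
```

The point of the sketch is the placement of the gate: because nothing about the token row changes while FIPS mode is on, an operator who enables FIPS mode by mistake can turn it off without users having to recreate their tokens, whereas a revoke-all approach, which the description leaves for future work, would be a one-way operation.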
