-rw-r--r-- | config/feature_flags/development/pat_reuse_detection.yml | 8 | ||||
-rw-r--r-- | doc/administration/maintenance_mode/index.md | 7 | ||||
-rw-r--r-- | lib/gitlab/auth/auth_finders.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/auth_finders_spec.rb | 20 |
4 files changed, 33 insertions, 4 deletions
diff --git a/config/feature_flags/development/pat_reuse_detection.yml b/config/feature_flags/development/pat_reuse_detection.yml
new file mode 100644
index 00000000000..8000b362296
--- /dev/null
+++ b/config/feature_flags/development/pat_reuse_detection.yml
@@ -0,0 +1,8 @@
+---
+name: pat_reuse_detection
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/126600
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/418336
+milestone: '16.2'
+type: development
+group: group::authentication and authorization
+default_enabled: false
diff --git a/doc/administration/maintenance_mode/index.md b/doc/administration/maintenance_mode/index.md
index 3bbebe7ecce..336067d1891 100644
--- a/doc/administration/maintenance_mode/index.md
+++ b/doc/administration/maintenance_mode/index.md
@@ -128,8 +128,12 @@ For most JSON requests, `POST`, `PUT`, `PATCH`, and `DELETE` are blocked, and th
 ### GraphQL API
+> The `GeoRegistriesUpdate` mutation addition in the allowlist was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124259) in GitLab 16.2.
+
 `POST /api/graphql` requests are allowed but mutations are blocked with the error message `You cannot perform write operations on a read-only instance`.
+The only mutation that is allowed is the `GeoRegistriesUpdate` which is used to resync and reverify registries.
+
 ### Continuous Integration
 - No new jobs or pipelines start, scheduled or otherwise.
@@ -194,7 +198,8 @@ When primary is in Maintenance Mode, secondary also automatically goes into Main
 It is important that you do not disable replication before enabling Maintenance Mode.
-Replication and verification continues to work but proxied Git pushes to primary do not work.
+Replication, verification and manual actions to resync and reverify registries through the Admin UI
+continue to work, but proxied Git pushes to primary don't.
 ### Secure features
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 7f286ead925..966520655a5 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -403,6 +403,8 @@ module Gitlab
 end
 def revoke_token_family(token)
+ return unless Feature.enabled?(:pat_reuse_detection)
+
 PersonalAccessTokens::RevokeTokenFamilyService.new(token).execute
 end
 end
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 3d61339ba4e..1a1e165c50a 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -507,9 +507,9 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
 end
 context 'automatic reuse detection' do
-let_it_be(:token_3) { create(:personal_access_token, :revoked) }
-let_it_be(:token_2) { create(:personal_access_token, :revoked, previous_personal_access_token_id: token_3.id) }
-let_it_be(:token_1) { create(:personal_access_token, previous_personal_access_token_id: token_2.id) }
+let(:token_3) { create(:personal_access_token, :revoked) }
+let(:token_2) { create(:personal_access_token, :revoked, previous_personal_access_token_id: token_3.id) }
+let(:token_1) { create(:personal_access_token, previous_personal_access_token_id: token_2.id) }
 context 'when a revoked token is used' do
 before do
@@ -523,6 +523,20 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
 end
 expect(token_1.reload).to be_revoked
 end
+
+ context 'when the feature flag is disabled' do
+ before do
+ stub_feature_flags(pat_reuse_detection: false)
+ end
+
+ it 'does not revoke the latest rotated token' do
+ expect(token_1).not_to be_revoked
+
+ expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::RevokedError)
+
+ expect(token_1.reload).not_to be_revoked
+ end
+ end
 end
 end
 end |
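Review bot: The flag guard lives inside `revoke_token_family`, so every caller that reads as "revoke the whole rotation family" silently does nothing while `pat_reuse_detection` is off, and nothing in the method records that the skip happened. A one-line comment above the guard would make that visible to the next reader: `# Family revocation on reuse is still behind a flag; the presented revoked token is rejected by the caller regardless.` — the spec's flag-off example shows `find_user_from_access_token` still raises `Gitlab::Auth::RevokedError`, so only the defensive revocation of the newest token is skipped. If the rollout issue intends a staged (per-user or percentage) rollout rather than an instance-wide switch, `Feature.enabled?` would presumably need an actor such as the token's user — confirm against the rollout plan. The enclosing `module Gitlab` and the method's siblings start before this hunk.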
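Review bot: The flag-off example only proves that `token_1` ends up unrevoked, not that the guard short-circuited; a revocation that happened to leave `token_1` untouched would pass as well. Adding `expect(PersonalAccessTokens::RevokeTokenFamilyService).not_to receive(:new)` before the `expect { find_user_from_access_token }` line pins the new early return directly. The move from `let_it_be` to `let` looks necessary here, since the flag-on example revokes `token_1` (`expect(token_1.reload).to be_revoked`) and shared fixtures would leak that state into the new example. The `context 'when a revoked token is used'` block and its `before` body begin in the earlier hunk and are partly outside the visible lines.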