Merge branch '376752-deploy-token-prefix' into 'master'

Add a prefix to deploy tokens See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138438 Merged-by: charlie ablett <cablett@gitlab.com> Approved-by: Hunter Stewart <hustewart@gitlab.com> Approved-by: Jay Montal <jmontal@gitlab.com> Approved-by: Russell Dickenson <rdickenson@gitlab.com> Approved-by: charlie ablett <cablett@gitlab.com> Reviewed-by: charlie ablett <cablett@gitlab.com> Reviewed-by: Nick Malcolm <nmalcolm@gitlab.com> Co-authored-by: Russell Dickenson <rdickenson@gitlab.com> Co-authored-by: Nick Malcolm <nmalcolm@gitlab.com>

Merge branch '376752-deploy-token-prefix' into 'master'
4fd29edf · charlie ablett · c7ffb105 · 29d083e7 · 4fd29edf · 4fd29edf
--- a/.gitleaksignore
+++ b/.gitleaksignore
 afedb913baf4203aa688421873fdb9f94649578e:doc/api/users.md:generic-api-key:2201
+spec/frontend/lib/utils/secret_detection_spec.js:generic-api-key:34
--- a/app/assets/javascripts/lib/utils/secret_detection.js
+++ b/app/assets/javascripts/lib/utils/secret_detection.js
@@ -28,6 +28,10 @@ export const containsSensitiveToken = (message) => {
      name: 'GitLab OAuth Application Secret',
      regex: `gloas-[0-9a-zA-Z_-]{64}`,
    },
+    {
+      name: 'GitLab Deploy Token',
+      regex: `gldt-[0-9a-zA-Z_-]{20}`,
+    },
  ];
  for (const rule of sensitiveDataPatterns) {

--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -6,13 +6,14 @@ class DeployToken < ApplicationRecord
  include PolicyActor
  include Gitlab::Utils::StrongMemoize
-  add_authentication_token_field :token, encrypted: :required
  AVAILABLE_SCOPES = %i[read_repository read_registry write_registry
                        read_package_registry write_package_registry].freeze
  GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
+  DEPLOY_TOKEN_PREFIX = 'gldt-'
  REQUIRED_DEPENDENCY_PROXY_SCOPES = %i[read_registry write_registry].freeze
+  add_authentication_token_field :token, encrypted: :required, format_with_prefix: :prefix_for_deploy_token
  attribute :expires_at, default: -> { Forever.date }
  # Do NOT use this `user` for the authentication/authorization of the deploy tokens.
@@ -141,6 +142,10 @@ def expires_at=(value)
    write_attribute(:expires_at, value.presence || Forever.date)
  end
+  def prefix_for_deploy_token
+    DEPLOY_TOKEN_PREFIX
+  end
  private
  def expired?

--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -12,6 +12,7 @@ path = "/gitleaks.toml"
    "glpat-1234567890abcdefghij",
    # spec/frontend/lib/utils/secret_detection_spec.js
    "glpat-cgyKc1k_AsnEpmP-5fRL",
+    "gldt-cgyKc1k_AsnEpmP-5fRL",
    # spec/frontend/lib/utils/secret_detection_spec.js
    "GlPat-abcdefghijklmnopqrstuvwxyz",
    # doc/development/sec/token_revocation_api.md

--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -234,7 +234,7 @@ The following tables show the prefixes for each type of token where applicable.
 | Impersonation token               | Not applicable.    |
 | Project access token              | Not applicable.    |
 | Group access token                | Not applicable.    |
-| Deploy token                      | Not applicable.    |
+| Deploy token                      | `gldt-` ([Added in GitLab 16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/376752)) |
 | Deploy key                        | Not applicable.    |
 | Runner registration token         | Not applicable.    |
 | Runner authentication token       | `glrt-`            |

--- a/spec/frontend/lib/utils/secret_detection_spec.js
+++ b/spec/frontend/lib/utils/secret_detection_spec.js
@@ -31,6 +31,7 @@ describe('containsSensitiveToken', () => {
      'token: gloas-a8cc74ccb0de004d09a968705ba49099229b288b3de43f26c473a9d8d7fb7693',
      'https://example.com/feed?feed_token=123456789_abcdefghij',
      'glpat-1234567890 and feed_token=ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+      'token: gldt-cgyKc1k_AsnEpmP-5fRL',
    ];
    it.each(sensitiveMessages)('returns true for message: %s', (message) => {

--- a/spec/models/deploy_token_spec.rb
+++ b/spec/models/deploy_token_spec.rb
@@ -473,4 +473,12 @@
      expect(subject.impersonated?).to be(false)
    end
  end
+  describe '.token' do
+    # Specify a blank token_encrypted so that the model's method is used
+    # instead of the factory value
+    subject(:plaintext) { create(:deploy_token, token_encrypted: nil).token }
+    it { is_expected.to match(/gldt-[A-Za-z0-9_-]{20}/) }
+  end
 end
--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -395,6 +395,7 @@
          expect(json_response['scopes']).to eq(['read_repository'])
          expect(json_response['username']).to eq('Bar')
          expect(json_response['expires_at'].to_time.to_i).to eq(expires_time.to_i)
+          expect(json_response['token']).to match(/gldt-[A-Za-z0-9_-]{20}/)
        end
        context 'with no optional params given' do