Revert "bin/ci: Add GitLab basic token validation"
This validation code has 2 bugs, the main one being that it is wrong and is refusing perfectly valid codes. Let's remove this until we come up with a valid check. This reverts commit cd8b546205.
Fixes: cd8b546205 ("bin/ci: Add GitLab basic token validation")
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27312>

committed by
Marge Bot

parent
2f4d6df372
commit
e39fed5737
@@ -8,29 +8,13 @@
|
|||||||
# SPDX-License-Identifier: MIT
|
# SPDX-License-Identifier: MIT
|
||||||
'''Shared functions between the scripts.'''
|
'''Shared functions between the scripts.'''
|
||||||
|
|
||||||
import logging
|
|
||||||
import os
|
import os
|
||||||
import re
|
|
||||||
import time
|
import time
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
GITLAB_URL = "https://gitlab.freedesktop.org"
|
GITLAB_URL = "https://gitlab.freedesktop.org"
|
||||||
TOKEN_DIR = Path(os.getenv("XDG_CONFIG_HOME") or Path.home() / ".config")
|
TOKEN_DIR = Path(os.getenv("XDG_CONFIG_HOME") or Path.home() / ".config")
|
||||||
|
|
||||||
# Known GitLab token prefixes: https://docs.gitlab.com/ee/security/token_overview.html#token-prefixes
|
|
||||||
TOKEN_PREFIXES: dict[str, str] = {
|
|
||||||
"Personal access token": "glpat-",
|
|
||||||
"OAuth Application Secret": "gloas-",
|
|
||||||
"Deploy token": "gldt-",
|
|
||||||
"Runner authentication token": "glrt-",
|
|
||||||
"CI/CD Job token": "glcbt-",
|
|
||||||
"Trigger token": "glptt-",
|
|
||||||
"Feed token": "glft-",
|
|
||||||
"Incoming mail token": "glimt-",
|
|
||||||
"GitLab Agent for Kubernetes token": "glagent-",
|
|
||||||
"SCIM Tokens": "glsoat-"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def pretty_duration(seconds):
|
def pretty_duration(seconds):
|
||||||
"""Pretty print duration"""
|
"""Pretty print duration"""
|
||||||
@@ -87,61 +71,25 @@ def get_token_from_default_dir() -> str:
|
|||||||
raise ex
|
raise ex
|
||||||
|
|
||||||
|
|
||||||
def validate_gitlab_token(token: str) -> bool:
|
|
||||||
token_suffix = token.split("-")[-1]
|
|
||||||
# Basic validation of the token suffix based on:
|
|
||||||
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/gems/gitlab-secret_detection/lib/gitleaks.toml
|
|
||||||
if not re.match(r"(\w+-)?[0-9a-zA-Z_\-]{20,64}", token_suffix):
|
|
||||||
raise ValueError("The provided token does not match valid GitLab token format.")
|
|
||||||
|
|
||||||
for token_type, token_prefix in TOKEN_PREFIXES.items():
|
|
||||||
if token.startswith(token_prefix):
|
|
||||||
logging.info(f"Found probable token type: {token_type}")
|
|
||||||
return True
|
|
||||||
|
|
||||||
# If the token type is not recognized, return False
|
|
||||||
return False
|
|
||||||
|
|
||||||
|
|
||||||
def get_token_from_arg(token_arg: str | Path | None) -> str | None:
|
|
||||||
if not token_arg:
|
|
||||||
logging.info("No token provided.")
|
|
||||||
return None
|
|
||||||
|
|
||||||
token_path = Path(token_arg)
|
|
||||||
if token_path.is_file():
|
|
||||||
return read_token_from_file(token_path)
|
|
||||||
|
|
||||||
return handle_direct_token(token_path, token_arg)
|
|
||||||
|
|
||||||
|
|
||||||
def read_token_from_file(token_path: Path) -> str:
|
|
||||||
token = token_path.read_text().strip()
|
|
||||||
logging.info(f"Token read from file: {token_path}")
|
|
||||||
return token
|
|
||||||
|
|
||||||
|
|
||||||
def handle_direct_token(token_path: Path, token_arg: str | Path) -> str | None:
|
|
||||||
if token_path == Path(get_token_from_default_dir()):
|
|
||||||
logging.warning(
|
|
||||||
f"The default token file {token_path} was not found. "
|
|
||||||
"Please provide a token file or a token directly via --token arg."
|
|
||||||
)
|
|
||||||
return None
|
|
||||||
logging.info("Token provided directly as an argument.")
|
|
||||||
return str(token_arg)
|
|
||||||
|
|
||||||
|
|
||||||
def read_token(token_arg: str | Path | None) -> str | None:
|
def read_token(token_arg: str | Path | None) -> str | None:
|
||||||
token = get_token_from_arg(token_arg)
|
"""
|
||||||
if token and not validate_gitlab_token(token):
|
Reads the token from the given file path or returns the token argument if it is not a file.
|
||||||
logging.warning("The provided token is either an old token or does not seem to "
|
|
||||||
"be a valid token.")
|
Args:
|
||||||
logging.warning("Newer tokens are the ones created from a Gitlab 14.5+ instance.")
|
token_arg (str | Path | None): The file path or the token itself.
|
||||||
logging.warning("See https://about.gitlab.com/releases/2021/11/22/"
|
|
||||||
"gitlab-14-5-released/"
|
Returns:
|
||||||
"#new-gitlab-access-token-prefix-and-detection")
|
str | None: The token string or None if the token is not provided.
|
||||||
return token
|
"""
|
||||||
|
if token_arg:
|
||||||
|
token_path = Path(token_arg)
|
||||||
|
if token_path.is_file():
|
||||||
|
# if is a file, read it
|
||||||
|
return token_path.read_text().strip()
|
||||||
|
return str(token_arg)
|
||||||
|
|
||||||
|
# if the token is not provided neither its file, return None
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
def wait_for_pipeline(projects, sha: str, timeout=None):
|
def wait_for_pipeline(projects, sha: str, timeout=None):
|
||||||
|
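Review bot: In the restored `read_token`, a `token_arg` that was meant as a file path but does not exist (typo, missing default file) falls through to `return str(token_arg)`, so the path string itself is returned as the token and, presumably, later presented to GitLab as the credential. With the format check removed there is no early signal for that case, and the docstring only says the argument is returned "if it is not a file". I would state this on that line, e.g. `# Not an existing file: token_arg is used verbatim as the token, so a mistyped path is returned as the credential`. Separately, an empty token file yields `""` rather than the `None` the docstring promises for a missing token; `return token_path.read_text().strip() or None` would align the two, if callers (not visible here) treat `None` as "no token".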