Change runners_token prefix for Group and Project

This changes the runners_token prefix for Group and Project to a value that cannot be parsed as an Integer and is unlikely to already exist in the database. Relates to https://gitlab.com/gitlab-org/security/gitlab/-/issues/608 Changelog: security

Change runners_token prefix for Group and Project
This changes the runners_token prefix for Group and Project to a value that cannot be parsed as an Integer and is unlikely to already exist in the database. Relates to https://gitlab.com/gitlab-org/security/gitlab/-/issues/608 Changelog: security
08873630 · Matt Kasa · 518468d3 · 08873630 · 08873630 · 08873630
Commit 08873630 authored Feb 25, 2022 by Matt Kasa
3 changed files
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -23,9 +23,9 @@ class Group < Namespace
  extend ::Gitlab::Utils::Override

  # Prefix for runners_token which can be used to invalidate existing tokens.
-  # The value chosen here is a hex encoded YYYYMMDD date corresponding to
-  # the date before which tokens are invalidated.
-  RUNNERS_TOKEN_PREFIX = '1348940'
+  # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+  # date (20220225) decimal to hex encoded.
+  RUNNERS_TOKEN_PREFIX = 'GR1348941'

  def self.sti_name
    'Group'

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -90,9 +90,9 @@ class Project < ApplicationRecord
  DEFAULT_SQUASH_COMMIT_TEMPLATE = '%{title}'

  # Prefix for runners_token which can be used to invalidate existing tokens.
-  # The value chosen here is a hex encoded YYYYMMDD date corresponding to
-  # the date before which tokens are invalidated.
-  RUNNERS_TOKEN_PREFIX = '1348940'
+  # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+  # date (20220225) decimal to hex encoded.
+  RUNNERS_TOKEN_PREFIX = 'GR1348941'

  cache_markdown_field :description, pipeline: :description


--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -34,7 +34,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
      end

      context 'when a prefix is required' do
-        let(:options) { { encrypted: :required, prefix: '1348940' } }
+        let(:options) { { encrypted: :required, prefix: 'GR1348941' } }

        it 'finds the encrypted resource by cleartext' do
          allow(model).to receive(:where)
@@ -79,7 +79,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
      end

      context 'when a prefix is required' do
-        let(:options) { { encrypted: :optional, prefix: '1348940' } }
+        let(:options) { { encrypted: :optional, prefix: 'GR1348941' } }

        it 'finds the encrypted resource by cleartext' do
          allow(model).to receive(:where)
@@ -120,7 +120,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
      end

      context 'when a prefix is required' do
-        let(:options) { { encrypted: :migrating, prefix: '1348940' } }
+        let(:options) { { encrypted: :migrating, prefix: 'GR1348941' } }

        it 'finds the encrypted resource by cleartext' do
          allow(model).to receive(:where)