From 5f9bb026c1b7a03de9e17c4f98eb151c130e9460 Mon Sep 17 00:00:00 2001
From: Adrien Kohlbecker <adrien.kohlbecker@gmail.com>
Date: Fri, 26 Mar 2021 13:08:42 +0100
Subject: [PATCH] Remove programatic access to runner registration tokens

---
 changelogs/unreleased/ak-fix-registration-token.yml | 5 +++++
 lib/gitlab/ci/runner_instructions.rb                | 6 +++---
 spec/lib/gitlab/ci/runner_instructions_spec.rb      | 6 +++---
 3 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 changelogs/unreleased/ak-fix-registration-token.yml

diff --git a/changelogs/unreleased/ak-fix-registration-token.yml b/changelogs/unreleased/ak-fix-registration-token.yml
new file mode 100644
index 00000000000..5c40f8072b3
--- /dev/null
+++ b/changelogs/unreleased/ak-fix-registration-token.yml
@@ -0,0 +1,5 @@
+---
+title: Remove programmatic access to registration tokens
+merge_request: 57524
+author:
+type: changed
diff --git a/lib/gitlab/ci/runner_instructions.rb b/lib/gitlab/ci/runner_instructions.rb
index dd0bfa768a8..cc92dfe7806 100644
--- a/lib/gitlab/ci/runner_instructions.rb
+++ b/lib/gitlab/ci/runner_instructions.rb
@@ -117,20 +117,20 @@ module Gitlab
         return unless @project
         raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_pipeline, @project)
 
-        @project.runners_token
+        '$REGISTRATION_TOKEN'
       end
 
       def group_token
         return unless @group
         raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_group, @group)
 
-        @group.runners_token
+        '$REGISTRATION_TOKEN'
       end
 
       def instance_token
         raise Gitlab::Access::AccessDeniedError unless @current_user&.admin?
 
-        Gitlab::CurrentSettings.runners_registration_token
+        '$REGISTRATION_TOKEN'
       end
     end
   end
diff --git a/spec/lib/gitlab/ci/runner_instructions_spec.rb b/spec/lib/gitlab/ci/runner_instructions_spec.rb
index d1020026fe6..34fe56bfe68 100644
--- a/spec/lib/gitlab/ci/runner_instructions_spec.rb
+++ b/spec/lib/gitlab/ci/runner_instructions_spec.rb
@@ -123,7 +123,7 @@ RSpec.describe Gitlab::Ci::RunnerInstructions do
             result = subject.register_command
 
             expect(result).to include("#{commands[commands.each_key.first]} register")
-            expect(result).to include("--registration-token #{group.runners_token}")
+            expect(result).to include("--registration-token $REGISTRATION_TOKEN")
             expect(result).to include("--url #{Gitlab::Routing.url_helpers.root_url(only_path: false)}")
           end
         end
@@ -166,7 +166,7 @@ RSpec.describe Gitlab::Ci::RunnerInstructions do
             result = subject.register_command
 
             expect(result).to include("#{commands[commands.each_key.first]} register")
-            expect(result).to include("--registration-token #{project.runners_token}")
+            expect(result).to include("--registration-token $REGISTRATION_TOKEN")
             expect(result).to include("--url #{Gitlab::Routing.url_helpers.root_url(only_path: false)}")
           end
         end
@@ -205,7 +205,7 @@ RSpec.describe Gitlab::Ci::RunnerInstructions do
             result = subject.register_command
 
             expect(result).to include("#{commands[commands.each_key.first]} register")
-            expect(result).to include("--registration-token #{Gitlab::CurrentSettings.runners_registration_token}")
+            expect(result).to include("--registration-token $REGISTRATION_TOKEN")
             expect(result).to include("--url #{Gitlab::Routing.url_helpers.root_url(only_path: false)}")
           end
         end
-- 
2.30.9