-2

Context

After having been able to add a GitLab personal access token using bash with:

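```bash
# Create a personal access token with the given value for a GitLab user,
# by running Ruby through gitlab-rails inside the GitLab docker container.
add_gitlab_personal_access_token(){
  local gitlab_username="$1"
  local token_name="$2"
  local personal_access_token="$3"
  local docker_container_id="$4"
  local output

  # The arguments are spliced into the Ruby source unescaped, so they must not contain quotes.
  output="$(sudo docker exec -i "$docker_container_id" bash -c "gitlab-rails runner \"token = User.find_by_username('$gitlab_username').personal_access_tokens.create(scopes: [:api], name: '$token_name'); token.set_token('$personal_access_token'); token.save! \"")"
}
```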

Attempts I

Using the docker exec and bash -c command as used in setting the token allows one to revoke the token:

```bash
# Revoke the personal access token with the given value inside the GitLab container.
revoke_token(){
    local docker_container_id="$1"
    local token="sometokenpersonalgitlabtoken"
    local output

    output="$(sudo docker exec -i "$docker_container_id" bash -c "gitlab-rails runner \"PersonalAccessToken.find_by_token('$token').revoke! \"")"
    echo "output=$output"
}
```

Issue

However, after trying to add the token again, it is still in GitLab, and GitLab returns:

DETAIL:  Key (token_digest)=(somelongkeysasdfasdfasdfkeyending=) already exists.

So the revoke method does not actually delete the token; it merely revokes it.

Question

I was wondering: How can one delete the GitLab personal token in the docker container using bash (based on the $token_name)?

a.t.
  • 1
    Does this answer your question? [Executing 'bash -c' in 'docker exec' command](https://stackoverflow.com/questions/50214436/executing-bash-c-in-docker-exec-command) – sytech Feb 24 '22 at 22:40
  • Thank you for the suggestion, it did not resolve the issue. Primarily I am experiencing some difficulties with the command that is used by `gitlab-rails` to revoke the token. Additionally, I expect that once it has been revoked, it has not yet been deleted. In essence, when I try to create a new token with the same name (which has been revoked), I expect GitLab to throw an error saying that the token has already been used. – a.t. Feb 25 '22 at 11:21
  • Are you 100% sure the revoke command completes successfully, as far as gitlab-rails is concerned? Can you get into an interactive bash shell in the container and see those commands working for the sake of diagnosis, if you construct them manually? – Jeff Bowman Feb 25 '22 at 11:41
  • 1
    @JeffBowman no. However, I did verify the revoke method works by seeing the token get removed inside the GitLab server through the browser. I think so, however, the answer of the question I think can be considered that one should not want to delete a GitLab token, merely revoke it. I was unaware of that at the time of writing my question. Hence I see more value in other actions. Thanks for suggesting a different verification strategy. – a.t. Feb 25 '22 at 16:50

1 Answer

0

The answer to this question I think is: It's a feature, not a bug. I assume it is bad security practice to re-use a token, so instead of trying to delete an old token, I wrote a method that automatically generates random tokens.

The revoke method in the question works. It has been manually verified by checking whether the GitLab personal access token disappeared in GitLab browser.

a.t.
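The approach described in the answer above (a fresh random token on every run instead of re-using a revoked value), as an added example that is not code from the original post. The function names and the token length of 20 are assumptions; the values are checked against an allow-list because, as in the question's functions, they are spliced into Ruby source.

```shell
#!/usr/bin/env bash
# Added example; all function names below are hypothetical.

# Print a fresh random alphanumeric token (default length 20, an assumed value).
generate_random_token() {
  local length="${1:-20}"
  local token=""
  while [ "${#token}" -lt "$length" ]; do
    token="${token}$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s\n' "$token" | cut -c "1-$length"
}

# Succeed only for non-empty values made of characters that cannot close
# the single-quoted Ruby string the value is placed in.
is_safe_identifier() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the Ruby passed to gitlab-rails runner; fail if any value is unsafe.
build_create_token_script() {
  local gitlab_username="$1"
  local token_name="$2"
  local personal_access_token="$3"
  is_safe_identifier "$gitlab_username" || return 1
  is_safe_identifier "$token_name" || return 1
  is_safe_identifier "$personal_access_token" || return 1
  printf "token = User.find_by_username('%s').personal_access_tokens.create(scopes: [:api], name: '%s'); token.set_token('%s'); token.save!" \
    "$gitlab_username" "$token_name" "$personal_access_token"
}

# Create a token with a new random value and print that value on success.
add_random_gitlab_personal_access_token() {
  local gitlab_username="$1"
  local token_name="$2"
  local docker_container_id="$3"
  local personal_access_token
  local ruby
  personal_access_token="$(generate_random_token 20)"
  ruby="$(build_create_token_script "$gitlab_username" "$token_name" "$personal_access_token")" || return 1
  # The Ruby is one argv element, so no nested bash -c quoting layer is needed.
  sudo docker exec -i "$docker_container_id" gitlab-rails runner "$ruby" >/dev/null || return 1
  printf '%s\n' "$personal_access_token"
}
```

Because each value is new, its digest does not collide with a revoked token's `token_digest`, which is the error shown in the question.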