Remove CI/CD variable validations on AWS keys

Previously AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY had a strict, 40-character regex based on Amazon's recommendations. However, many S3-compatible providers use values that don't adhere to this regex. To make these CI/CD variables work with other S3 providers, eliminate the validation altogether. Closes https://gitlab.com/gitlab-org/gitlab/-/issues/215557

Remove CI/CD variable validations on AWS keys
Previously AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY had a strict, 40-character regex based on Amazon's recommendations. However, many S3-compatible providers use values that don't adhere to this regex. To make these CI/CD variables work with other S3 providers, eliminate the validation altogether. Closes https://gitlab.com/gitlab-org/gitlab/-/issues/215557
061b842c · Stan Hu · c83daaeb · 061b842c · 061b842c · 061b842c
Commit 061b842c authored Jul 12, 2020 by Stan Hu
5 changed files
--- a/app/assets/javascripts/ci_variable_list/components/ci_variable_autocomplete_tokens.js
+++ b/app/assets/javascripts/ci_variable_list/components/ci_variable_autocomplete_tokens.js
-import { __ } from '~/locale';
-
 import { AWS_ACCESS_KEY_ID, AWS_DEFAULT_REGION, AWS_SECRET_ACCESS_KEY } from '../constants';

 export const awsTokens = {
  [AWS_ACCESS_KEY_ID]: {
    name: AWS_ACCESS_KEY_ID,
-    /* Checks for exactly twenty characters that match key.
-       Based on greps suggested by Amazon at:
-       https://aws.amazon.com/blogs/security/a-safer-way-to-distribute-aws-credentials-to-ec2/
-    */
-    validation: val => /^[A-Za-z0-9]{20}$/.test(val),
-    invalidMessage: __('This variable does not match the expected pattern.'),
  },
  [AWS_DEFAULT_REGION]: {
    name: AWS_DEFAULT_REGION,
  },
  [AWS_SECRET_ACCESS_KEY]: {
    name: AWS_SECRET_ACCESS_KEY,
-    /* Checks for exactly forty characters that match secret.
-       Based on greps suggested by Amazon at:
-       https://aws.amazon.com/blogs/security/a-safer-way-to-distribute-aws-credentials-to-ec2/
-    */
-    validation: val => /^[A-Za-z0-9/+=]{40}$/.test(val),
-    invalidMessage: __('This variable does not match the expected pattern.'),
  },
 };


--- a/changelogs/unreleased/sh-loosen-aws-tokens.yml
+++ b/changelogs/unreleased/sh-loosen-aws-tokens.yml
+---
+title: Remove CI/CD variable validations on AWS keys
+merge_request: 36679
+author:
+type: fixed
--- a/doc/ci/variables/README.md
+++ b/doc/ci/variables/README.md
@@ -233,13 +233,12 @@ be updated or viewed by project members with [maintainer permissions](../../user
 ### Custom variables validated by GitLab

 Some variables are listed in the UI so you can choose them more quickly.
-GitLab validates the values of these variables to ensure they are in the correct format.

 | Variable                | Allowed Values                                     | Introduced in |
 |-------------------------|----------------------------------------------------|---------------|
-| `AWS_ACCESS_KEY_ID`     | 20 characters: letters, digits                     | 12.10         |
+| `AWS_ACCESS_KEY_ID`     | Any                                                | 12.10         |
 | `AWS_DEFAULT_REGION`    | Any                                                | 12.10         |
-| `AWS_SECRET_ACCESS_KEY` | 40 characters: letters, digits, special characters | 12.10         |
+| `AWS_SECRET_ACCESS_KEY` | Any                                                | 12.10         |

 NOTE: **Note:**
 When you store credentials, there are security implications. If you are using AWS keys,

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -24034,9 +24034,6 @@ msgstr ""
 msgid "This variable can not be masked."
 msgstr ""

-msgid "This variable does not match the expected pattern."
-msgstr ""
-
 msgid "This will help us personalize your onboarding experience."
 msgstr ""


--- a/spec/frontend/ci_variable_list/components/ci_variable_modal_spec.js
+++ b/spec/frontend/ci_variable_list/components/ci_variable_modal_spec.js
@@ -4,7 +4,6 @@ import { GlDeprecatedButton } from '@gitlab/ui';
 import { AWS_ACCESS_KEY_ID } from '~/ci_variable_list/constants';
 import CiVariableModal from '~/ci_variable_list/components/ci_variable_modal.vue';
 import CiKeyField from '~/ci_variable_list/components/ci_key_field.vue';
-import { awsTokens } from '~/ci_variable_list/components/ci_variable_autocomplete_tokens';
 import createStore from '~/ci_variable_list/store';
 import mockData from '../services/mock_data';
 import ModalStub from '../stubs';
@@ -176,29 +175,6 @@ describe('Ci variable modal', () => {
  describe('Validations', () => {
    const maskError = 'This variable can not be masked.';

-    describe('when the key state is invalid', () => {
-      beforeEach(() => {
-        const [variable] = mockData.mockVariables;
-        const invalidKeyVariable = {
-          ...variable,
-          key: AWS_ACCESS_KEY_ID,
-          value: 'AKIAIOSFODNN7EXAMPLEjdhy',
-          secret_value: 'AKIAIOSFODNN7EXAMPLEjdhy',
-        };
-        createComponent(mount);
-        store.state.variable = invalidKeyVariable;
-      });
-
-      it('disables the submit button', () => {
-        expect(addOrUpdateButton(1).attributes('disabled')).toBeTruthy();
-      });
-
-      it('shows the correct error text', () => {
-        const errorText = awsTokens[AWS_ACCESS_KEY_ID].invalidMessage;
-        expect(findModal().text()).toContain(errorText);
-      });
-    });
-
    describe('when the mask state is invalid', () => {
      beforeEach(() => {
        const [variable] = mockData.mockVariables;
@@ -222,39 +198,14 @@ describe('Ci variable modal', () => {
      });
    });

-    describe('when the mask and key states are invalid', () => {
-      beforeEach(() => {
-        const [variable] = mockData.mockVariables;
-        const invalidMaskandKeyVariable = {
-          ...variable,
-          key: AWS_ACCESS_KEY_ID,
-          value: 'AKIAIOSFODNN7EXAMPLEjdhyd:;',
-          secret_value: 'AKIAIOSFODNN7EXAMPLEjdhyd:;',
-          masked: true,
-        };
-        createComponent(mount);
-        store.state.variable = invalidMaskandKeyVariable;
-      });
-
-      it('disables the submit button', () => {
-        expect(addOrUpdateButton(1).attributes('disabled')).toBeTruthy();
-      });
-
-      it('shows the correct error text', () => {
-        const errorText = awsTokens[AWS_ACCESS_KEY_ID].invalidMessage;
-        expect(findModal().text()).toContain(maskError);
-        expect(findModal().text()).toContain(errorText);
-      });
-    });
-
    describe('when both states are valid', () => {
      beforeEach(() => {
        const [variable] = mockData.mockVariables;
        const validMaskandKeyVariable = {
          ...variable,
          key: AWS_ACCESS_KEY_ID,
-          value: 'AKIAIOSFODNN7EXAMPLE',
-          secret_value: 'AKIAIOSFODNN7EXAMPLE',
+          value: '12345678',
+          secret_value: '87654321',
          masked: true,
        };
        createComponent(mount);
@@ -265,12 +216,6 @@ describe('Ci variable modal', () => {
      it('does not disable the submit button', () => {
        expect(addOrUpdateButton(1).attributes('disabled')).toBeFalsy();
      });
-
-      it('shows no error text', () => {
-        const errorText = awsTokens[AWS_ACCESS_KEY_ID].invalidMessage;
-        expect(findModal().text()).not.toContain(maskError);
-        expect(findModal().text()).not.toContain(errorText);
-      });
    });
  });
 });