Invalidate stored service password if the endpoint URL is changed

https://gitlab.zendesk.com/agent/tickets/7395

As it stands now, when someone changes the project URL of the Jira service, for example, in a way that changes the server_url (i.e. the server name), the old password is preserved: if I can modify the Jira server name and point it to a specially crafted server under my control, and GitLab keeps the old password, the password will be sent to my custom server and revealed to me.

This is why when the endpoint URL of the service is changed and a password has been set for said service, the password should be invalidated and the user should be prompted to enter the password again.

@vsizov you worked on the change that now hides the password in the WebUI if one is set. What do you think about this change?

I think it impacts security, just as much as showing the password in plain text did.

/cc @JobV @rspeicher

Relevant MR regarding the password management in services !1490 (merged)

yes.This makes a lot of sense. I will fix it today.

Reassigned to @vsizov

This issue implies to have two merge requests in CE (bamboo, teamcity) and EE (jira) side.

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/1558

Thank you @vsizov

TODO:

• the same changes on EE side

https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/38

Reassigned to @patricio

@patricio Please report back.

Thank you @vsizov. I reported back.

Status changed to closed

Mentioned in commit pfjason/gitlab-ce@09637cc9