Merge branch 'new-gitlab-users-clear_all_authentication_tokens-task' into 'master'

Add a new gitlab:users:clear_all_authentication_tokens task

## What are the relevant issue numbers?

Part of #22537.

See merge request !6745

5 files changed, 70 insertions, 0 deletions

diff --git a/CHANGELOG b/CHANGELOG
index 05d6d6118a1..06dc2993b73 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -78,6 +78,7 @@ v 8.13.0 (unreleased)
   - API: expose pipeline data in builds API (!6502, Guilherme Salazar)
   - Notify the Merger about merge after successful build (Dimitris Karakasilis)
   - Reorder issue and merge request titles to show IDs first. !6503 (Greg Laubenstein)
+  - Add a new gitlab:users:clear_all_authentication_tokens task. !6745
   - Reduce queries needed to find users using their SSH keys when pushing commits
   - Prevent rendering the link to all when the author has no access (Katarzyna Kobierska Ula Budziszewska)
   - Fix broken repository 500 errors in project list
diff --git a/app/models/user.rb b/app/models/user.rb
index 892ac28d5b3..f367f4616fb 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -589,6 +589,11 @@ class User < ActiveRecord::Base
   end
 
   def set_projects_limit
+    # `User.select(:id)` raises
+    # `ActiveModel::MissingAttributeError: missing attribute: projects_limit`
+    # without this safeguard!
+    return unless self.has_attribute?(:projects_limit)
+
     connection_default_value_defined = new_record? && !projects_limit_changed?
     return unless self.projects_limit.nil? || connection_default_value_defined
 
diff --git a/doc/raketasks/user_management.md b/doc/raketasks/user_management.md
index 8a5e2d6e16b..044b104f5c2 100644
--- a/doc/raketasks/user_management.md
+++ b/doc/raketasks/user_management.md
@@ -70,3 +70,18 @@ sudo gitlab-rake gitlab:two_factor:disable_for_all_users
 # installation from source
 bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
 ```
+
+## Clear authentication tokens for all users. Important! Data loss!
+
+Clear authentication tokens for all users in the GitLab database. This
+task is useful if your users' authentication tokens might have been exposed in
+any way. All the existing tokens will become invalid, and new tokens are
+automatically generated upon sign-in or user modification.
+
+```
+# omnibus-gitlab
+sudo gitlab-rake gitlab:users:clear_all_authentication_tokens
+
+# installation from source
+bundle exec rake gitlab:users:clear_all_authentication_tokens RAILS_ENV=production
+```
diff --git a/lib/tasks/gitlab/users.rake b/lib/tasks/gitlab/users.rake
new file mode 100644
index 00000000000..3a16ace60bd
--- /dev/null
+++ b/lib/tasks/gitlab/users.rake
@@ -0,0 +1,11 @@
+namespace :gitlab do
+  namespace :users do
+    desc "GitLab | Clear the authentication token for all users"
+    task clear_all_authentication_tokens: :environment  do |t, args|
+      # Do small batched updates because these updates will be slow and locking
+      User.select(:id).find_in_batches(batch_size: 100) do |batch|
+        User.where(id: batch.map(&:id)).update_all(authentication_token: nil)
+      end
+    end
+  end
+end
diff --git a/spec/tasks/gitlab/users_rake_spec.rb b/spec/tasks/gitlab/users_rake_spec.rb
new file mode 100644
index 00000000000..e6ebef82b78
--- /dev/null
+++ b/spec/tasks/gitlab/users_rake_spec.rb
@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'rake'
+
+describe 'gitlab:users namespace rake task' do
+  let(:enable_registry) { true }
+
+  before :all do
+    Rake.application.rake_require 'tasks/gitlab/task_helpers'
+    Rake.application.rake_require 'tasks/gitlab/users'
+
+    # empty task as env is already loaded
+    Rake::Task.define_task :environment
+  end
+
+  def run_rake_task(task_name)
+    Rake::Task[task_name].reenable
+    Rake.application.invoke_task task_name
+  end
+
+  describe 'clear_all_authentication_tokens' do
+    before do
+      # avoid writing task output to spec progress
+      allow($stdout).to receive :write
+    end
+
+    context 'gitlab version' do
+      it 'clears the authentication token for all users' do
+        create_list(:user, 2)
+
+        expect(User.pluck(:authentication_token)).to all(be_present)
+
+        run_rake_task('gitlab:users:clear_all_authentication_tokens')
+
+        expect(User.pluck(:authentication_token)).to all(be_nil)
+      end
+    end
+  end
+end