authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-03 00:10:23 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-03 00:10:23 +0000
commit3bbc597f60f05baae319cc541564bf41639fd14e (patch)
tree3454a662854d115ad6f5a5ffc1afb21bc4fde008 /lib/gitlab/cleanup
parent36e64e679dfc3e5989445f06aa238962df6ca98d (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/cleanup')
-rw-r--r--lib/gitlab/cleanup/personal_access_tokens.rb (renamed from lib/gitlab/cleanup/unused_personal_access_tokens.rb)62
1 files changed, 28 insertions, 34 deletions
diff --git a/lib/gitlab/cleanup/unused_personal_access_tokens.rb b/lib/gitlab/cleanup/personal_access_tokens.rb
index 97bf808a0ca..88665e6ada5 100644
--- a/lib/gitlab/cleanup/unused_personal_access_tokens.rb
+++ b/lib/gitlab/cleanup/personal_access_tokens.rb
@@ -2,31 +2,23 @@
module Gitlab
module Cleanup
- # Unused active Personal Access Tokens pose a risk to organizations
- # in that they may have been, or may be, leaked to unauthorized
- # individuals. They are likely providing little / no current value
- # because they are not actively being used, and should therefore be
- # proactively revoked.
- class UnusedPersonalAccessTokens
- # By default tokens that haven't been used for over 1 year will
- # be revoked
+ class PersonalAccessTokens
+ # By default tokens that haven't been used for over 1 year will be revoked
DEFAULT_TIME_PERIOD = 1.year
- # To prevent inadvertently revoking actively used tokens, we
- # provide a minimum time
+ # To prevent inadvertently revoking all tokens, we provide a minimum time
MINIMUM_TIME_PERIOD = 1.day
- attr_reader :logger, :last_used_before, :revocation_time, :group
+ attr_reader :logger, :cut_off_date, :revocation_time, :group
- def initialize(last_used_before: DEFAULT_TIME_PERIOD.ago.beginning_of_day, logger: nil, group_full_path:)
- # binding.pry
- # Ensure last_used_before is a Time and far enough in the past
- @last_used_before = last_used_before
+ def initialize(cut_off_date: DEFAULT_TIME_PERIOD.ago.beginning_of_day, logger: nil, group_full_path:)
+ @cut_off_date = cut_off_date
# rubocop: disable CodeReuse/ActiveRecord
@group = Group.find_by_full_path(group_full_path)
# rubocop: enable CodeReuse/ActiveRecord
+
raise "Group with full_path #{group_full_path} not found" unless @group
- raise "Invalid time: #{@last_used_before}" unless @last_used_before <= MINIMUM_TIME_PERIOD.ago
+ raise "Invalid time: #{@cut_off_date}" unless @cut_off_date <= MINIMUM_TIME_PERIOD.ago
# Use a static revocation time to make correlation of revoked
# tokens easier, should it be needed.
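Review bot: The reworded comment on `MINIMUM_TIME_PERIOD` now says the floor prevents "inadvertently revoking all tokens", but the guard on the `raise "Invalid time: ..."` line only requires `cut_off_date` to be at least one day in the past; combined with the new `revoke_active_tokens` mode that revokes every token created before the cut-off, a cut-off of yesterday still revokes essentially every token in the group, used or not. Make the comment state what the floor really does, e.g. `# Floor for cut_off_date: rejects cut-offs within the last day so a typo cannot revoke tokens created or used today. It does not bound how many tokens an older cut-off revokes.` The removed "Ensure last_used_before is a Time" comment was never backed by a check and the new code still has none, so a non-Time cut-off (a raw string from a rake argument, presumably) fails on the comparison with a less descriptive ArgumentError rather than the intended "Invalid time" message; if that matters, guard with `unless @cut_off_date.respond_to?(:to_time) && @cut_off_date.to_time <= MINIMUM_TIME_PERIOD.ago`. `initialize` continues past the end of this hunk.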
@@ -36,27 +28,21 @@ module Gitlab
raise "Invalid logger: #{@logger}" unless @logger.respond_to?(:info) && @logger.respond_to?(:warn)
end
- # Revokes unused personal access tokens.
- # A dry run is performed by default, logging what would be
- # revoked. Pass `dry_run: false` explicitly to revoke tokens.
- def run!(dry_run: true)
+ def run!(dry_run: true, revoke_active_tokens: false)
# rubocop:disable Rails/Output
if dry_run
puts "Dry running. No changes will be made"
+ elsif revoke_active_tokens
+ puts "Revoking used and unused access tokens created before #{cut_off_date}..."
else
- puts "Revoking access tokens from before #{last_used_before}..."
+ puts "Revoking access tokens last used and created before #{cut_off_date}..."
end
# rubocop:enable Rails/Output
- logger.info(
- dry_run: dry_run,
- group_full_path: group.full_path,
- message: "Looking for Personal Access Tokens " \
- "last used before #{last_used_before}..."
- )
+ tokens_to_revoke = revocable_tokens(revoke_active_tokens)
# rubocop:disable Cop/InBatches
- revocable_tokens.in_batches do |access_tokens|
+ tokens_to_revoke.in_batches do |access_tokens|
revoke_batch(access_tokens, dry_run)
end
# rubocop:enable Cop/InBatches
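Review bot: The structured `logger.info` call that recorded `dry_run`, `group_full_path` and the cut-off at the start of the run was removed and not replaced, so the only record of which mode `run!` executed in — including the new `revoke_active_tokens` mode, which revokes tokens regardless of whether they were used — is a `puts` to stdout. Since `initialize` insists on a logger responding to `info` and `warn`, restore a `logger.info` before the batch loop that also captures `revoke_active_tokens` and `cut_off_date`, so a bulk revocation can be reconstructed from logs afterwards. The removed method comment stating that a dry run is the default and that `dry_run: false` must be passed explicitly was also dropped; add it back above `run!`, extended with a line noting that `revoke_active_tokens: true` revokes tokens by creation date even if they are in active use. The `else` branch message says tokens "last used and created before", but the non-active query in the following hunk appears to filter only on `last_used_before`, so confirm the wording matches what that scope selects.
```ruby
      tokens_to_revoke = revocable_tokens(revoke_active_tokens)

      logger.info(
        dry_run: dry_run,
        revoke_active_tokens: revoke_active_tokens,
        group_full_path: group.full_path,
        cut_off_date: cut_off_date,
        message: "Looking for Personal Access Tokens to revoke..."
      )
      # … unchanged: in_batches loop calling revoke_batch …
```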
@@ -64,12 +50,20 @@ module Gitlab
private
- def revocable_tokens
- PersonalAccessToken
- .active
- .owner_is_human
- .last_used_before(last_used_before)
- .for_users(group.users)
+ def revocable_tokens(revoke_active_tokens)
+ if revoke_active_tokens
+ PersonalAccessToken
+ .active
+ .owner_is_human
+ .created_before(cut_off_date)
+ .for_users(group.users)
+ else
+ PersonalAccessToken
+ .active
+ .owner_is_human
+ .last_used_before(cut_off_date)
+ .for_users(group.users)
+ end
end
def revoke_batch(access_tokens, dry_run)