author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-03 00:10:23 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-03 00:10:23 +0000 |
commit | 3bbc597f60f05baae319cc541564bf41639fd14e (patch) | |
tree | 3454a662854d115ad6f5a5ffc1afb21bc4fde008 /lib/gitlab/cleanup | |
parent | 36e64e679dfc3e5989445f06aa238962df6ca98d (diff) | |
download | gitlab-ce-3bbc597f60f05baae319cc541564bf41639fd14e.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/cleanup')
-rw-r--r-- | lib/gitlab/cleanup/personal_access_tokens.rb (renamed from lib/gitlab/cleanup/unused_personal_access_tokens.rb) | 62 |
1 files changed, 28 insertions, 34 deletions
diff --git a/lib/gitlab/cleanup/unused_personal_access_tokens.rb b/lib/gitlab/cleanup/personal_access_tokens.rb
index 97bf808a0ca..88665e6ada5 100644
--- a/lib/gitlab/cleanup/unused_personal_access_tokens.rb
+++ b/lib/gitlab/cleanup/personal_access_tokens.rb
@@ -2,31 +2,23 @@ module Gitlab module Cleanup - # Unused active Personal Access Tokens pose a risk to organizations - # in that they may have been, or may be, leaked to unauthorized - # individuals. They are likely providing little / no current value - # because they are not actively being used, and should therefore be - # proactively revoked. - class UnusedPersonalAccessTokens - # By default tokens that haven't been used for over 1 year will - # be revoked + class PersonalAccessTokens + # By default tokens that haven't been used for over 1 year will be revoked DEFAULT_TIME_PERIOD = 1.year - # To prevent inadvertently revoking actively used tokens, we - # provide a minimum time + # To prevent inadvertently revoking all tokens, we provide a minimum time MINIMUM_TIME_PERIOD = 1.day - attr_reader :logger, :last_used_before, :revocation_time, :group + attr_reader :logger, :cut_off_date, :revocation_time, :group - def initialize(last_used_before: DEFAULT_TIME_PERIOD.ago.beginning_of_day, logger: nil, group_full_path:) - # binding.pry - # Ensure last_used_before is a Time and far enough in the past - @last_used_before = last_used_before + def initialize(cut_off_date: DEFAULT_TIME_PERIOD.ago.beginning_of_day, logger: nil, group_full_path:) + @cut_off_date = cut_off_date # rubocop: disable CodeReuse/ActiveRecord @group = Group.find_by_full_path(group_full_path) # rubocop: enable CodeReuse/ActiveRecord + raise "Group with full_path #{group_full_path} not found" unless @group - raise "Invalid time: #{@last_used_before}" unless @last_used_before <= MINIMUM_TIME_PERIOD.ago + raise "Invalid time: #{@cut_off_date}" unless @cut_off_date <= MINIMUM_TIME_PERIOD.ago # Use a static revocation time to make correlation of revoked # tokens easier, should it be needed. 
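Review bot: The rewritten guard `raise "Invalid time: #{@cut_off_date}" unless @cut_off_date <= MINIMUM_TIME_PERIOD.ago` still checks only recency; a `cut_off_date` that is nil or a String (e.g. passed straight through from a rake task argument) fails inside `<=` with a NoMethodError or ArgumentError instead of the intended message, and the comment that promised to "Ensure ... is a Time" has been deleted rather than implemented. A type check such as `raise "Invalid time: #{@cut_off_date.inspect}" unless @cut_off_date.is_a?(Time) && @cut_off_date <= MINIMUM_TIME_PERIOD.ago` keeps the failure explicit (an ActiveSupport TimeWithZone answers true to `is_a?(Time)`). The hunk also drops the class-level rationale comment at the same time as the class gains a mode that revokes tokens regardless of use; a replacement class comment stating that the cleanup revokes active, human-owned tokens of the group's users that were last used before `cut_off_date`, or with `revoke_active_tokens: true` every such token created before it, would tell the operator what they are about to run. The `initialize` body continues past the end of this hunk.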
@@ -36,27 +28,21 @@ module Gitlab raise "Invalid logger: #{@logger}" unless @logger.respond_to?(:info) && @logger.respond_to?(:warn) end - # Revokes unused personal access tokens. - # A dry run is performed by default, logging what would be - # revoked. Pass `dry_run: false` explicitly to revoke tokens. - def run!(dry_run: true) + def run!(dry_run: true, revoke_active_tokens: false) # rubocop:disable Rails/Output if dry_run puts "Dry running. No changes will be made" + elsif revoke_active_tokens + puts "Revoking used and unused access tokens created before #{cut_off_date}..." else - puts "Revoking access tokens from before #{last_used_before}..." + puts "Revoking access tokens last used and created before #{cut_off_date}..." end # rubocop:enable Rails/Output - logger.info( - dry_run: dry_run, - group_full_path: group.full_path, - message: "Looking for Personal Access Tokens " \ - "last used before #{last_used_before}..." - ) + tokens_to_revoke = revocable_tokens(revoke_active_tokens) # rubocop:disable Cop/InBatches - revocable_tokens.in_batches do |access_tokens| + tokens_to_revoke.in_batches do |access_tokens| revoke_batch(access_tokens, dry_run) end # rubocop:enable Cop/InBatches @@ -64,12 +50,20 @@ module Gitlab private - def revocable_tokens - PersonalAccessToken - .active - .owner_is_human - .last_used_before(last_used_before) - .for_users(group.users) + def revocable_tokens(revoke_active_tokens) + if revoke_active_tokens + PersonalAccessToken + .active + .owner_is_human + .created_before(cut_off_date) + .for_users(group.users) + else + PersonalAccessToken + .active + .owner_is_human + .last_used_before(cut_off_date) + .for_users(group.users) + end end def revoke_batch(access_tokens, dry_run) |
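Review bot: The deleted `logger.info(dry_run: ..., group_full_path: ..., message: ...)` was the only structured record of a run's parameters and the new `run!` replaces it with nothing: mode, cut-off and group are now only echoed to stdout by `puts`, so a bulk revocation with `revoke_active_tokens: true` leaves no log of what was selected, and in dry-run the stdout message does not even say which mode was exercised. Re-adding the call with the new flag, e.g. `logger.info(dry_run: dry_run, revoke_active_tokens: revoke_active_tokens, group_full_path: group.full_path, message: "Looking for Personal Access Tokens #{revoke_active_tokens ? 'created' : 'last used'} before #{cut_off_date}...")`, keeps the audit trail that the logger validation in `initialize` exists to guarantee. The removed method comment should also come back, extended to say that `dry_run` defaults to true and that `revoke_active_tokens: true` selects tokens by creation date regardless of use. The `run!` body continues past the end of this hunk.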
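Review bot: The `else` branch of `revocable_tokens` constrains the query only with `last_used_before(cut_off_date)`, whereas the stdout message in `run!` promises tokens "last used and created before" the date; unless the `last_used_before` scope (defined on the model, outside this file) also matches rows whose `last_used_at` is NULL, tokens created before the cut-off that were never used are not selected, so either the scope should be confirmed to cover them or the message corrected to match the query. The two branches also repeat the whole `.active.owner_is_human.for_users(group.users)` chain and differ in a single scope; `base = PersonalAccessToken.active.owner_is_human.for_users(group.users)` followed by `revoke_active_tokens ? base.created_before(cut_off_date) : base.last_used_before(cut_off_date)` keeps the two selections visibly aligned. A one-line comment above the method, `# Selects by creation date when revoke_active_tokens is true, otherwise by last use`, would document the distinction for the next reader.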