3 files changed, 67 insertions, 4 deletions

diff --git a/app/services/error_tracking/list_projects_service.rb b/app/services/error_tracking/list_projects_service.rb
index d52306ef805..35a8179d54d 100644
--- a/app/services/error_tracking/list_projects_service.rb
+++ b/app/services/error_tracking/list_projects_service.rb
@@ -2,8 +2,6 @@
 
 module ErrorTracking
   class ListProjectsService < ErrorTracking::BaseService
-    MASKED_TOKEN_REGEX = /\A\*+\z/.freeze
-
     private
 
     def perform
@@ -46,7 +44,7 @@ module ErrorTracking
     end
 
     def masked_token?
-      MASKED_TOKEN_REGEX.match?(params[:token])
+      ErrorTracking::SentryClient::Token.masked_token?(params[:token])
     end
   end
 end
diff --git a/app/services/projects/operations/update_service.rb b/app/services/projects/operations/update_service.rb
index b2166dc84c7..d0bef9da329 100644
--- a/app/services/projects/operations/update_service.rb
+++ b/app/services/projects/operations/update_service.rb
@@ -93,7 +93,7 @@ module Projects
             sentry_project_id: settings.dig(:project, :sentry_project_id)
           }
         }
-        params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
+        params[:error_tracking_setting_attributes][:token] = settings[:token] unless ::ErrorTracking::SentryClient::Token.masked_token?(settings[:token]) # Don't update token if we receive masked value
         params[:error_tracking_setting_attributes][:integrated] = settings[:integrated] unless settings[:integrated].nil?
 
         params
diff --git a/app/services/users/deactivate_service.rb b/app/services/users/deactivate_service.rb
new file mode 100644
index 00000000000..e69ce13d3cc
--- /dev/null
+++ b/app/services/users/deactivate_service.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Users
+  class DeactivateService < BaseService
+    def initialize(current_user, skip_authorization: false)
+      @current_user = current_user
+      @skip_authorization = skip_authorization
+    end
+
+    def execute(user)
+      unless allowed?
+        return ::ServiceResponse.error(message: _('You are not authorized to perform this action'),
+          reason: :forbidden)
+      end
+
+      if user.blocked?
+        return ::ServiceResponse.error(message: _('Error occurred. A blocked user cannot be deactivated'),
+          reason: :forbidden)
+      end
+
+      if user.internal?
+        return ::ServiceResponse.error(message: _('Internal users cannot be deactivated'),
+          reason: :forbidden)
+      end
+
+      return ::ServiceResponse.success(message: _('User has already been deactivated')) if user.deactivated?
+
+      unless user.can_be_deactivated?
+        message = _(
+          'The user you are trying to deactivate has been active in the past %{minimum_inactive_days} days ' \
+          'and cannot be deactivated')
+
+        deactivation_error_message = format(message,
+          minimum_inactive_days: Gitlab::CurrentSettings.deactivate_dormant_users_period)
+        return ::ServiceResponse.error(message: deactivation_error_message, reason: :forbidden)
+      end
+
+      unless user.deactivate
+        return ::ServiceResponse.error(message: user.errors.full_messages.to_sentence,
+          reason: :bad_request)
+      end
+
+      log_event(user)
+
+      ::ServiceResponse.success
+    end
+
+    private
+
+    attr_reader :current_user
+
+    def allowed?
+      return true if @skip_authorization
+
+      can?(current_user, :admin_all_resources)
+    end
+
+    def log_event(user)
+      Gitlab::AppLogger.info(message: 'User deactivated', user: user.username.to_s, email: user.email.to_s,
+        deactivated_by: current_user.username.to_s, ip_address: current_user.current_sign_in_ip.to_s)
+    end
+  end
+end
+
+Users::DeactivateService.prepend_mod_with('Users::DeactivateService')