Skip to content

GitLab Next

GitLab Commit is coming up on August 3-4. Learn how to innovate together using GitLab, the DevOps platform. Register for free: gitlabcommitvirtual2021.com

Closed
Created by Matt Gonzales (ex-GitLab)@mattgonzales-gitlabContributor

Add Revoke buttons to the PAT tab of the credential inventory

Problem to solve

Currently, the credential inventory provides passive insight to administrators and group owners. With the introduction of credential management capabilities like optional SSH key expiration and PAT expiration (#118893 (closed) for gitlab.com), additional functionality is required to enable administrators and group owners to facilitate the rotation of credentials once they're expired.

GitLab would like to strike a balance between necessary policy definition and enforcement that compliance-minded organizations require and maintaining a great developer experience. Abrupt credential revocation is disruptive and frustrating, but an organization unable to rotate credentials for their users faces an increased risk of a credential's compromise.

There's no way to revoke SSH or PAT credentials on behalf of users for administrators and group owners, who need to enforce this action.

Intended users

Solution

In the "Personal Access Tokens" tab of the credentials inventory

  • Add a Revoke button that appears for each PAT that is "active" (not already expired, where expiration is enforced or revoked).
  • Show a modal to confirm the action after clicking revoke
    • Use default browser modal for MVC

    Are you sure you wish to revoke this personal access token? This action cannot be undone. [Cancel|Okay]

    • Implementing Pajamas modal → #228881
Token state Expiry Enforced? Show Revoke button Comments
Active Enforced Yes When admin voluntarily wishes to revoke (e.g. compromised account)
Active Not Enforced Yes When admin voluntarily wishes to revoke (e.g. compromised account)
Expired Enforced No PAT expires automatically
Expired Not Enforced Yes Admin revokes to prevent users from using the PAT indefinitely
Revoked Enforced No Not applicable to revoke an already revoked token
Revoked Not Enforced No Not applicable to revoke an already revoked token
Personal Access Tokens Default Browser Modal
image PAT_with_default_browser_modal

→ Figma

Stretch Goal (moved to #228721): Add a Revoke All button to the top of the inventory that revokes all expired SSH and PAT credentials.

Implementation plan

frontend - 1

  1. Add the revoke button to rows which are not expired or already revoked (see table above). The button should be placed within the Revoked column
  2. On click, show a standard browser modal, on yes, redirect to endpoint
  3. Update tests

backend - 1 | 2

  1. Add new endpoint to ee/app/controllers/concerns/credentials_inventory_actions.rb to handle the revoke
  2. Add new route to ee/config/routes/admin.rb:23
  3. Trigger revoke service from !38501 (merged)
  4. Re-render index with service message
Edited by Austin Regnery