
Add Revoke buttons to the PAT tab of the credential inventory

Problem to solve

Currently, the credential inventory provides passive insight to administrators and group owners. With the introduction of credential management capabilities like optional SSH key expiration and PAT expiration (#118893 (closed) for gitlab.com), additional functionality is required to enable administrators and group owners to facilitate the rotation of credentials once they're expired.

GitLab would like to strike a balance between necessary policy definition and enforcement that compliance-minded organizations require and maintaining a great developer experience. Abrupt credential revocation is disruptive and frustrating, but an organization unable to rotate credentials for their users faces an increased risk of a credential's compromise.

Administrators and group owners, who need to enforce this, currently have no way to revoke SSH keys or PATs on behalf of users.

Intended users

Solution

In the "Personal Access Tokens" tab of the credentials inventory

  • Add a Revoke button that appears for each PAT that is still "active": not already revoked, and not expired in the case where expiration is enforced.
  • Show a modal to confirm the action after clicking revoke
    • Use default browser modal for MVC

    Are you sure you wish to revoke this personal access token? This action cannot be undone. [Cancel|Okay]

| Token state | Expiry enforced? | Show Revoke button | Comments |
|---|---|---|---|
| Active | Enforced | Yes | When admin voluntarily wishes to revoke (e.g. compromised account) |
| Active | Not enforced | Yes | When admin voluntarily wishes to revoke (e.g. compromised account) |
| Expired | Enforced | No | PAT expires automatically |
| Expired | Not enforced | Yes | Admin revokes to prevent users from using the PAT indefinitely |
| Revoked | Enforced | No | Not applicable to revoke an already revoked token |
| Revoked | Not enforced | No | Not applicable to revoke an already revoked token |
[Image: Personal Access Tokens tab with the default browser modal (PAT_with_default_browser_modal)]

→ Figma
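As an added illustration of the decision table above (not GitLab's own code), the following Ruby derives a PAT's inventory state from its expiry and revoked flag and applies the "show Revoke button" rule; `Token` is a constructed stand-in for the real model, and the enforcement flag is assumed to be a single instance-wide setting.

```ruby
# Constructed stand-in for the PAT model: only the fields the rule needs.
Token = Struct.new(:name, :expires_at, :revoked, keyword_init: true)

# Derive the state shown in the inventory. A revoked flag wins over expiry,
# so a token that expired and was then revoked reads as "revoked".
def token_state(token, now: Time.now.utc)
  return :revoked if token.revoked
  return :expired if token.expires_at && token.expires_at <= now
  :active
end

# Revoke is offered for active tokens (voluntary revocation, e.g. after a
# compromised account) and for expired tokens when expiry is not enforced,
# because such a token would otherwise stay usable indefinitely. Revoked
# tokens and tokens that expired under enforcement need no action.
def show_revoke_button?(token, expiration_enforced:, now: Time.now.utc)
  case token_state(token, now: now)
  when :active  then true
  when :expired then !expiration_enforced
  when :revoked then false
  end
end

# Names of the inventory rows that should carry a Revoke button.
def revokable_rows(tokens, expiration_enforced:, now: Time.now.utc)
  tokens
    .select { |t| show_revoke_button?(t, expiration_enforced: expiration_enforced, now: now) }
    .map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2020, 8, 1)
  tokens = [ # constructed sample inventory
    Token.new(name: 'ci-deploy',  expires_at: now + 86_400, revoked: false),
    Token.new(name: 'old-laptop', expires_at: now - 86_400, revoked: false),
    Token.new(name: 'leaked',     expires_at: now + 86_400, revoked: true)
  ]
  p revokable_rows(tokens, expiration_enforced: true,  now: now)
  p revokable_rows(tokens, expiration_enforced: false, now: now)
end
```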

Stretch Goal (moved to #228721 (closed)): Add a Revoke All button to the top of the inventory that revokes all expired SSH and PAT credentials.

Implementation plan

frontend - 1

  1. Add the Revoke button to rows whose token is not already revoked and has not expired under enforced expiration (see the table above). The button should be placed within the Revoked column
  2. On click, show the standard browser confirm dialog; on confirmation, redirect to the revoke endpoint
  3. Update tests

backend - 1 | 2

  1. Add new endpoint to ee/app/controllers/concerns/credentials_inventory_actions.rb to handle the revoke
  2. Add new route to ee/config/routes/admin.rb:23
  3. Trigger revoke service from !38501 (merged)
  4. Re-render index with service message

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖