
Allow admins to revoke PAT tokens via API

Problem to solve

In #214811 (closed) we will implement a manual Revoke button inside the credentials inventory to enable administrators to revoke access tokens they know to be out of date.

A manual Revoke button does not sufficiently support larger organizations that rely on GitLab's APIs to programmatically carry out many functions within the application. Further, there's no way for a compliance-minded organization to automatically enforce their credential rotation policy.

Intended users

Further details

Striking a balance between disruptive workflows and what compliance-minded organizations require from GitLab is a challenge. With this issue, part of &3084, I believe we can find that balance.

This implementation would allow organizations to implement an enforcement policy for their users without GitLab building in native, programmatic enforcement that may not be desirable for all scenarios.

Proposal

Create an API endpoint, e.g. /tokens, that allows anyone who can revoke a particular PAT credential within the UI to do the following:

  • Define PAT expiration duration (should update the setting within the admin area)
  • Revoke a single PAT from a single user
  • Revoke all PATs from a single user

Note: Revoking all PATs from all users seems potentially too heavy-handed and may be unnecessary, since a script can revoke all PATs from a single user and loop over users.
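As an added example (not GitLab's code and not part of this issue), here is how a compliance team could script the rotation policy this proposal is meant to enable. It assumes an endpoint of the proposed shape, `GET /tokens?user_id=<id>` listing a user's PATs and `DELETE /tokens/<id>` revoking one; the paths, the JSON field names (`id`, `created_at`, `revoked`, `active`) and the use of the `PRIVATE-TOKEN` header are assumptions, and the token list is constructed so the script runs offline against an in-memory stand-in for the API.

```python
"""Credential-rotation enforcement against a hypothetical token-revocation API.

Assumed (not real, not confirmed by the issue) endpoint shape:
  GET    /tokens?user_id=<id>  -> JSON list of PATs: id, name, created_at, revoked, active
  DELETE /tokens/<token_id>    -> revoke one PAT
Per the proposal, the caller must be an administrator or the PAT's owner.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# A transport maps (method, path) to the parsed JSON body, so the policy
# logic can be exercised without a live server.
Transport = Callable[[str, str], object]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a missing zone is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def tokens_past_policy(tokens: List[Dict], max_age: timedelta, now: datetime) -> List[Dict]:
    """Return the active tokens created more than max_age before now."""
    stale = []
    for tok in tokens:
        if tok.get("revoked") or not tok.get("active", True):
            continue  # already out of service; nothing to enforce
        if now - parse_ts(tok["created_at"]) > max_age:
            stale.append(tok)
    return stale


def enforce_rotation(transport: Transport, user_id: int, max_age: timedelta,
                     now: Optional[datetime] = None) -> List[int]:
    """Revoke every active PAT of one user older than max_age; return revoked ids."""
    now = now or datetime.now(timezone.utc)
    tokens = transport("GET", f"/tokens?user_id={user_id}")
    revoked = []
    for tok in tokens_past_policy(tokens, max_age, now):
        transport("DELETE", f"/tokens/{tok['id']}")
        revoked.append(tok["id"])
    return revoked


def http_transport(base_url: str, caller_token: str) -> Transport:
    """Transport over HTTPS for a real run; caller_token must belong to an admin or the PAT owner."""
    def call(method: str, path: str):
        req = urllib.request.Request(base_url + path, method=method,
                                     headers={"PRIVATE-TOKEN": caller_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
            return json.loads(body) if body else None
    return call


# ---- Constructed sample data and an in-memory API stand-in (offline run) ----
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [  # constructed; ids and names are placeholders
    {"id": 1, "name": "ci-deploy", "created_at": "2020-01-15T10:00:00Z", "revoked": False, "active": True},
    {"id": 2, "name": "laptop", "created_at": "2020-05-01T08:30:00Z", "revoked": False, "active": True},
    {"id": 3, "name": "old-but-revoked", "created_at": "2019-11-02T00:00:00Z", "revoked": True, "active": False},
    {"id": 4, "name": "legacy-script", "created_at": "2020-02-28T23:59:00Z", "revoked": False, "active": True},
]


class FakeTokenApi:
    """In-memory stand-in for the assumed /tokens endpoint; records every call."""

    def __init__(self, tokens: List[Dict]):
        self.tokens = {t["id"]: dict(t) for t in tokens}
        self.calls = []

    def __call__(self, method: str, path: str):
        self.calls.append((method, path))
        if method == "GET" and path.startswith("/tokens?user_id="):
            return list(self.tokens.values())
        if method == "DELETE" and path.startswith("/tokens/"):
            tok = self.tokens[int(path.rsplit("/", 1)[1])]
            tok["revoked"], tok["active"] = True, False
            return {"id": tok["id"], "revoked": True}
        raise ValueError(f"unexpected request {method} {path}")


if __name__ == "__main__":
    api = FakeTokenApi(SAMPLE_TOKENS)
    # 90-day policy on 2020-06-01: tokens 1 and 4 are stale, 2 is fresh, 3 is already revoked.
    print(enforce_rotation(api, user_id=42, max_age=timedelta(days=90), now=NOW))
```

The policy decision is kept in `tokens_past_policy`, a pure function over the token list, so it can be unit-tested without touching the API; the transport is the only piece that changes between the offline stand-in and a real run with `http_transport`. Running the script a second time revokes nothing, which is the idempotence a scheduled enforcement job needs.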

Permissions and Security

Only administrators or users who own the PAT credential should be able to use this feature via API.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Matt Gonzales (ex-GitLab)