Admin should be able to reset all credentials and soft-block an account until the password is reset via email
Problem to solve
As GitLab.com grows, we are seeing more events like https://about.gitlab.com/2019/05/03/suspicious-git-activity-security-update/ that require administrators to temporarily block accounts and then manually unblock them to reset credentials. Because of open issues #27284 (closed) and #17176 (closed), the process requires using external tools to communicate properly with users, which is manual, error-prone, and hard to track.
Intended users
Sidney (Systems Administrator): this is the closest persona to our Support team.
Sam (Security Analyst)
Further details
This mechanism can be used in any cases in which control of the email associated with the account is considered sufficient evidence for account ownership.
Proposal
GitLab should offer admins a feature that, with one click or a single API call:
- Soft-blocks the account until the password is reset via email.
- Revokes all personal access tokens (PATs).
- Resets all other tokens: the feed token and the incoming email token.
- Sends an email to the account's notification and/or primary email address stating that a site administrator has reset their credentials, with instructions for performing a password reset via email.
Being able to include an optional message from admins in the notification email is good, but may not be necessary for a first iteration.
Future work may be to add revoking associated applications or external login ids.
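As an added illustration of the state changes the proposal describes (not GitLab's own code; the class, method and state names are hypothetical), a minimal in-memory Ruby model of a user whose credentials are reset by an admin and who stays soft-blocked until the emailed password reset completes:

```ruby
require 'securerandom'

# Added example, not GitLab's code: a minimal in-memory model of the
# admin-initiated credential reset. All names here are hypothetical.
PersonalAccessToken = Struct.new(:name, :revoked)

class User
  attr_reader :state, :feed_token, :incoming_email_token, :notifications

  def initialize(email, password)
    @email, @password = email, password # toy: plaintext, no hashing
    @state = :active
    @personal_access_tokens = []
    @feed_token = SecureRandom.hex(20)
    @incoming_email_token = SecureRandom.hex(20)
    @notifications = [] # stands in for the outgoing mail queue
  end

  def create_pat(name)
    PersonalAccessToken.new(name, false).tap { |t| @personal_access_tokens << t }
  end

  # The four steps of the proposal as one admin action.
  def reset_credentials!(admin_message: nil)
    @state = :blocked_pending_password_reset            # soft-block
    @personal_access_tokens.each { |t| t.revoked = true } # revoke every PAT
    @feed_token = SecureRandom.hex(20)                  # rotate feed token
    @incoming_email_token = SecureRandom.hex(20)        # rotate incoming email token
    @notifications << { to: @email, reason: 'admin_credential_reset', message: admin_message }
    true
  end

  # Only a password reset completed via the emailed link lifts the soft-block.
  def complete_password_reset!(new_password)
    raise 'no reset pending' unless @state == :blocked_pending_password_reset
    @password = new_password
    @state = :active
  end

  # Neither the old password nor any old token works while soft-blocked.
  def can_sign_in?(password)
    @state == :active && @password == password
  end

  def pat_usable?(pat)
    @state == :active && !pat.revoked
  end
end
```

The point the model makes explicit is that the soft-block is lifted only through the password-reset path, so an attacker holding the old password or a pre-reset token has no way back in.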
Permissions and Security
Only admin users should be able to perform this, via the API route or the /admin/users/:id UI page.
Documentation
Documentation will need to be provided for the API route and the UI.
Testing
The state changes to the User model are fairly self-contained, so they should mostly be covered by unit tests of the model.
What does success look like, and how can we measure that?
Less manual work by support and security teams to communicate with users and reset credentials. Fewer support tickets needed to reassure users alarmed by "someone reset your password" emails (#27284 (closed)) and other communication.
Links / references
https://about.gitlab.com/2019/05/03/suspicious-git-activity-security-update/