Add a rake task to invoke Personal Access Token Cleanup class

Proposal

Since %14.5 (!74439 (merged)), tokens are created with a prefix. This makes it much easier to detect a leaked token quickly and revoke it. Unfortunately, there are many tokens pre-dating this change in the wild that are breaches waiting to happen.

It would help GitLab (the company) and all of our self-managed users trying to improve their security posture to have an easy rake task to revoke all tokens without a prefix.

The cleanup class that revokes tokens created before a specific date already exists, but it is not currently invoked via a task (it must be invoked in a write console). Once the rake task is written, it should be documented alongside our other cleanup Rake tasks: https://docs.gitlab.com/ee/raketasks/cleanup.html

The class to be invoked works like this (the calls below would revoke all tokens created before the date we started prefixing PATs on GitLab.com, for all members of gitlab-org):

# dry run (dry_run defaults to true, so nothing is revoked; the output shows what would be)
Gitlab::Cleanup::PersonalAccessTokens.new(
  cut_off_date: DateTime.parse("2021-10-28"),
  group_full_path: 'gitlab-org')
  .run!(revoke_active_tokens: true)

# real run (dry_run: false actually revokes the tokens)
Gitlab::Cleanup::PersonalAccessTokens.new(
  cut_off_date: DateTime.parse("2021-10-28"),
  group_full_path: 'gitlab-org')
  .run!(revoke_active_tokens: true, dry_run: false)

If the revoke_active_tokens argument is not passed, only tokens that were both created before and last used before the cut_off_date are revoked.

So the arguments the rake task would need are:

  • GROUP_FULL_PATH
  • DRY_RUN (optional, defaults to true)
  • CUT_OFF_DATE (optional, defaults to one year ago)
  • REVOKE_ACTIVE_TOKENS (optional, defaults to false)
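As an added example (not code from this issue or from GitLab), here is how such a rake task could map those four arguments onto the cleanup class, keeping the dry run as the fail-safe default. Gitlab::Cleanup::PersonalAccessTokens is not available outside a GitLab checkout, so the class is injected and a constructed FakePatCleanup stands in for it; the accepted boolean spellings and the future-date check are my assumptions.

```ruby
require 'date'

# Accepted spellings of the boolean arguments. Anything else is ignored, so a typo
# such as DRY_RUN=flase keeps the safe default instead of revoking tokens.
TRUTHY = %w[true 1 yes].freeze
FALSY  = %w[false 0 no].freeze

# Turn the task's ENV arguments into the keyword arguments the cleanup class takes.
# Defaults follow the proposal: DRY_RUN true, CUT_OFF_DATE one year ago, REVOKE_ACTIVE_TOKENS false.
def pat_cleanup_options(env, today: Date.today)
  group = env['GROUP_FULL_PATH'].to_s.strip
  raise ArgumentError, 'GROUP_FULL_PATH is required' if group.empty?

  cut_off = env['CUT_OFF_DATE'] ? DateTime.parse(env['CUT_OFF_DATE']) : (today << 12).to_datetime
  raise ArgumentError, 'CUT_OFF_DATE must not be in the future' if cut_off.to_date > today

  { group_full_path: group,
    cut_off_date: cut_off,
    dry_run: !FALSY.include?(env['DRY_RUN'].to_s.downcase), # only an explicit false disables it
    revoke_active_tokens: TRUTHY.include?(env['REVOKE_ACTIVE_TOKENS'].to_s.downcase) }
end

# Build and run the cleanup the way the console snippet above does. The cleanup class is
# injected (an assumption of this example) so it runs without a GitLab checkout.
def run_pat_cleanup(env, cleanup_class:, today: Date.today)
  opts = pat_cleanup_options(env, today: today)
  cleanup_class
    .new(cut_off_date: opts[:cut_off_date], group_full_path: opts[:group_full_path])
    .run!(revoke_active_tokens: opts[:revoke_active_tokens], dry_run: opts[:dry_run])
end

# Constructed stand-in for Gitlab::Cleanup::PersonalAccessTokens: it only reports what
# it was asked to do and revokes nothing.
class FakePatCleanup
  def initialize(cut_off_date:, group_full_path:)
    @cut_off_date = cut_off_date
    @group_full_path = group_full_path
  end

  def run!(revoke_active_tokens: false, dry_run: true)
    { group: @group_full_path, cut_off: @cut_off_date.strftime('%Y-%m-%d'),
      revoke_active_tokens: revoke_active_tokens, dry_run: dry_run }
  end
end

# Constructed sample arguments, as they would be given on the rake command line.
SAMPLE_ENV = { 'GROUP_FULL_PATH' => 'gitlab-org', 'CUT_OFF_DATE' => '2021-10-28',
               'DRY_RUN' => 'false', 'REVOKE_ACTIVE_TOKENS' => 'true' }.freeze
puts run_pat_cleanup(SAMPLE_ENV, cleanup_class: FakePatCleanup).inspect
```

In the real task, `FakePatCleanup` would be replaced by `Gitlab::Cleanup::PersonalAccessTokens` and `SAMPLE_ENV` by `ENV`.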
Edited by Jessie Young