Allow GMA groups to specify their own PAT expiry setting (2/2)

What does this MR do?

This is MR No:2 towards implementing #118893 (closed)

MR No:1 - !25963 (merged)

The required db column has already been added with: !27769 (merged)

This MR adds:

  • All GMA groups inherit the instance-level PAT expiry setting by default

  • UI: Add ability for GMA groups to specify their own PAT expiry setting via Group settings (this setting is not shown for normal groups)

  • When the PAT expiry setting is updated for a GMA, a worker is scheduled 3 hours into the future and, for all users in this GMA:

    * Revoke all `PersonalAccessToken.active` with `expires_at` higher than the maximum lifetime and with `expires_at` not set.
    * Notify the users about the revoked tokens
  • UI: When a user in a GMA group tries to create a new PAT, show callout banner in the UI about the expiry rules.

  • Documentation

Screenshots

  1. For a GMA Group

1.1 When the instance has no PAT expiry policy set:

Screenshot_2020-04-06_at_11.09.50_AM

1.2 When the instance has a PAT expiry policy set:

Screenshot_2020-04-06_at_11.11.34_AM

  2. Callout banner when creating a new PAT (this will show group expiry policy date if the user is part of GMA)

Screenshot_2020-03-25_at_3.30.56_PM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #118893 (closed)

Edited by Manoj M J [On PTO]