1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
# frozen_string_literal: true
module Gitlab
module Cleanup
class PersonalAccessTokens
# By default tokens that haven't been used for over 1 year will be revoked
DEFAULT_TIME_PERIOD = 1.year
# To prevent inadvertently revoking all tokens, we provide a minimum time
MINIMUM_TIME_PERIOD = 1.day
attr_reader :logger, :cut_off_date, :revocation_time, :group
def initialize(cut_off_date: DEFAULT_TIME_PERIOD.ago.beginning_of_day, logger: nil, group_full_path:)
@cut_off_date = cut_off_date
# rubocop: disable CodeReuse/ActiveRecord
@group = Group.find_by_full_path(group_full_path)
# rubocop: enable CodeReuse/ActiveRecord
raise "Group with full_path #{group_full_path} not found" unless @group
raise "Invalid time: #{@cut_off_date}" unless @cut_off_date <= MINIMUM_TIME_PERIOD.ago
# Use a static revocation time to make correlation of revoked
# tokens easier, should it be needed.
@revocation_time = Time.current.utc
@logger = logger || Gitlab::AppJsonLogger
raise "Invalid logger: #{@logger}" unless @logger.respond_to?(:info) && @logger.respond_to?(:warn)
end
def run!(dry_run: true, revoke_active_tokens: false)
# rubocop:disable Rails/Output
if dry_run
puts "Dry running. No changes will be made"
elsif revoke_active_tokens
puts "Revoking used and unused access tokens created before #{cut_off_date}..."
else
puts "Revoking access tokens last used and created before #{cut_off_date}..."
end
# rubocop:enable Rails/Output
tokens_to_revoke = revocable_tokens(revoke_active_tokens)
# rubocop:disable Cop/InBatches
tokens_to_revoke.in_batches do |access_tokens|
revoke_batch(access_tokens, dry_run)
end
# rubocop:enable Cop/InBatches
end
private
def revocable_tokens(revoke_active_tokens)
if revoke_active_tokens
PersonalAccessToken
.active
.owner_is_human
.created_before(cut_off_date)
.for_users(group.users)
else
PersonalAccessToken
.active
.owner_is_human
.last_used_before_or_unused(cut_off_date)
.for_users(group.users)
end
end
def revoke_batch(access_tokens, dry_run)
# Capture a simplified set of attributes for logging and for
# determining when an error has led some records to not be
# updated
attrs = access_tokens.as_json(only: [:id, :user_id])
# Use `update_all` to bypass any validations which might
# prevent revocation. Manually specify updated_at.
affected_row_count = dry_run ? 0 : access_tokens.update_all(revoked: true, updated_at: @revocation_time)
message = {
dry_run: dry_run,
message: "Revoke token batch",
token_count: attrs.size,
updated_count: affected_row_count,
tokens: attrs,
group_full_path: group.full_path
}
# rubocop:disable Rails/Output
if dry_run
puts "Dry run complete. #{attrs.size} rows would be affected"
logger.info(message)
elsif affected_row_count.eql?(attrs.size)
puts "Finished. #{attrs.size} rows affected"
logger.info(message)
else
# :nocov:
puts "ERROR. #{affected_row_count} tokens deleted, #{attrs.size} tokens should have been deleted"
logger.warn(message)
# :nocov:
end
# rubocop:enable Rails/Output
end
end
end
end
|
