Merge branch '320875-admin-ui-deactivate-dormant-users' into 'master'

Allow administrators to enable automatic deactivation of dormant users

See merge request gitlab-org/gitlab!62969

app/helpers/application_settings_helper.rb

@@ -368,7 +368,9 @@ module ApplicationSettingsHelper
       :container_registry_cleanup_tags_service_max_list_size,
       :keep_latest_artifact,
       :whats_new_variant
-    ]
+    ].tap do |settings|
+      settings << :deactivate_dormant_users unless Gitlab.com?
+    end
   end
 
   def external_authorization_service_attributes

app/views/admin/application_settings/_account_and_limit.html.haml

@@ -53,6 +53,14 @@
         = _('Specify an e-mail address regex pattern to identify default internal users.')
         = link_to _('More information'), help_page_path('user/permissions', anchor: 'setting-new-users-to-external'),
           target: '_blank'
+    - unless Gitlab.com?
+      .form-group
+        = f.label :deactivate_dormant_users, _('Dormant users'), class: 'label-bold'
+        .form-check
+          = f.check_box :deactivate_dormant_users, class: 'form-check-input'
+          = f.label :deactivate_dormant_users, class: 'form-check-label' do
+            = _('Deactivate dormant users after 90 days of inactivity. Users can return to active status by signing in to their account. While inactive, a user is not counted as an active user in the instance.')
+            = link_to _('More information'), help_page_path('user/admin_area/moderate_users', anchor: 'automatically-deactivate-dormant-users'), target: '_blank'
     .form-group
       = f.label :personal_access_token_prefix, _('Personal Access Token prefix'), class: 'label-light'
       = f.text_field :personal_access_token_prefix, placeholder: _('Max 20 characters'), class: 'form-control gl-form-input'

doc/api/settings.md

@@ -241,6 +241,7 @@ listed in the descriptions of the relevant settings.
 | `check_namespace_plan`                   | boolean          | no                                   | **(PREMIUM)** Enabling this makes only licensed EE features available to projects if the project namespace's plan includes the feature or if the project is public. |
 | `commit_email_hostname`                  | string           | no                                   | Custom hostname (for private commit emails). |
 | `container_registry_token_expire_delay`  | integer          | no                                   | Container Registry token duration in minutes. |
+| `deactivate_dormant_users`               | boolean          | no                                   | Enable [atomatic deactivation of dormant users](../user/admin_area/moderate_users.md#automatically-deactivate-dormant-users). |
 | `default_artifacts_expire_in`            | string           | no                                   | Set the default expiration time for each job's artifacts. |
 | `default_branch_protection`              | integer          | no                                   | Determine if developers can push to the default branch. Can take: `0` _(not protected, both developers and maintainers can push new commits, force push, or delete the branch)_, `1` _(partially protected, developers and maintainers can push new commits, but cannot force push, or delete, the branch)_ or `2` _(fully protected, developers cannot push new commits, but maintainers can; no-one can force push or delete the branch)_ as a parameter. Default is `2`. |
 | `default_ci_config_path`                  | string           | no                                   | Default CI configuration path for new projects (`.gitlab-ci.yml` if not set). |

doc/user/admin_area/moderate_users.md

@@ -95,6 +95,20 @@ Users can also be deactivated using the [GitLab API](../../api/users.md#deactiva
 NOTE:
 A deactivated user does not consume a [seat](../../subscriptions/self_managed/index.md#billable-users).
 
+### Automatically deactivate dormant users
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/320875) in GitLab 14.0.
+
+Administrators can enable automatic deactivation of users who have not signed in, or have no activity in the last 90 days. To do this:
+
+1. Navigate to  **Admin Area > Settings > General > Account and Limit**.
+1. Under the **Dormant users** tab, check **Deactivate dormant users after 90 days of inactivity**.
+1. Click **Save changes**.
+
+When this feature is enabled, GitLab runs a job once a day to deactivate the dormant users.
+
+A maximum of 100,000 users can be deactivated per day.
+
 ### Activating a user
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22257) in GitLab 12.4.

locale/gitlab.pot

@@ -10464,6 +10464,9 @@ msgstr ""
 msgid "Days to merge"
 msgstr ""
 
+msgid "Deactivate dormant users after 90 days of inactivity. Users can return to active status by signing in to their account. While inactive, a user is not counted as an active user in the instance."
+msgstr ""
+
 msgid "Deactivate this user"
 msgstr ""
 
@@ -11707,6 +11710,9 @@ msgstr ""
 msgid "Done"
 msgstr ""
 
+msgid "Dormant users"
+msgstr ""
+
 msgid "Download"
 msgstr ""
 

spec/features/admin/admin_settings_spec.rb

@@ -8,9 +8,11 @@ RSpec.describe 'Admin updates settings' do
   include UsageDataHelpers
 
   let(:admin) { create(:admin) }
+  let(:dot_com?) { false }
 
   context 'application setting :admin_mode is enabled', :request_store do
     before do
+      allow(Gitlab).to receive(:com?).and_return(dot_com?)
       stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
       sign_in(admin)
       gitlab_enable_admin_mode_sign_in(admin)
@@ -127,6 +129,37 @@ RSpec.describe 'Admin updates settings' do
         expect(user_internal_regex['placeholder']).to eq 'Regex pattern'
       end
 
+      context 'Dormant users' do
+        context 'when Gitlab.com' do
+          let(:dot_com?) { true }
+
+          it 'does not expose the setting' do
+            expect(page).to have_no_selector('#application_setting_deactivate_dormant_users')
+          end
+        end
+
+        context 'when not Gitlab.com' do
+          let(:dot_com?) { false }
+
+          it 'change Dormant users' do
+            expect(page).to have_unchecked_field('Deactivate dormant users after 90 days of inactivity')
+            expect(current_settings.deactivate_dormant_users).to be_falsey
+
+            page.within('.as-account-limit') do
+              check 'application_setting_deactivate_dormant_users'
+              click_button 'Save changes'
+            end
+
+            expect(page).to have_content "Application settings saved successfully"
+
+            page.refresh
+
+            expect(current_settings.deactivate_dormant_users).to be_truthy
+            expect(page).to have_checked_field('Deactivate dormant users after 90 days of inactivity')
+          end
+        end
+      end
+
       context 'Change Sign-up restrictions' do
         context 'Require Admin approval for new signup setting' do
           it 'changes the setting', :js do

spec/helpers/application_settings_helper_spec.rb

@@ -37,8 +37,24 @@ RSpec.describe ApplicationSettingsHelper do
   it_behaves_like 'when HTTP protocol is in use', 'https'
   it_behaves_like 'when HTTP protocol is in use', 'http'
 
-  context 'with tracking parameters' do
-    it { expect(visible_attributes).to include(*%i(snowplow_collector_hostname snowplow_cookie_domain snowplow_enabled snowplow_app_id)) }
+  describe '.visible_attributes' do
+    it 'contains tracking parameters' do
+      expect(helper.visible_attributes).to include(*%i(snowplow_collector_hostname snowplow_cookie_domain snowplow_enabled snowplow_app_id))
+    end
+
+    it 'contains :deactivate_dormant_users' do
+      expect(helper.visible_attributes).to include(:deactivate_dormant_users)
+    end
+
+    context 'when GitLab.com' do
+      before do
+        allow(Gitlab).to receive(:com?).and_return(true)
+      end
+
+      it 'does not contain :deactivate_dormant_users' do
+        expect(helper.visible_attributes).not_to include(:deactivate_dormant_users)
+      end
+    end
   end
 
   describe '.integration_expanded?' do