Commit 38f6d4f8 authored by Max Woolf

Enables notifications when administrators revoke credentials

When an administrator or managed group administrator
revokes or deletes a credential, send the credential
owner an email to inform them of it and the next steps
that they can take.
parent 8188bc2d
...@@ -40,39 +40,12 @@ If you see a **Revoke** button, you can revoke that user's PAT. Whether you see ...@@ -40,39 +40,12 @@ If you see a **Revoke** button, you can revoke that user's PAT. Whether you see
| Revoked | Yes | No | Not applicable; token is already revoked | | Revoked | Yes | No | Not applicable; token is already revoked |
| Revoked | No | No | Not applicable; token is already revoked | | Revoked | No | No | Not applicable; token is already revoked |
Revoking a PAT from the credentials inventory will notify the user.
## Delete a user's SSH key ## Delete a user's SSH key
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225248) in GitLab 13.5. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225248) in GitLab 13.5.
You can **Delete** a user's SSH key by navigating to the credentials inventory's SSH Keys tab. You can **Delete** a user's SSH key by navigating to the credentials inventory's SSH Keys tab. Deleting a user's SSH key from the credentials inventory will notify the user.
![Credentials inventory page - SSH keys](img/credentials_inventory_ssh_keys_v13_5.png) ![Credentials inventory page - SSH keys](img/credentials_inventory_ssh_keys_v13_5.png)
## Revocation or deletion notification
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250354) in GitLab 13.6.
> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default.
> - It's disabled on GitLab.com.
> - It's not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-revocation-or-deletion-notification).
CAUTION: **Warning:**
This feature might not be available to you. Check the **version history** note above for details.
### Enable or disable revocation or deletion notification **(ULTIMATE ONLY)**
Revocation or deletion notification is under development and not ready for production use. It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md)
can enable it.
To enable it:
```ruby
Feature.enable(:credentials_inventory_revocation_emails)
```
To disable it:
```ruby
Feature.disable(:credentials_inventory_revocation_emails)
```
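Review bot: dropping the whole "Revocation or deletion notification" section also drops the version-history note, so the page no longer tells administrators which release started emailing credential owners. Keep a short version note next to the new sentences ("Revoking a PAT from the credentials inventory will notify the user." / "Deleting a user's SSH key ... will notify the user."), carrying over the 13.6 introduction from the removed lines and stating that the `credentials_inventory_revocation_emails` flag has been removed, so an admin on an older instance knows whether the owner will be told. The removed lines also said the feature was disabled on GitLab.com; if that is no longer the case, the docs should say so explicitly rather than by omission.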
...@@ -55,8 +55,6 @@ module CredentialsInventoryActions ...@@ -55,8 +55,6 @@ module CredentialsInventoryActions
end end
def notify_deleted_or_revoked_credential(credential) def notify_deleted_or_revoked_credential(credential)
return unless Feature.enabled?(:credentials_inventory_revocation_emails, credential.user)
if credential.is_a?(Key) if credential.is_a?(Key)
CredentialsInventoryMailer.ssh_key_deleted_email( CredentialsInventoryMailer.ssh_key_deleted_email(
params: { params: {
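Review bot: with the `return unless Feature.enabled?(:credentials_inventory_revocation_emails, credential.user)` guard removed, `notify_deleted_or_revoked_credential` now sends mail on every revocation or deletion, so this becomes the path an administrator's request blocks on. Confirm that the `CredentialsInventoryMailer` calls deliver asynchronously and that a mail failure cannot surface as a failed revocation: the security action (revoking the PAT or deleting the key) must succeed even when the notification does not. The hunk only shows the `if credential.is_a?(Key)` branch; the same check applies to the PAT branch outside the visible context.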
......
---
title: Enable credentials inventory revocation emails
merge_request:
author:
type: added
---
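Review bot: `merge_request:` and `author:` are blank in this changelog entry; the `merge_request:` field is what links the release notes back to the change, so it should be filled in with this MR's IID before merge (the number is not visible in the commit, so it is not suggested here). The title could also say who is notified, e.g. "Notify credential owners when an administrator revokes or deletes their credential", which is what the commit message describes.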
name: credentials_inventory_revocation_emails
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46033
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/271577
type: development
group: group::compliance
default_enabled: false
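Review bot: removing this flag definition together with the guard makes the notification unconditional, including on GitLab.com, where the docs hunk above said the feature was disabled. Update the linked rollout issue (271577) to record that the flag was removed and the feature is now always on, so anyone tracing a user-reported email back to its cause finds the decision there rather than in a deleted file.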
...@@ -170,18 +170,6 @@ RSpec.describe Admin::CredentialsController do ...@@ -170,18 +170,6 @@ RSpec.describe Admin::CredentialsController do
put :revoke, params: { id: personal_access_token.id } put :revoke, params: { id: personal_access_token.id }
end end
context 'when credentials_inventory_revocation_emails flag is disabled' do
before do
stub_feature_flags(credentials_inventory_revocation_emails: false)
end
it 'does not inform the token owner' do
expect do
put :revoke, params: { id: personal_access_token.id }
end.not_to change { ActionMailer::Base.deliveries.size }
end
end
end end
end end
end end
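Review bot: with the "flag is disabled" context gone, the only remaining coverage for `put :revoke` is the positive delivery count. Add an assertion on the recipient so the spec proves the email goes to the token owner and not to the administrator performing the revocation, and add a case for a token that is already revoked: the docs table in the first hunk says revoking such a token is "Not applicable; token is already revoked", so it should not generate a second notification.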
......
...@@ -39,18 +39,6 @@ RSpec.shared_examples_for 'credentials inventory controller delete SSH key' do | ...@@ -39,18 +39,6 @@ RSpec.shared_examples_for 'credentials inventory controller delete SSH key' do |
expect { subject }.to change { ActionMailer::Base.deliveries.size }.by(1) expect { subject }.to change { ActionMailer::Base.deliveries.size }.by(1)
end end
end end
context 'when credentials_inventory_revocation_emails is disabled' do
before do
stub_feature_flags(credentials_inventory_revocation_emails: false)
end
it 'does not notify the key owner' do
expect(CredentialsInventoryMailer).not_to receive(:ssh_key_deleted_email)
subject
end
end
end end
context 'and it fails to remove the key' do context 'and it fails to remove the key' do
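Review bot: the surviving example asserts only `change { ActionMailer::Base.deliveries.size }.by(1)`; since these shared examples now run without a flag to switch the mail off, they should also check the `to:` address is the key owner. The `context 'and it fails to remove the key'` that follows should include a negative expectation (`expect(CredentialsInventoryMailer).not_to receive(:ssh_key_deleted_email)`, as the removed context did for the disabled flag) so an owner is never told a key was deleted when it is still active.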
......