Commit 043225fe authored by Max Woolf

Enable SSH key expiration enforcement

Removes all references to feature flag
to make this feature available by default to all
self-managed installs.

Note: The feature is still _disabled_ by default,
even once the flag has been removed to avoid
breaking changes.
parent bb19877a
......@@ -163,13 +163,7 @@ Once a lifetime for personal access tokens is set, GitLab will:
allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
or remove it, before revocation takes place.
## Enforcement of SSH key expiration **(ULTIMATE ONLY)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276221) in GitLab Ultimate 13.9.
> - It is deployed behind a feature flag, disabled by default.
> - It is disabled on GitLab.com.
> - It is not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-enforcement-of-ssh-key-expiration-feature). **(CORE ONLY)**
## Enforcement of SSH key expiration **(ULTIMATE SELF)**
GitLab administrators can choose to enforce the expiration of SSH keys after their expiration dates.
If you enable this feature, this disables all _expired_ SSH keys.
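Review bot: After this change the "Enforcement of SSH key expiration" section no longer says that enforcement is off until an administrator opts in. The removed notes were the only place that said "disabled by default", and the commit message states that the feature stays disabled once the flag is gone. Suggest adding a sentence after "GitLab administrators can choose to enforce the expiration of SSH keys after their expiration dates." saying that expired keys are not disabled until the **Enforce SSH key expiration** checkbox is selected. The "Introduced in GitLab Ultimate 13.9" version-history line also appears to go away with the flag notes; consider keeping it.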
......@@ -180,23 +174,6 @@ To do this:
1. Expand the **Account and limit** section.
1. Select the **Enforce SSH key expiration** checkbox.
### Enable or disable enforcement of SSH key expiration Feature **(CORE ONLY)**
Enforcement of SSH key expiry is deployed behind a feature flag and is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it for your instance from the [rails console](../../../administration/feature_flags.md#start-the-gitlab-rails-console).
To enable it:
```ruby
Feature.enable(:ff_enforce_ssh_key_expiration)
```
To disable it:
```ruby
Feature.disable(:ff_enforce_ssh_key_expiration)
```
## Optional enforcement of Personal Access Token expiry **(ULTIMATE SELF)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab Ultimate 13.1.
......
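Review bot: Removing the "Enable or disable enforcement of SSH key expiration Feature" heading also removes the `#enable-or-disable-enforcement-of-ssh-key-expiration-feature` anchor. The only link to it visible in this diff is the note deleted in the previous hunk, so please confirm that no other documentation page still points at that anchor before merging.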
......@@ -28,7 +28,7 @@ module EE
end
def enforce_ssh_key_expiration_feature_available?
License.feature_available?(:enforce_ssh_key_expiration) && ::Feature.enabled?(:ff_enforce_ssh_key_expiration)
License.feature_available?(:enforce_ssh_key_expiration)
end
end
end
......
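Review bot: With `::Feature.enabled?(:ff_enforce_ssh_key_expiration)` dropped from `enforce_ssh_key_expiration_feature_available?`, enforcement is gated only by the license and the application setting. If a licensed instance could have `enforce_ssh_key_expiration` stored as true while the flag was off, it will start rejecting expired keys as soon as it upgrades, which is the breaking change the commit message wants to avoid. Worth confirming that the setting could not be saved while the flag was disabled, or calling this out in the changelog entry.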
---
title: Add ability to enforce SSH key expiration
merge_request: 53035
author:
type: added
---
name: ff_enforce_ssh_key_expiration
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/51921
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/299092
milestone: '13.9'
type: development
group: group::compliance
default_enabled: false
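Review bot: The flag definition for `ff_enforce_ssh_key_expiration` carries `rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/299092`. Since the definition goes away here, the rollout issue should be linked from the merge request and closed with it so the flag is not left tracked as pending.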
......@@ -785,7 +785,6 @@ RSpec.describe Gitlab::GitAccess do
before do
stub_licensed_features(enforce_ssh_key_expiration: true)
stub_feature_flags(ff_enforce_ssh_key_expiration: true)
stub_ee_application_setting(enforce_ssh_key_expiration: true)
end
......
......@@ -27,20 +27,15 @@ RSpec.describe Key do
describe '.expiration_enforced?' do
using RSpec::Parameterized::TableSyntax
where(:feature_enabled, :licensed, :application_setting, :available) do
true | true | true | true
true | true | false | false
true | false | true | false
true | false | false | false
false | true | true | false
false | true | false | false
false | false | true | false
false | false | false | false
where(:licensed, :application_setting, :available) do
true | true | true
true | false | false
false | true | false
false | false | false
end
with_them do
before do
stub_feature_flags(ff_enforce_ssh_key_expiration: feature_enabled)
stub_licensed_features(enforce_ssh_key_expiration: licensed)
stub_ee_application_setting(enforce_ssh_key_expiration: application_setting)
end
......
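Review bot: In the new `where(:licensed, :application_setting, :available)` table the expected-result column is still called `:available`, but the example group is `describe '.expiration_enforced?'`. Now that the table is down to two inputs, renaming the column to `:enforced` (or similar) would make it clearer that the rows assert on enforcement, which requires both the license and the setting, and not on license availability alone.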