PAT revoke for managed account FF rollout

Cleanup FF revoke_managed_users_token that is used to revoke managed user's token in managed group credential inventory.

PAT revoke for managed account FF rollout
Cleanup FF revoke_managed_users_token that is used to revoke managed user's token in managed group credential inventory.
9453c6bc · Aishwarya Subramanian · 430620cd · 9453c6bc · 9453c6bc · 9453c6bc
Commit 9453c6bc authored Mar 11, 2021 by Aishwarya Subramanian
7 changed files
--- a/changelogs/unreleased/rollout-pat-revoke-gma.yml
+++ b/changelogs/unreleased/rollout-pat-revoke-gma.yml
+---
+title: Personal access token revoke for managed accounts (feature flag removed)
+merge_request: 56427
+author:
+type: added
--- a/doc/user/group/saml_sso/group_managed_accounts.md
+++ b/doc/user/group/saml_sso/group_managed_accounts.md
@@ -84,6 +84,15 @@ To access the Credentials inventory of a group, navigate to **{shield}** **Secur

 This feature is similar to the [Credentials inventory for self-managed instances](../../admin_area/credentials_inventory.md).

+### Revoke a group-managed account's personal access token
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.5.
+> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/267184) in GitLab 13.10.
+
+Personal access token of group-managed accounts can be revoked by owners by clicking the Revoke button in the Personal Access Tokens tab.
+
+When a personal access token is revoked from the credentials inventory, the group-managed account user is notified by email.
+
 ## Limiting lifetime of personal access tokens of users in Group-managed accounts **(ULTIMATE)**

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118893) in GitLab 12.10.

--- a/ee/app/controllers/groups/security/credentials_controller.rb
+++ b/ee/app/controllers/groups/security/credentials_controller.rb
@@ -47,7 +47,7 @@ class Groups::Security::CredentialsController < Groups::ApplicationController

  override :revoke_button_available?
  def revoke_button_available?
-    ::Feature.enabled?(:revoke_managed_users_token, group)
+    true
  end

  override :users

--- a/ee/app/services/ee/personal_access_tokens/revoke_service.rb
+++ b/ee/app/services/ee/personal_access_tokens/revoke_service.rb
@@ -22,7 +22,6 @@ module EE

      def managed_user_revocation_allowed?
        return unless token.present?
-        return unless ::Feature.enabled?(:revoke_managed_users_token, group)

        token.user&.group_managed_account? &&
          token.user&.managing_group == group &&

--- a/ee/config/feature_flags/development/revoke_managed_users_token.yml
+++ b/ee/config/feature_flags/development/revoke_managed_users_token.yml
---
-name: revoke_managed_users_token
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/44783
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/267184
-milestone: '13.5'
-type: development
-group: group::compliance
-default_enabled: false
--- a/ee/spec/requests/groups/security/credentials_controller_spec.rb
+++ b/ee/spec/requests/groups/security/credentials_controller_spec.rb
@@ -173,118 +173,81 @@ RSpec.describe Groups::Security::CredentialsController do
    context 'when `credentials_inventory` feature is enabled' do
      before do
        stub_licensed_features(credentials_inventory: true, group_saml: true)
-        stub_feature_flags(revoke_managed_users_token: true)
      end

      context 'for a group that enforces group managed accounts' do
-        context 'when `revoke_managed_users_token` feature is enabled' do
-          before_all do
-            stub_feature_flags(revoke_managed_users_token: true)
+        context 'for a user with access to view credentials inventory' do
+          context 'non-existent personal access token specified' do
+            let(:token_id) { 999999999999999999999999999999999 }
+
+            it_behaves_like 'responds with 404'
          end

-          context 'for a user with access to view credentials inventory' do
-            context 'non-existent personal access token specified' do
-              let(:token_id) { 999999999999999999999999999999999 }
+          describe 'with an existing personal access token' do
+            context 'personal access token is already revoked' do
+              let_it_be(:token_id) { create(:personal_access_token, revoked: true, user: maintainer).id }

-              it_behaves_like 'responds with 404'
+              it_behaves_like 'displays the flash success message'
            end

-            describe 'with an existing personal access token' do
-              context 'personal access token is already revoked' do
-                let_it_be(:token_id) { create(:personal_access_token, revoked: true, user: maintainer).id }
-
-                it_behaves_like 'displays the flash success message'
-              end
+            context 'personal access token is already expired' do
+              let_it_be(:token_id) { create(:personal_access_token, expires_at: 5.days.ago, user: maintainer).id }

-              context 'personal access token is already expired' do
-                let_it_be(:token_id) { create(:personal_access_token, expires_at: 5.days.ago, user: maintainer).id }
+              it_behaves_like 'displays the flash success message'
+            end

-                it_behaves_like 'displays the flash success message'
-              end
+            context 'does not have permissions to revoke the credential' do
+              let_it_be(:token_id) { create(:personal_access_token, user: create(:user)).id }

-              context 'does not have permissions to revoke the credential' do
-                let_it_be(:token_id) { create(:personal_access_token, user: create(:user)).id }
+              it_behaves_like 'responds with 404'
+            end

-                it_behaves_like 'responds with 404'
-              end
+            context 'personal access token is already revoked' do
+              let_it_be(:token_id) { create(:personal_access_token, revoked: true, user: maintainer).id }

-              context 'personal access token is already revoked' do
-                let_it_be(:token_id) { create(:personal_access_token, revoked: true, user: maintainer).id }
+              it_behaves_like 'displays the flash success message'
+            end

-                it_behaves_like 'displays the flash success message'
-              end
+            context 'personal access token is already expired' do
+              let_it_be(:token_id) { create(:personal_access_token, expires_at: 5.days.ago, user: maintainer).id }

-              context 'personal access token is already expired' do
-                let_it_be(:token_id) { create(:personal_access_token, expires_at: 5.days.ago, user: maintainer).id }
+              it_behaves_like 'displays the flash success message'
+            end

-                it_behaves_like 'displays the flash success message'
-              end
+            context 'personal access token is not revoked or expired' do
+              let_it_be(:token_id) { personal_access_token.id }

-              context 'personal access token is not revoked or expired' do
-                let_it_be(:token_id) { personal_access_token.id }
+              it_behaves_like 'displays the flash success message'

-                it_behaves_like 'displays the flash success message'
+              it 'informs the token owner' do
+                expect(CredentialsInventoryMailer).to receive_message_chain(:personal_access_token_revoked_email, :deliver_later)

-                it 'informs the token owner' do
-                  expect(CredentialsInventoryMailer).to receive_message_chain(:personal_access_token_revoked_email, :deliver_later)
+                put revoke_group_security_credential_path(group_id: group_id.to_param, id: personal_access_token.id)
+              end

-                  put revoke_group_security_credential_path(group_id: group_id.to_param, id: personal_access_token.id)
+              context 'when credentials_inventory_revocation_emails flag is disabled' do
+                before do
+                  stub_feature_flags(credentials_inventory_revocation_emails: false)
                end

-                context 'when credentials_inventory_revocation_emails flag is disabled' do
-                  before do
-                    stub_feature_flags(credentials_inventory_revocation_emails: false)
-                  end
-
-                  it 'does not inform the token owner' do
-                    expect do
-                      put revoke_group_security_credential_path(group_id: group_id.to_param, id: personal_access_token.id)
-                    end.not_to change { ActionMailer::Base.deliveries.size }
-                  end
+                it 'does not inform the token owner' do
+                  expect do
+                    put revoke_group_security_credential_path(group_id: group_id.to_param, id: personal_access_token.id)
+                  end.not_to change { ActionMailer::Base.deliveries.size }
                end
              end
            end
          end
-
-          context 'for a user without access to view credentials inventory' do
-            let_it_be(:token_id) { create(:personal_access_token, user: owner).id }
-
-            before do
-              sign_in(maintainer)
-            end
-
-            it_behaves_like 'responds with 404'
-          end
        end

-        context 'when `revoke_managed_users_token` feature is disabled' do
-          before_all do
-            stub_feature_flags(revoke_managed_users_token: false)
-          end
-
-          context 'for a user with access to view credentials inventory' do
-            context 'non-existent personal access token specified' do
-              let(:token_id) { 999999999999999999999999999999999 }
-
-              it_behaves_like 'responds with 404'
-            end
-
-            context 'valid personal access token specified' do
-              let_it_be(:token_id) { create(:personal_access_token, user: create(:user)).id }
+        context 'for a user without access to view credentials inventory' do
+          let_it_be(:token_id) { create(:personal_access_token, user: owner).id }

-              it_behaves_like 'responds with 404'
-            end
+          before do
+            sign_in(maintainer)
          end

-          context 'for a user without access to view credentials inventory' do
-            let_it_be(:token_id) { create(:personal_access_token, user: owner).id }
-
-            before do
-              sign_in(maintainer)
-            end
-
-            it_behaves_like 'responds with 404'
-          end
+          it_behaves_like 'responds with 404'
        end
      end


--- a/ee/spec/services/ee/personal_access_tokens/revoke_service_spec.rb
+++ b/ee/spec/services/ee/personal_access_tokens/revoke_service_spec.rb
@@ -42,17 +42,6 @@ RSpec.describe EE::PersonalAccessTokens::RevokeService do
        end
      end

-      context 'when feature flag is disabled' do
-        let_it_be(:current_user) { group_owner }
-        let_it_be(:token) { create(:personal_access_token, user: managed_user) }
-
-        before do
-          stub_feature_flags(revoke_managed_users_token: false)
-        end
-
-        it_behaves_like 'an unsuccessfully revoked token'
-      end
-
      context 'when current user is a group owner of a different managed group' do
        let_it_be(:group) { create(:group_with_managed_accounts) }
        let_it_be(:group_owner2) { create(:user) }