Merge branch '351759-remove-project-access-tokens-from-credentials-inventory' into 'master'

Remove non-human created tokens from PAT list

See merge request gitlab-org/gitlab!80716

app/finders/personal_access_tokens_finder.rb

@@ -17,6 +17,7 @@ class PersonalAccessTokensFinder
     tokens = by_users(tokens)
     tokens = by_impersonation(tokens)
     tokens = by_state(tokens)
+    tokens = by_owner_type(tokens)
 
     sort(tokens)
   end
@@ -32,6 +33,15 @@ class PersonalAccessTokensFinder
     tokens
   end
 
+  def by_owner_type(tokens)
+    case @params[:owner_type]
+    when 'human'
+      tokens.owner_is_human
+    else
+      tokens
+    end
+  end
+
   def by_user(tokens)
     return tokens unless @params[:user]
 

app/models/personal_access_token.rb

@@ -34,6 +34,7 @@ class PersonalAccessToken < ApplicationRecord
   scope :order_expires_at_asc, -> { reorder(expires_at: :asc) }
   scope :order_expires_at_desc, -> { reorder(expires_at: :desc) }
   scope :project_access_token, -> { includes(:user).where(user: { user_type: :project_bot }) }
+  scope :owner_is_human, -> { includes(:user).where(user: { user_type: :human }) }
 
   validates :scopes, presence: true
   validate :validate_scopes

doc/user/admin_area/credentials_inventory.md

@@ -7,7 +7,8 @@ type: howto
 
 # Credentials inventory **(ULTIMATE SELF)**
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
+> - [Bot-created access tokens not displayed in personal access token list](https://gitlab.com/gitlab-org/gitlab/-/issues/351759) in GitLab 14.9.
 
 GitLab administrators are responsible for the overall security of their instance. To assist, GitLab
 provides a Credentials inventory to keep track of all the credentials that can be used to access

ee/app/controllers/concerns/credentials_inventory_actions.rb

@@ -49,7 +49,7 @@ module CredentialsInventoryActions
 
   def filter_credentials
     if show_personal_access_tokens?
-      ::PersonalAccessTokensFinder.new({ users: users, impersonation: false, sort: 'id_desc' }).execute
+      ::PersonalAccessTokensFinder.new({ users: users, impersonation: false, sort: 'id_desc', owner_type: 'human' }).execute
     elsif show_ssh_keys?
       ::KeysFinder.new({ users: users, key_type: 'ssh' }).execute
     elsif show_project_access_tokens?

ee/spec/requests/admin/credentials_controller_spec.rb

@@ -37,7 +37,7 @@ RSpec.describe Admin::CredentialsController, type: :request do
             specify do
               get admin_credentials_path(filter: filter)
 
-              expect(assigns(:credentials)).to match_array([user.personal_access_tokens, project_access_token].flatten)
+              expect(assigns(:credentials)).to match_array([user.personal_access_tokens].flatten)
             end
           end
 

spec/finders/personal_access_tokens_finder_spec.rb

@@ -17,6 +17,9 @@ RSpec.describe PersonalAccessTokensFinder do
     let!(:active_impersonation_token) { create(:personal_access_token, :impersonation, user: user) }
     let!(:expired_impersonation_token) { create(:personal_access_token, :expired, :impersonation, user: user) }
     let!(:revoked_impersonation_token) { create(:personal_access_token, :revoked, :impersonation, user: user) }
+    let!(:project_bot) { create(:user, :project_bot) }
+    let!(:project_member) { create(:project_member, user: project_bot) }
+    let!(:project_access_token) { create(:personal_access_token, user: project_bot) }
 
     subject { finder(params, current_user).execute }
 
@@ -44,7 +47,7 @@ RSpec.describe PersonalAccessTokensFinder do
         it do
           is_expected.to contain_exactly(active_personal_access_token, active_impersonation_token,
                                          revoked_personal_access_token, expired_personal_access_token,
-                                         revoked_impersonation_token, expired_impersonation_token)
+                                         revoked_impersonation_token, expired_impersonation_token, project_access_token)
         end
 
         context 'when current_user is not an administrator' do
@@ -59,7 +62,7 @@ RSpec.describe PersonalAccessTokensFinder do
       it do
         is_expected.to contain_exactly(active_personal_access_token, active_impersonation_token,
           revoked_personal_access_token, expired_personal_access_token,
-          revoked_impersonation_token, expired_impersonation_token)
+          revoked_impersonation_token, expired_impersonation_token, project_access_token)
       end
 
       describe 'with users' do
@@ -98,14 +101,14 @@ RSpec.describe PersonalAccessTokensFinder do
           params[:impersonation] = false
         end
 
-        it { is_expected.to contain_exactly(active_personal_access_token, revoked_personal_access_token, expired_personal_access_token) }
+        it { is_expected.to contain_exactly(active_personal_access_token, revoked_personal_access_token, expired_personal_access_token, project_access_token) }
 
         describe 'with active state' do
           before do
             params[:state] = 'active'
           end
 
-          it { is_expected.to contain_exactly(active_personal_access_token) }
+          it { is_expected.to contain_exactly(active_personal_access_token, project_access_token) }
         end
 
         describe 'with inactive state' do
@@ -146,7 +149,7 @@ RSpec.describe PersonalAccessTokensFinder do
           params[:state] = 'active'
         end
 
-        it { is_expected.to contain_exactly(active_personal_access_token, active_impersonation_token) }
+        it { is_expected.to contain_exactly(active_personal_access_token, active_impersonation_token, project_access_token) }
       end
 
       describe 'with inactive state' do
@@ -208,6 +211,14 @@ RSpec.describe PersonalAccessTokensFinder do
           revoked_impersonation_token, expired_impersonation_token)
       end
 
+      describe 'filtering human tokens' do
+        before do
+          params[:owner_type] = 'human'
+        end
+
+        it { is_expected.not_to include(project_access_token) }
+      end
+
       describe 'without impersonation' do
         before do
           params[:impersonation] = false

spec/models/personal_access_token_spec.rb

@@ -32,6 +32,17 @@ RSpec.describe PersonalAccessToken do
       it { is_expected.to contain_exactly(project_access_token) }
     end
 
+    describe '.owner_is_human' do
+      let_it_be(:user) { create(:user, :project_bot) }
+      let_it_be(:project_member) { create(:project_member, user: user) }
+      let_it_be(:personal_access_token) { create(:personal_access_token) }
+      let_it_be(:project_access_token) { create(:personal_access_token, user: user) }
+
+      subject { described_class.owner_is_human }
+
+      it { is_expected.to contain_exactly(personal_access_token) }
+    end
+
     describe '.for_user' do
       it 'returns personal access tokens of specified user only' do
         user_1 = create(:user)