Add Revoke buttons to the PAT tab of the credential inventory

Problem to solve

Currently, the credential inventory provides passive insight to administrators and group owners. With the introduction of credential management capabilities like optional SSH key expiration and PAT expiration (#118893 (closed) for gitlab.com), additional functionality is required to enable administrators and group owners to facilitate the rotation of credentials once they're expired.

GitLab would like to strike a balance between necessary policy definition and enforcement that compliance-minded organizations require and maintaining a great developer experience. Abrupt credential revocation is disruptive and frustrating, but an organization unable to rotate credentials for their users faces an increased risk of a credential's compromise.

There's no way to revoke SSH or PAT credentials on behalf of users for administrators and group owners, who need to enforce this action.

Intended users

• Sidney (Systems Administrator)
• Cameron (Compliance Manager)

Solution

In the "Personal Access Tokens" tab of the credentials inventory

• Add a Revoke button that appears for each PAT that is "active" (not already expired, where expiration is enforced or revoked).
• Show a modal to confirm the action after clicking revoke
  • Use default browser modal for MVC

  Are you sure you wish to revoke this personal access token? This action cannot be undone. [Cancel|Okay]

  • Implementing Pajamas modal → #228881 (closed)

Token state	Expiry Enforced?	Show Revoke button	Comments
Active	Enforced	Yes	When admin voluntarily wishes to revoke (e.g. compromised account)
Active	Not Enforced	Yes	When admin voluntarily wishes to revoke (e.g. compromised account)
Expired	Enforced	No	PAT expires automatically
Expired	Not Enforced	Yes	Admin revokes to prevent users from using the PAT indefinitely
Revoked	Enforced	No	Not applicable to revoke an already revoked token
Revoked	Not Enforced	No	Not applicable to revoke an already revoked token

Personal Access Tokens	Default Browser Modal

→ Figma

Stretch Goal (moved to #228721 (closed)): Add a Revoke All button to the top of the inventory that revokes all expired SSH and PAT credentials.

Implementation plan

frontend - 1

1. Add the revoke button to rows which are not expired or already revoked (see table above). The button should be placed within the Revoked column
2. On click, show a standard browser modal, on yes, redirect to endpoint
3. Update tests

backend - 1 | 2

1. Add new endpoint to ee/app/controllers/concerns/credentials_inventory_actions.rb to handle the revoke
2. Add new route to ee/config/routes/admin.rb:23
3. Trigger revoke service from !38501 (merged)
4. Re-render index with service message

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.