Optional enforcement of SSH key expiration

Release notes

Problem to solve

The SSH key expiration introduced in #36243 (closed) is never enforced, so a key remains active even after its expiration.

Similar to Optional PAT enforcement, this issue aims to allow an administrator to configure whether key expiration should be enforced or not.

To stay in line with the current implementation, the default behavior can be to not enforce the expiry.

This might especially be useful for organizations that prefer a hard enforcement for token rotations.

Intended users

  • Cameron (Compliance Manager)
  • Sidney (Systems Administrator)

Proposal

Add a checkbox in the Admin Dashboard (Settings -> General -> Account and limit)

  • Enforce SSH key expiration

When enabled, keys will become unusable after expiration.

Implementation details

backend - 2

  • Add migration to create a new column enforce_ssh_key_expiration in application_settings
  • Changes to ee/app/helpers/ee/application_settings_helper.rb to include the above column to the list of visible attributes
  • When SSH key expiration is enforced:
    • Return forbidden error when key has expired

frontend - 1

  • Add checkbox in Admin dashboard

Note: The optional PAT expiration MR can be handy for implementing most of the changes.
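
The enforcement decision described in the backend items, sketched as an added example in plain Ruby (not code from the GitLab code base). Only the column name enforce_ssh_key_expiration comes from the proposal; the Settings, SshKey and AccessResult structs, check_key_access, and the sample keys are hypothetical, and treating a key as expired at the exact expiry instant is this example's assumption.

```ruby
require 'time'

# Hypothetical stand-ins for the application setting and an SSH key record.
# Only the name enforce_ssh_key_expiration is taken from the proposal.
Settings = Struct.new(:enforce_ssh_key_expiration)
SshKey   = Struct.new(:title, :expires_at) do
  # A key without an expiry date never expires.
  # Assumption: the key counts as expired at the exact expiry instant.
  def expired?(now)
    !expires_at.nil? && expires_at <= now
  end
end

AccessResult = Struct.new(:status, :message) do
  def allowed?
    status == :ok
  end
end

# Decide whether a key may authenticate.
# Enforcement off (the proposed default): expired keys keep working.
# Enforcement on: an expired key gets a forbidden result.
def check_key_access(key, settings, now: Time.now.utc)
  if settings.enforce_ssh_key_expiration && key.expired?(now)
    return AccessResult.new(:forbidden,
      "SSH key '#{key.title}' expired at #{key.expires_at.utc.iso8601}")
  end
  AccessResult.new(:ok, nil)
end

# Constructed sample data.
NOW     = Time.utc(2020, 11, 17, 12, 0, 0)
EXPIRED = SshKey.new('laptop', Time.utc(2020, 11, 1))
VALID   = SshKey.new('workstation', Time.utc(2021, 1, 1))
NO_DATE = SshKey.new('legacy', nil)

# Status for each sample key under a given enforcement setting.
def demo_statuses(enforce)
  settings = Settings.new(enforce)
  [EXPIRED, VALID, NO_DATE].map { |k| check_key_access(k, settings, now: NOW).status }
end

if __FILE__ == $PROGRAM_NAME
  puts "enforced:     #{demo_statuses(true).inspect}"
  puts "not enforced: #{demo_statuses(false).inspect}"
end
```

Passing the clock in as now: keeps the check testable and makes the boundary behavior explicit, which matters when reviewing whether a key that expires "today" is still accepted.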

Documentation

Add documentation to Account and Limit Settings page.

Edited Nov 17, 2020 by Dan Jensen