Add a new gitlab:users:clear_all_authentication_tokens task

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-10-07 18:35:36 +02:00 · 2016-10-07 18:35:36 +02:00 · ebba491493
commit ebba491493
parent 73adae0f62
4 changed files with 65 additions and 0 deletions
--- a/1
+++ b/1
@ -76,6 +76,7 @@ v 8.13.0 (unreleased)
  - API: expose pipeline data in builds API (!6502, Guilherme Salazar)
  - Notify the Merger about merge after successful build (Dimitris Karakasilis)
  - Reorder issue and merge request titles to show IDs first. !6503 (Greg Laubenstein)
+  - Add a new gitlab:users:clear_all_authentication_tokens task. !6745
  - Reduce queries needed to find users using their SSH keys when pushing commits
  - Prevent rendering the link to all when the author has no access (Katarzyna Kobierska Ula Budziszewska)
  - Fix broken repository 500 errors in project list
--- a/doc/raketasks/user_management.md
+++ b/doc/raketasks/user_management.md
@ -70,3 +70,18 @@ sudo gitlab-rake gitlab:two_factor:disable_for_all_users
 # installation from source
 bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
 ```
+
+## Clear authentication tokens for all users. Important! Data loss!
+
+Clear authentication tokens for all users in the GitLab database. This
+task is useful if your users' authentication tokens might have been exposed in
+any way. All the existing tokens will become invalid, and new tokens are
+automatically generated upon sign-in or user modification.
+
+```
+# omnibus-gitlab
+sudo gitlab-rake gitlab:users:clear_all_authentication_tokens
+
+# installation from source
+bundle exec rake gitlab:users:clear_all_authentication_tokens RAILS_ENV=production
+```
--- a/lib/tasks/gitlab/users.rake
+++ b/lib/tasks/gitlab/users.rake
@ -0,0 +1,11 @@
+namespace :gitlab do
+  namespace :users do
+    desc "GitLab | Clear the authentication token for all users"
+    task clear_all_authentication_tokens: :environment  do |t, args|
+      # Do small batched updates because these updates will be slow and locking
+      User.select(:id).find_in_batches(batch_size: 100) do |batch|
+        User.where(id: batch.map(&:id)).update_all(authentication_token: nil)
+      end
+    end
+  end
+end
--- a/spec/tasks/gitlab/users_rake_spec.rb
+++ b/spec/tasks/gitlab/users_rake_spec.rb
@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'rake'
+
+describe 'gitlab:users namespace rake task' do
+  let(:enable_registry) { true }
+
+  before :all do
+    Rake.application.rake_require 'tasks/gitlab/task_helpers'
+    Rake.application.rake_require 'tasks/gitlab/users'
+
+    # empty task as env is already loaded
+    Rake::Task.define_task :environment
+  end
+
+  def run_rake_task(task_name)
+    Rake::Task[task_name].reenable
+    Rake.application.invoke_task task_name
+  end
+
+  describe 'clear_all_authentication_tokens' do
+    before do
+      # avoid writing task output to spec progress
+      allow($stdout).to receive :write
+    end
+
+    context 'gitlab version' do
+      it 'clears the authentication token for all users' do
+        create_list(:user, 2)
+
+        expect(User.pluck(:authentication_token)).to all(be_present)
+
+        run_rake_task('gitlab:users:clear_all_authentication_tokens')
+
+        expect(User.pluck(:authentication_token)).to all(be_nil)
+      end
+    end
+  end
+end