Remove non-human created tokens from PAT list

Removes personal access tokens created by non-human
users from the list of personal access tokens
in the credentials inventory.

Project access tokens can be removed but must
be removed from the Project access tokens tab
instead as this also enqueues a job to remove
the bot user as well as the token.

EE: true
Changelog: changed

app/models/personal_access_token.rb

@@ -34,6 +34,7 @@ class PersonalAccessToken < ApplicationRecord
   scope :order_expires_at_asc, -> { reorder(expires_at: :asc) }
   scope :order_expires_at_desc, -> { reorder(expires_at: :desc) }
   scope :project_access_token, -> { includes(:user).where(user: { user_type: :project_bot }) }
+  scope :owner_is_human, -> { includes(:user).where(user: { user_type: :human }) }
 
   validates :scopes, presence: true
   validate :validate_scopes

doc/user/admin_area/credentials_inventory.md

@@ -7,7 +7,8 @@ type: howto
 
 # Credentials inventory **(ULTIMATE SELF)**
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
+> - [Bot-created tokens removed from PAT list](https://gitlab.com/gitlab-org/gitlab/-/issues/351759) in GitLab 14.9.
 
 GitLab administrators are responsible for the overall security of their instance. To assist, GitLab
 provides a Credentials inventory to keep track of all the credentials that can be used to access

ee/app/controllers/concerns/credentials_inventory_actions.rb

@@ -49,7 +49,7 @@ module CredentialsInventoryActions
 
   def filter_credentials
     if show_personal_access_tokens?
-      ::PersonalAccessTokensFinder.new({ users: users, impersonation: false, sort: 'id_desc' }).execute
+      ::PersonalAccessTokensFinder.new({ users: users, impersonation: false, sort: 'id_desc' }).execute.owner_is_human
     elsif show_ssh_keys?
       ::KeysFinder.new({ users: users, key_type: 'ssh' }).execute
     elsif show_project_access_tokens?

spec/models/personal_access_token_spec.rb

@@ -32,6 +32,16 @@ RSpec.describe PersonalAccessToken do
       it { is_expected.to contain_exactly(project_access_token) }
     end
 
+    describe '.owner_is_human' do
+      let_it_be(:user) { create(:user, :project_bot) }
+      let_it_be(:project_member) { create(:project_member, user: user) }
+      let_it_be(:project_access_token) { create(:personal_access_token, user: user) }
+
+      subject { described_class.not_project_access_token }
+
+      it { is_expected.not_to include(project_access_token) }
+    end
+
     describe '.for_user' do
       it 'returns personal access tokens of specified user only' do
         user_1 = create(:user)