Make the 2 expiry enforcement settings independent

require_personal_access_token_expiry applies to non-service account users, while service_access_tokens_expiration_enforced applies to service accounts.

Make the 2 expiry enforcement settings independent
99706be5 · Imre Farkas · 9b4c0288 · 99706be5 · 99706be5 · 99706be5
Commit 99706be5 authored 7 months ago by Imre Farkas
--- a/ee/app/models/ee/personal_access_token.rb
+++ b/ee/app/models/ee/personal_access_token.rb
@@ -76,7 +76,7 @@ def max_expiry_date
    end

    def allow_expires_at_to_be_empty?
-      super && !EE::Gitlab::PersonalAccessTokens::ServiceAccountTokenValidator.new(user).expiry_enforced?
+      !EE::Gitlab::PersonalAccessTokens::ServiceAccountTokenValidator.new(user).expiry_enforced?
    end

    def expires_at_before_max_expiry_date

--- a/ee/app/services/ee/personal_access_tokens/create_service.rb
+++ b/ee/app/services/ee/personal_access_tokens/create_service.rb
@@ -35,11 +35,9 @@ def send_audit_event(response)
      def pat_expiration
        return params[:expires_at] if params[:expires_at].present?

-        if EE::Gitlab::PersonalAccessTokens::ServiceAccountTokenValidator.new(target_user).expiry_enforced?
-          return max_expiry_date
-        end
+        return unless EE::Gitlab::PersonalAccessTokens::ServiceAccountTokenValidator.new(target_user).expiry_enforced?

-        super
+        max_expiry_date
      end

      override :creation_permitted?

--- a/ee/spec/models/ee/personal_access_token_spec.rb
+++ b/ee/spec/models/ee/personal_access_token_spec.rb
@@ -147,7 +147,7 @@

          where(:require_token_expiry, :require_token_expiry_for_service_accounts, :is_valid) do
            true | true | false
-            true | false | false
+            true | false | true
            false | true | false
            false | false | true
          end
@@ -169,7 +169,7 @@

          where(:require_token_expiry, :require_token_expiry_for_service_accounts, :is_valid) do
            true | true | false
-            true | false | false
+            true | false | true
            false | true | false
            false | false | true
          end

--- a/ee/spec/services/ee/personal_access_tokens/create_service_spec.rb
+++ b/ee/spec/services/ee/personal_access_tokens/create_service_spec.rb
@@ -115,7 +115,7 @@

                where(:require_token_expiry, :require_token_expiry_for_service_accounts, :expires_at) do
                  true | true | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
-                  true | false | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
+                  true | false | nil
                  false | true | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
                  false | false | nil
                end
@@ -167,7 +167,7 @@
                context 'when saas', :saas, :enable_admin_mode do
                  where(:require_token_expiry, :require_token_expiry_for_service_accounts, :expires_at) do
                    true | true | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
-                    true | false | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
+                    true | false | nil
                    false | true | PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date
                    false | false | nil
                  end