Extend maximum token and SSH key expiration to 400 days

Merged Ben Boeckel requested to merge ben.boeckel/gitlab:token-expiration-limit-bump into master
3 unresolved threads

What does this MR do and why?

apps/settings: Extend maximum token and SSH key expiration to 400 days

An expiration of 365 days means that rotation ends up "creeping" back the calendar every year unless tokens are rotated on the exact day they expire. A forced "lose a day" occurs when the validity period spans over February 29th. In practice, the expiration falling on a weekend would also force losing a day or two. Instead, bump the maximum allowed to 400 days for all editions so that a little over one month of leeway is allowed to perform rotations of tokens and SSH keys.

While 395 would be "sufficient", 400 being so close makes it worth choosing instead.

Changelog: changed

How to set up and validate locally

Test suite should handle this.
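The "creep" argument from the description, worked through as an added example (this is not code from the MR or from GitLab): it simulates two rotation policies over seven years and shows why 365 days forces the rotation date earlier each year while 400 days leaves room to rotate on a fixed anniversary. It assumes a constructed Monday start date and a Mon-Fri business week; the constant names follow the diff hunk on this page, the values come from the description.

```ruby
require 'date'

# Limits discussed in this MR (constant names follow the diff hunk on this page, values from the description).
MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS = 365
MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS_BUFFERED = 400

# Pull a date back to the preceding business day (Mon-Fri) when it lands on a weekend.
def latest_business_day_on_or_before(date)
  date -= 1 while date.saturday? || date.sunday?
  date
end

# Policy A: rotate as late as the limit allows, on the last business day on or before expiry.
# Each rotation starts the next token's lifetime, so leap days and weekends make the date creep earlier.
def rotate_at_expiry_schedule(start, max_lifetime_days, years)
  schedule = [start]
  years.times do
    expiry = schedule.last + max_lifetime_days
    schedule << latest_business_day_on_or_before(expiry)
  end
  schedule
end

# Policy B: rotate on the same calendar date every year, pulled back to a business day.
# The date stays put, but single token lifetimes then exceed 365 days around leap years and weekends.
def anniversary_schedule(start, years)
  [start] + (1..years).map { |i| latest_business_day_on_or_before(start.next_year(i)) }
end

# Longest lifetime any one token needs under a schedule: the gap between consecutive rotations.
def longest_token_lifetime(schedule)
  schedule.each_cons(2).map { |a, b| (b - a).to_i }.max
end

# Does every token in the schedule fit within the instance maximum?
def schedule_fits?(schedule, max_lifetime_days)
  longest_token_lifetime(schedule) <= max_lifetime_days
end

# How many days earlier in the calendar the last rotation falls compared with the start date's anniversary.
def calendar_drift_days(schedule)
  first, last = schedule.first, schedule.last
  (first.next_year(last.year - first.year) - last).to_i
end

if __FILE__ == $PROGRAM_NAME
  start = Date.new(2024, 1, 15) # constructed example: a Monday
  creep = rotate_at_expiry_schedule(start, MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS, 7)
  puts "rotate-at-expiry under 365: #{creep.first} -> #{creep.last}, " \
       "rotation date drifted #{calendar_drift_days(creep)} days earlier"
  anniv = anniversary_schedule(start, 7)
  puts "anniversary policy needs a #{longest_token_lifetime(anniv)}-day token: " \
       "fits 365? #{schedule_fits?(anniv, MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS)}, " \
       "fits 400? #{schedule_fits?(anniv, MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS_BUFFERED)}"
end
```

Over the seven simulated years the rotate-at-expiry policy slides from 15 January to 10 January, while the anniversary policy needs at most a 367-day token, which fits 400 but not 365.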

Edited by 🤖 GitLab Bot 🤖

Activity

  • Imre Farkas removed review request for @ifarkas

  • Joe Snyder added 421 commits

    • 8ebc2774...768a6d5f - 418 commits from branch gitlab-org:master
    • 00905707 - apps/settings: Extend maximum token and SSH key expiration to 400 days
    • 0e593faf - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
    • de64f732 - Additional updates to fix tests

  • Hannah Sutor changed milestone to %17.5

  • assigned to @joe-snyder and unassigned @ben.boeckel

  • Jon Glassman requested review from @jglassman1

    • Resolved by Imre Farkas

      @ben.boeckel @joe-snyder I'm reviewing the release post for this feature, and saw that we needed to update the docs changes for this MR. I know it looks like a lot, but these are all format and structure changes rather than issues with the content itself. Happy to discuss anytime if needed.

  • Jon Glassman approved this merge request

  • added pipelinetier-2 label and removed pipelinetier-1 label

  • Thank you @joe-snyder happy to approve the docs changes.

  • Jon Glassman removed review request for @jglassman1

  • requested review from @ifarkas

  • Joe Snyder reset approvals from @jglassman1 by pushing to the branch

    • Resolved by Imre Farkas

      @adil.farrukh Is the plan to keep this behind a FF? From the docs:

      • 400 days, if you enable the buffered_token_expiration_limit feature flag.

      I'm just wondering if we should either mention the feature flag in the RP or wait until we remove it (if we intend to). I would lean towards keeping it behind a FF, but then that's another one to maintain. WDYT?

  • Jon Glassman requested review from @jglassman1

  • Jon Glassman approved this merge request

  • Jon Glassman removed review request for @jglassman1

  • Imre Farkas approved this merge request

  • Imre Farkas resolved all threads

  • Imre Farkas enabled automatic add to merge train when checks pass

  • A deleted user added backend feature flag frontend labels
  • 1 Warning
    :warning: This MR changes code in ee/, but its Changelog commit is missing the EE: true trailer. Consider adding it to your Changelog commits.
    1 Message
    :book: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

    Reviewer roulette

    +---------------------+-----------------------+----------------------+
    | Category            | Reviewer              | Maintainer           |
    +---------------------+-----------------------+----------------------+
    | backend             | @evakadlecova (UTC+2) | @splattael (UTC+2)   |
    | frontend            | @fernando-c (UTC-5)   | @peterhegman (UTC-7) |
    | UX                  | @ipelaez1 (UTC-4)     | review optional      |
    | groupauthentication | review optional       | @ifarkas (UTC+2)     |
    +---------------------+-----------------------+----------------------+

    Generated by :no_entry_sign: Danger

  • E2E Test Result Summary

    allure-report-publisher generated test report!

    e2e-test-on-gdk: :white_check_mark: test report for a9096357

    +------------------------------------------------------------------+
    |                          suites summary                          |
    +-------------+--------+--------+---------+-------+-------+--------+
    |             | passed | failed | skipped | flaky | total | result |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Govern      | 48     | 0      | 4       | 0     | 52    | ✅     |
    | Plan        | 106    | 0      | 0       | 0     | 106   | ✅     |
    | Create      | 96     | 0      | 2       | 0     | 98    | ✅     |
    | Verify      | 76     | 0      | 2       | 0     | 78    | ✅     |
    | Release     | 8      | 0      | 0       | 0     | 8     | ✅     |
    | Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
    | Data Stores | 32     | 0      | 0       | 0     | 32    | ✅     |
    | Secure      | 8      | 0      | 0       | 0     | 8     | ✅     |
    | Manage      | 2      | 0      | 0       | 0     | 2     | ✅     |
    | Package     | 34     | 0      | 0       | 0     | 34    | ✅     |
    | Monitor     | 6      | 0      | 0       | 0     | 6     | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Total       | 418    | 0      | 8       | 0     | 426   | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+

    e2e-test-on-omnibus: :white_check_mark: test report for 39c965f7

    +-------------------------------------------------------------+
    |                       suites summary                        |
    +--------+--------+--------+---------+-------+-------+--------+
    |        | passed | failed | skipped | flaky | total | result |
    +--------+--------+--------+---------+-------+-------+--------+
    | Govern | 164    | 0      | 10      | 0     | 174   | ✅     |
    +--------+--------+--------+---------+-------+-------+--------+
    | Total  | 164    | 0      | 10      | 0     | 174   | ✅     |
    +--------+--------+--------+---------+-------+-------+--------+

    e2e-test-on-cng: :white_check_mark: test report for a9096357

    +------------------------------------------------------------------+
    |                          suites summary                          |
    +-------------+--------+--------+---------+-------+-------+--------+
    |             | passed | failed | skipped | flaky | total | result |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Create      | 139    | 0      | 21      | 16    | 160   | ✅     |
    | Plan        | 86     | 0      | 8       | 12    | 94    | ✅     |
    | Package     | 24     | 0      | 14      | 0     | 38    | ✅     |
    | Verify      | 50     | 0      | 15      | 10    | 65    | ✅     |
    | Monitor     | 8      | 0      | 12      | 0     | 20    | ✅     |
    | Govern      | 79     | 0      | 11      | 8     | 90    | ✅     |
    | Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
    | Manage      | 1      | 0      | 9       | 0     | 10    | ✅     |
    | Secure      | 3      | 0      | 3       | 1     | 6     | ✅     |
    | Data Stores | 33     | 0      | 10      | 0     | 43    | ✅     |
    | Fulfillment | 2      | 0      | 7       | 0     | 9     | ✅     |
    | Release     | 5      | 0      | 1       | 0     | 6     | ✅     |
    | Growth      | 0      | 0      | 2       | 0     | 2     | ➖     |
    | Ai-powered  | 0      | 0      | 2       | 0     | 2     | ➖     |
    | Configure   | 0      | 0      | 3       | 0     | 3     | ➖     |
    | ModelOps    | 0      | 0      | 1       | 0     | 1     | ➖     |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Total       | 432    | 0      | 119     | 47    | 551   | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
  • Joe Snyder reset approvals from @ifarkas and @jglassman1 by pushing to the branch

  • added UX label

  • removed UX label

  • Removing UX here

  • added UX label

  • Joe Snyder added 558 commits

    • 5367e6d8...d96ecadb - 549 commits from branch gitlab-org:master
    • 2cd6171e - apps/settings: Extend maximum token and SSH key expiration to 400 days
    • ee5bd860 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
    • 001a8ca0 - Additional updates to fix tests
    • 62db2ca8 - Apply 14 suggestion(s) to 6 file(s)
    • c0f20778 - Additional updates in documentation
    • 8e944e4a - Apply 1 suggestion(s) to 1 file(s)
    • ee1602a4 - Add test for Personal Access Token helper
    • bb804082 - Switch to "long" rubocop disabling
    • a9096357 - Fix whitespace issues raised by Rubocop

  • requested review from @jglassman1

  • Jon Glassman approved this merge request

  • Imre Farkas approved this merge request

  • Imre Farkas changed milestone to %17.6

  • Imre Farkas resolved all threads

  • Imre Farkas enabled automatic add to merge train when checks pass

  • merged

  • Imre Farkas mentioned in commit d04fd469

  • Joe Snyder mentioned in merge request !170451 (merged)

  • added workflowstaging label and removed workflowcanary label

  • Joe Snyder mentioned in merge request !170939 (merged)

  • 117 118 !Gitlab::CurrentSettings.require_personal_access_token_expiry?
    118 119 end
    119 120
    121 def max_expiration_lifetime_in_days
    122 if ::Feature.enabled?(:buffered_token_expiration_limit) # rubocop:disable Gitlab/FeatureFlagWithoutActor -- Group setting but checked at user
    123 MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS_BUFFERED
    124 else
    125 MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS
    126 end
    127 end
    128
    120 129 def expires_at_before_instance_max_expiry_date
    121 130 return unless expires_at
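  • Review bot: `max_expiration_lifetime_in_days` checks `::Feature.enabled?(:buffered_token_expiration_limit)` with no actor, which the rubocop disable comment on the `if` line acknowledges; that means the flag can only be switched instance-wide, not rolled out per group or per user, and the flag documentation should say so. It is also worth confirming in a spec what happens to tokens already issued with a lifetime between 366 and 400 days if the flag is later disabled, since this method will then start returning `MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS` and the admin help text in this MR says tokens with an expiration beyond the maximum allowable lifetime are revoked when the limit changes.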
  • mentioned in issue #490989

  • mentioned in issue #508144

  • 4 4 .form-group
    5 5 = form.label :max_personal_access_token_lifetime, _('Maximum allowable lifetime for access token (days)'), class: 'label-light'
    6 6 = form.number_field :max_personal_access_token_lifetime, class: 'form-control gl-form-input input-xs'
    7 %span.form-text.text-muted#max_personal_access_token_lifetime= _('When left blank, default value of 365 is applied. When set, value must be 365 or less. When changed, existing access tokens with an expiration date beyond the maximum allowable lifetime are revoked.')
    7 %span.form-text.text-muted#max_personal_access_token_lifetime= _('When left blank, default value of {max_personal_access_token_lifetime_in_days} is applied. When set, value must be {max_personal_access_token_lifetime_in_days} or less. When changed, existing access tokens with an expiration date beyond the maximum allowable lifetime are revoked.')
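  • Review bot: the new help text puts `{max_personal_access_token_lifetime_in_days}` inside `_()` but the visible line performs no substitution, so unless the value is interpolated elsewhere the placeholder will be shown to admins literally. GitLab's translatable strings use `%{name}` placeholders followed by `% { name: value }`; suggest `_('... %{max_personal_access_token_lifetime_in_days} ...') % { max_personal_access_token_lifetime_in_days: <the current limit> }`, where the limit could come from the `max_expiration_lifetime_in_days` helper added elsewhere in this MR if it is exposed to the view.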
  • mentioned in issue #508151 (closed)

  • @eduardosanz, I've tried to answer a few more of your points. I'll see if any quick updates to a test can be made to prove some of these things.

  • Joe Snyder mentioned in merge request !175124 (merged)

  • Suzanne Selhorn mentioned in merge request !175754 (merged)
