Extend maximum token and SSH key expiration to 400 days
What does this MR do and why?
apps/settings: Extend maximum token and SSH key expiration to 400 days
An expiration of 365 days means that rotation ends up "creeping" back the calendar every year unless tokens are rotated on the exact day they expire. A forced "lose a day" occurs when the validity period spans over February 29th. In practice, the expiration falling on a weekend would also force losing a day or two. Instead, bump the maximum allowed to 400 days for all editions so that a little over one month of leeway is allowed to perform rotations of tokens and SSH keys.
While 395 would be "sufficient", 400 being so close makes it worth choosing instead.
Changelog: changed
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
Test suite should handle this.
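The calendar creep described in the commit message, worked through as an added Ruby example (not code from this merge request or from GitLab). It assumes a hypothetical operator who aims for the same anniversary each year, rotates only on business days, and must rotate no later than issue date plus the maximum lifetime; the function names and the 2023-06-01 start date are constructed for illustration.

```ruby
require 'date'

# Constructed model for illustration; not GitLab code.
# An operator wants to rotate a token on the same calendar anniversary every
# year, rotates only on business days, and must rotate no later than
# issue date + max_lifetime_days (the latest expiry the instance allows).

def business_day_on_or_before(date)
  date -= 1 while date.saturday? || date.sunday?
  date
end

# Returns the issue dates of the token over `years` rotations, starting with
# the initial issue date `start`.
def rotation_dates(start, max_lifetime_days, years)
  dates = [start]
  years.times do |i|
    latest_expiry = dates.last + max_lifetime_days # hard deadline for this cycle
    anniversary   = start.next_year(i + 1)         # the date the operator aims for
    deadline      = [anniversary, latest_expiry].min
    dates << business_day_on_or_before(deadline)
  end
  dates
end

# How many days before the intended anniversary the last rotation happened.
def drift_days(start, max_lifetime_days, years)
  (start.next_year(years) - rotation_dates(start, max_lifetime_days, years).last).to_i
end

if __FILE__ == $PROGRAM_NAME
  start = Date.new(2023, 6, 1) # constructed sample start date (a Thursday)
  [365, 400].each do |limit|
    puts "max lifetime #{limit} days:"
    rotation_dates(start, limit, 5).each { |d| puts "  #{d} (#{d.strftime('%a')})" }
    puts "  drift after 5 years: #{drift_days(start, limit, 5)} days"
  end
end
```

Because 365 days is 52 weeks plus one day, a token issued on a Friday under the 365-day cap always expires on a Saturday, so in this model every cycle after the first loses a day on top of the leap-day losses.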
Thanks for your contribution to GitLab @ben.boeckel!
Did you know about our community forks? Working from there will make your contribution process easier. Please check it out!
- If you need help, comment @gitlab-bot help or come say hi on Discord.
- When you're ready for a review, comment on this merge request with @gitlab-bot ready.
- We welcome AI-generated contributions! Read more/check the box at the top of the merge request description.
- To add labels to your merge request, comment @gitlab-bot label ~"label1" ~"label2".
This message was generated automatically. You're welcome to improve it.
added Community contribution and workflow::in dev labels
assigned to @ben.boeckel
- Resolved by Ben Boeckel
`tooling/bin/gettext_extractor locale/gitlab.pot`
I tried running this in a container where I set up the required bits, but I can't seem to get `gettext-generator` for Node working.
- Resolved by Imre Farkas
@gitlab-bot ready
added workflow::ready for review label and removed workflow::in dev label
Hi @msedlakjakubowski! Please review this documentation merge request. This message was generated automatically. You're welcome to improve it.
added documentation and tw::triaged labels
requested review from @msedlakjakubowski
@msedlakjakubowski, this Community contribution is ready for review.
- Do you have capacity and domain expertise to review this? If not, find one or more reviewers and assign to them.
- If you've reviewed it, add the workflow::in dev label if these changes need more work before the next review.
This message was generated automatically. You're welcome to improve it.
changed milestone to %17.1
added pipeline::tier-1 label
added devops::govern and group::authentication labels and removed pipeline::tier-1 label
added pipeline::tier-1 label
added section::sec label
requested review from @hsutor and @adil.farrukh and removed review request for @msedlakjakubowski
added 1 commit
- 8b712e54 - apps/settings: Extend maximum token and SSH key expiration to 400 days
mentioned in issue #461782
mentioned in issue #461901 (closed)
mentioned in issue #462025
requested review from @ifarkas
mentioned in issue gitlab-org/quality/triage-reports#17832 (closed)
requested review from @rshambhuni
mentioned in issue gitlab-org/quality/triage-reports#17833 (closed)
added type::maintenance label
removed review request for @rshambhuni
removed review request for @hsutor
- Resolved by Adil Farrukh
@ifarkas, @adil.farrukh, this Community contribution was recently assigned to you for review.
- Do you still have capacity to review this? We are mindful of your time, so if you are not able to take this on, please re-assign to one or more other reviewers.
- Add the workflow::in dev label if the merge request needs action from the author.
This message was generated automatically. You're welcome to improve it.
added automation:reviewers-reminded label
added workflow::in dev label and removed workflow::ready for review label
removed automation:reviewers-reminded label
changed milestone to %17.2
removed review request for @adil.farrukh
changed milestone to %17.3
added idle label
removed idle label
added 10874 commits
- 8b712e54...c1853b3c - 10872 commits from branch gitlab-org:master
- 95c896ca - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 98d49c82 - WIP: feature_flags/buffered_token_expiration_limit: add feature flag
changed milestone to %17.4
Security policy violations have been resolved.
Edited by GitLab Security Bot
added 5546 commits
- 98d49c82...12e98f8e - 5544 commits from branch gitlab-org:master
- 8c7e9b50 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 3507bb9f - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
added 670 commits
- 3507bb9f...95fb969f - 667 commits from branch gitlab-org:master
- 416e9f51 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- da8ebe9d - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- d9525fad - Additional updates to fix tests
added 726 commits
- d9525fad...e3d5de77 - 723 commits from branch gitlab-org:master
- d6477627 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- fecee2fc - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 85147f40 - Additional updates to fix tests
added 274 commits
- 85147f40...fed24f7e - 271 commits from branch gitlab-org:master
- f11b2715 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 5c02c716 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- e70189c0 - Additional updates to fix tests
added 264 commits
- e70189c0...4965e626 - 261 commits from branch gitlab-org:master
- 60c100bd - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 94c5c58b - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 8ebc2774 - Additional updates to fix tests
- Resolved by Imre Farkas
@gitlab-bot ready @ifarkas
I've taken over the work for this MR. I think things are looking good in terms of testing and updates. Please take a look when you can!
- Resolved by Imre Farkas
removed review request for @ifarkas
added 421 commits
- 8ebc2774...768a6d5f - 418 commits from branch gitlab-org:master
- 00905707 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 0e593faf - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- de64f732 - Additional updates to fix tests
added 1070 commits
- de64f732...c4670bcb - 1067 commits from branch gitlab-org:master
- 6686a214 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 3a0b3c35 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- edf8f501 - Additional updates to fix tests
added 306 commits
- edf8f501...ae1f0962 - 303 commits from branch gitlab-org:master
- 8f7a1654 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 31a26bcd - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 89eec4db - Additional updates to fix tests
- Resolved by Imre Farkas
@gitlab-bot ready @ifarkas
added 646 commits
- 89eec4db...27ba6105 - 643 commits from branch gitlab-org:master
- a31b206c - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 1ceda713 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 2d3384bd - Additional updates to fix tests
- Resolved by Imre Farkas
added 473 commits
- 2d3384bd...08c33bad - 470 commits from branch gitlab-org:master
- e31c1f22 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- c64c63dc - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- a1b4028d - Additional updates to fix tests
added 765 commits
- a1b4028d...29d31608 - 762 commits from branch gitlab-org:master
- 3a0a815e - apps/settings: Extend maximum token and SSH key expiration to 400 days
- b6d76248 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 71ad2b9a - Additional updates to fix tests
changed milestone to %17.5
assigned to @joe-snyder and unassigned @ben.boeckel
- Resolved by Jon Glassman
requested review from @jglassman1
- Resolved by Jon Glassman
mentioned in merge request gitlab-com/www-gitlab-com!135899
- Resolved by Imre Farkas
@ben.boeckel @joe-snyder I'm reviewing the release post for this feature, and saw that we needed to update the docs changes for this MR. I know it looks like a lot, but these are all format and structure changes rather than issues with the content itself. Happy to discuss anytime if needed.
added 918 commits
- 9cebd6e0...812b6c16 - 913 commits from branch gitlab-org:master
- 7f0a2ad3 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 405fea6e - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 0deb68d6 - Additional updates to fix tests
- 2599afde - Apply 14 suggestion(s) to 6 file(s)
- 58a811d5 - Change linked issue in documentation
- Resolved by Jon Glassman
added pipeline:mr-approved label
added pipeline::tier-2 label and removed pipeline::tier-1 label
Before you set this MR to auto-merge
This merge request will progress on pipeline tiers until it reaches the last tier: pipeline::tier-3.
Before you set this MR to auto-merge, please check the following:
- You are the last maintainer of this merge request
- The latest pipeline for this merge request is pipeline::tier-3 (You can find which tier it is in the pipeline name)
- This pipeline is recent enough (created in the last 8 hours)
If all the criteria above apply, please set auto-merge for this merge request.
See pipeline tiers and merging a merge request for more details.
Hi @jglassman1, GitLab Bot has added the Technical Writing label because a Technical Writer has approved or merged this MR.
This message was generated automatically. You're welcome to improve it.
added Technical Writing label
Thank you @joe-snyder happy to approve the docs changes.
removed review request for @jglassman1
added workflow::ready for review label and removed workflow::in dev label
requested review from @ifarkas
@ifarkas, this Community contribution is ready for review.
- Do you have capacity and domain expertise to review this? If not, find one or more reviewers and assign to them.
- If you've reviewed it, add the workflow::in dev label if these changes need more work before the next review.
This message was generated automatically. You're welcome to improve it.
added 1073 commits
- 236d057f...082795f6 - 1067 commits from branch gitlab-org:master
- 88a8a7e2 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 03d69123 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 4d4e449e - Additional updates to fix tests
- db1b2b95 - Apply 14 suggestion(s) to 6 file(s)
- 2b5944dc - Additional updates in documentation
- 7c9fc130 - Apply 1 suggestion(s) to 1 file(s)
added 47 commits
- 7c9fc130...4fc5cbfb - 40 commits from branch gitlab-org:master
- 75f9e28b - apps/settings: Extend maximum token and SSH key expiration to 400 days
- 4866c7a6 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 115289f9 - Additional updates to fix tests
- bcebd07e - Apply 14 suggestion(s) to 6 file(s)
- 49b694bc - Additional updates in documentation
- 2908ede8 - Apply 1 suggestion(s) to 1 file(s)
- 39c965f7 - Add test for Personal Access Token helper
reset approvals from @jglassman1 by pushing to the branch
- Resolved by Imre Farkas
@adil.farrukh Is the plan to keep this behind a FF? From the docs:
- 400 days, if you enable the `buffered_token_expiration_limit` feature flag.
I'm just wondering if we should either mention the feature flag in the RP or wait until we remove it (if we intend to). I would lean towards keeping it behind a FF, but then that's another one to maintain. WDYT?
requested review from @jglassman1
removed review request for @jglassman1
added pipeline::tier-3 and pipeline:run-e2e-omnibus-once labels and removed pipeline::tier-2 label
- A deleted user
added backend feature flag frontend labels
- Resolved by Imre Farkas
1 Warning
This MR changes code in `ee/`, but its Changelog commit is missing the `EE: true` trailer. Consider adding it to your Changelog commits.
1 Message
This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
Documentation review
The following files require a review from a technical writer:
- `doc/administration/settings/account_and_limit_settings.md`
- `doc/api/settings.md`
- `doc/tutorials/automate_runner_creation/index.md`
- `doc/user/group/settings/group_access_tokens.md`
- `doc/user/profile/personal_access_tokens.md`
- `doc/user/project/settings/project_access_tokens.md`
The review does not need to block merging this merge request. See the:
- Metadata for the `*.md` files that you've changed. The first few lines of each `*.md` file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
| Category | Reviewer | Maintainer |
|----------|----------|------------|
| backend | @evakadlecova (UTC+2) | @splattael (UTC+2) |
| frontend | @fernando-c (UTC-5) | @peterhegman (UTC-7) |
| UX | @ipelaez1 (UTC-4) | Maintainer review is optional for UX |
| group::authentication | Reviewer review is optional for group::authentication | @ifarkas (UTC+2) |
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
E2E Test Result Summary
allure-report-publisher generated test report!
e2e-test-on-gdk: test report for a9096357
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Govern      | 48     | 0      | 4       | 0     | 52    | ✅     |
| Plan        | 106    | 0      | 0       | 0     | 106   | ✅     |
| Create      | 96     | 0      | 2       | 0     | 98    | ✅     |
| Verify      | 76     | 0      | 2       | 0     | 78    | ✅     |
| Release     | 8      | 0      | 0       | 0     | 8     | ✅     |
| Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
| Data Stores | 32     | 0      | 0       | 0     | 32    | ✅     |
| Secure      | 8      | 0      | 0       | 0     | 8     | ✅     |
| Manage      | 2      | 0      | 0       | 0     | 2     | ✅     |
| Package     | 34     | 0      | 0       | 0     | 34    | ✅     |
| Monitor     | 6      | 0      | 0       | 0     | 6     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 418    | 0      | 8       | 0     | 426   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
e2e-test-on-omnibus: test report for 39c965f7
+-------------------------------------------------------------+
|                       suites summary                        |
+--------+--------+--------+---------+-------+-------+--------+
|        | passed | failed | skipped | flaky | total | result |
+--------+--------+--------+---------+-------+-------+--------+
| Govern | 164    | 0      | 10      | 0     | 174   | ✅     |
+--------+--------+--------+---------+-------+-------+--------+
| Total  | 164    | 0      | 10      | 0     | 174   | ✅     |
+--------+--------+--------+---------+-------+-------+--------+
e2e-test-on-cng: test report for a9096357
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Create      | 139    | 0      | 21      | 16    | 160   | ✅     |
| Plan        | 86     | 0      | 8       | 12    | 94    | ✅     |
| Package     | 24     | 0      | 14      | 0     | 38    | ✅     |
| Verify      | 50     | 0      | 15      | 10    | 65    | ✅     |
| Monitor     | 8      | 0      | 12      | 0     | 20    | ✅     |
| Govern      | 79     | 0      | 11      | 8     | 90    | ✅     |
| Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
| Manage      | 1      | 0      | 9       | 0     | 10    | ✅     |
| Secure      | 3      | 0      | 3       | 1     | 6     | ✅     |
| Data Stores | 33     | 0      | 10      | 0     | 43    | ✅     |
| Fulfillment | 2      | 0      | 7       | 0     | 9     | ✅     |
| Release     | 5      | 0      | 1       | 0     | 6     | ✅     |
| Growth      | 0      | 0      | 2       | 0     | 2     | ➖     |
| Ai-powered  | 0      | 0      | 2       | 0     | 2     | ➖     |
| Configure   | 0      | 0      | 3       | 0     | 3     | ➖     |
| ModelOps    | 0      | 0      | 1       | 0     | 1     | ➖     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 432    | 0      | 119     | 47    | 551   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
added 419 commits
- 39c965f7...d82977a2 - 411 commits from branch gitlab-org:master
- bd4a7459 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- ccb521e0 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 68f3aac2 - Additional updates to fix tests
- f7aace7f - Apply 14 suggestion(s) to 6 file(s)
- b92f1cab - Additional updates in documentation
- 330f70d1 - Apply 1 suggestion(s) to 1 file(s)
- 80da7355 - Add test for Personal Access Token helper
- 429b6827 - Switch to "long" rubocop disabling
reset approvals from @ifarkas and @jglassman1 by pushing to the branch
removed pipeline:run-e2e-omnibus-once label
added UX label
Thanks for helping us improve the UX of GitLab. Your contribution is appreciated! We have pinged our UX team, so stay tuned for their feedback.
This message was generated automatically. You're welcome to improve it.
removed UX label
Removing UX here
added UX label
added 1088 commits
- 429b6827...e882b7e9 - 1080 commits from branch gitlab-org:master
- e39b4aa9 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- a41d10c9 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 3baed0a5 - Additional updates to fix tests
- 94b22b23 - Apply 14 suggestion(s) to 6 file(s)
- 9b9ea888 - Additional updates in documentation
- 05b0bf8f - Apply 1 suggestion(s) to 1 file(s)
- fb0d63e0 - Add test for Personal Access Token helper
- cbc07f3e - Switch to "long" rubocop disabling
added 1785 commits
- cbc07f3e...ec05fe6b - 1777 commits from branch gitlab-org:master
- a5f197d4 - apps/settings: Extend maximum token and SSH key expiration to 400 days
- daa61355 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 2b29f140 - Additional updates to fix tests
- 07c9b016 - Apply 14 suggestion(s) to 6 file(s)
- 50240183 - Additional updates in documentation
- 8ff3c92f - Apply 1 suggestion(s) to 1 file(s)
- 2b981581 - Add test for Personal Access Token helper
- 5367e6d8 - Switch to "long" rubocop disabling
added 558 commits
- 5367e6d8...d96ecadb - 549 commits from branch gitlab-org:master
- 2cd6171e - apps/settings: Extend maximum token and SSH key expiration to 400 days
- ee5bd860 - WIP: feature_flags/buffered_token_expiration_limit: Add feature flag
- 001a8ca0 - Additional updates to fix tests
- 62db2ca8 - Apply 14 suggestion(s) to 6 file(s)
- c0f20778 - Additional updates in documentation
- 8e944e4a - Apply 1 suggestion(s) to 1 file(s)
- ee1602a4 - Add test for Personal Access Token helper
- bb804082 - Switch to "long" rubocop disabling
- a9096357 - Fix whitespace issues raised by Rubocop
- Resolved by Imre Farkas
@gitlab-bot ready @ifarkas @jglassman1
Rebasing the work reset the approvals before that really long-running MWPS finally passed. Thank you both again!
requested review from @jglassman1
changed milestone to %17.6
started a merge train
@ben.boeckel, how was your code review experience with this merge request? Please tell us how we can continue to iterate and improve:
- React with a or a on this comment to describe your experience.
- Create a new comment starting with `@gitlab-bot feedback` below, and leave any additional feedback you have for us in the comment.
As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo. With Code Suggestions, Chat and more AI-powered features, GitLab Duo helps to boost your efficiency and effectiveness by reducing the time required to write and understand code. Visit the Duo access project to request a GitLab Duo license and learn more about the benefits of GitLab Duo.
Subscribe to the GitLab Community Newsletter for contributor-focused content and opportunities to level up.
Thanks for your help!
This message was generated automatically. You're welcome to improve it.
mentioned in commit d04fd469
- Resolved by Eduardo Sanz García
@joe-snyder @ben.boeckel @ifarkas I think I made a mistake here - this MR only has docs changes for extending the access token lifetime to 400 days, but no documentation changes for SSH keys. I should have caught this, apologies. Am I right in thinking that we need a follow-up documentation MR for Limit the lifetime of SSH keys and List of settings that can be accessed via API calls?
mentioned in merge request !170451 (merged)
added workflow::staging-canary label and removed workflow::ready for review label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-production label and removed workflow::production label
mentioned in merge request !170939 (merged)
added released::candidate label
@ifarkas, I believe the implementation in this MR is incomplete for the UI. `expires_at_field_data` methods are used for the date picker in the expiration date in the token form creation:
- CE: https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/helpers/access_tokens_helper.rb#L38
- EE: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/helpers/ee/access_tokens_helper.rb#L8
In addition, Ultimate customers can set a custom expiration date for the tokens. Why not use that instead of the solution implemented here? It seems a more flexible alternative.
/cc @adil.farrukh
Edited by Eduardo Sanz García
@eduardosanz I think the MR correctly provided an option for the max token lifetime setting to be increased to 400 days. The problem is the bug where this setting shouldn't actually have an effect until a user selects `Require token expirations`. The 365 limit you see currently is an artifact of us adding a 1 year max expiration but now that there is the backported option of `Require token expirations`, the `max token lifetime` should not have the 365 default value. See #470192 (closed) for how I believe it should work.
Based on that, we can add a bug to resolve this (though I am surprised it hasn't been raised till now).
117 118 !Gitlab::CurrentSettings.require_personal_access_token_expiry? 118 119 end 119 120 121 def max_expiration_lifetime_in_days 122 if ::Feature.enabled?(:buffered_token_expiration_limit) # rubocop:disable Gitlab/FeatureFlagWithoutActor -- Group setting but checked at user 123 MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS_BUFFERED 124 else 125 MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS 126 end 127 end 128 120 129 def expires_at_before_instance_max_expiry_date 121 130 return unless expires_at
I don't see an error being raised if no `expires_at` entry is being sent as part of the data. I also, though, don't see the buffered length being used if the feature flag is enabled.
```
[5] pry(main)> p Feature.enabled?(:buffered_token_expiration_limit)
true
=> true
[6] pry(main)> q
softhat@irune-gitlab:~/Work/TriLab/gitlab-development-kit/gitlab$ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=api" "http://gdk.test:3000/api/v4/users/1/personal_access_tokens"
{"id":8,"name":"mytoken","revoked":false,"created_at":"2024-12-05T20:43:36.081Z","description":null,"scopes":["api"],"user_id":1,"last_used_at":null,"active":true,"expires_at":"2025-12-05","token":"glpat-w3ppnRTX_QyEHt17NSbp"}
```
In this curl call, I would have expected `expires_at` to return Jan 1, 2026 but it returns as if 365 days were selected.
@eduardosanz, I found a missed update in the CreateService for PATs where we didn't respect the feature flag. I've pushed the update here: gitlab-community/gitlab@db73efa2
For the `expires_at_field_data`, I suppose that you want to see a `max_date` that isn't `EE` only and hidden behind the `:personal_access_token_expiration_policy` flag? Or should we update the `EE` to set a different amount of time?
created #508496 (closed) to continue this discussion
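Review bot: `max_expiration_lifetime_in_days` checks `::Feature.enabled?(:buffered_token_expiration_limit)` with no actor, so the 400-day limit can only be switched for the whole instance, and the disable reason "Group setting but checked at user" does not say that this is intended; the comment should spell it out. This method is also the only place in the hunk that picks between the two constants, so any caller that still reads `MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS` directly keeps the 365-day value with the flag on, which matches the 365-day `expires_at` reported in this thread; those callers should go through this method.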
@joe-snyder, thanks for Fix CreateService for buffered_token_expiration... (!175124 - merged)!
Let's focus for now on reusing the same constants everywhere and on not duplicating logic.
I am currently working independently on `expires_at_field_data` in Prevent choosing invalid pat expiration date pi... (!170094 - merged).
I envision a future consolidation between `expires_at_field_data` and `expires_at_before_instance_max_expiry_date` methods.
I created an epic to track down all these inconsistencies: Fix date issues for access token expiration (&16194)
- Resolved by Eduardo Sanz García
mentioned in issue #490989
- Resolved by Eduardo Sanz García
mentioned in issue #508144
4 4 .form-group 5 5 = form.label :max_personal_access_token_lifetime, _('Maximum allowable lifetime for access token (days)'), class: 'label-light' 6 6 = form.number_field :max_personal_access_token_lifetime, class: 'form-control gl-form-input input-xs' 7 %span.form-text.text-muted#max_personal_access_token_lifetime= _('When left blank, default value of 365 is applied. When set, value must be 365 or less. When changed, existing access tokens with an expiration date beyond the maximum allowable lifetime are revoked.') 7 %span.form-text.text-muted#max_personal_access_token_lifetime= _('When left blank, default value of {max_personal_access_token_lifetime_in_days} is applied. When set, value must be {max_personal_access_token_lifetime_in_days} or less. When changed, existing access tokens with an expiration date beyond the maximum allowable lifetime are revoked.')
This has created this issue: #508151 (closed)
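Review bot: the new help text on line 7 puts `{max_personal_access_token_lifetime_in_days}` inside the `_()` string as a bare brace token and nothing on the line interpolates it, so administrators will see the placeholder name instead of the limit. Use a named gettext placeholder, `%{max_personal_access_token_lifetime_in_days}`, and pass the value with `% { ... }`, taking it from the same source the model uses so the label and the validation cannot disagree.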
mentioned in issue #508151 (closed)
@eduardosanz, I've tried to answer a few more of your points. I'll see if any quick updates to a test can be made to prove some of these things.
mentioned in issue #508496 (closed)
mentioned in merge request !175124 (merged)
mentioned in merge request !175754 (merged)
added released::published label and removed released::candidate label
added Category:System Access label
mentioned in issue gitlab-org/quality/triage-reports#22024 (closed)