Add require_personal_access_token_expiry application setting

Stan Hu requested to merge sh-add-require-pat-expiry-option into master

What does this MR do and why?

Adds a new admin setting, ApplicationSettings#require_personal_access_token_expiry, that removes the expiration enforcement of PAT, PrAT and GrATs. SM admins can optionally enable the setting "Require access tokens to have an expiry" to require expiration for their tokens. This will only be applicable to net new tokens.

For users that have not yet migrated to 16.0 (i.e. the expires_at values haven't been set via the migration), this setting should default to off to reflect the expiration status. For users on 16.0 and above, the setting should default to on, as expires_at values would already be set via the migration.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/470192.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Migration output

up

$ bundle exec rake db:migrate                                                                                                                                                                                                                                           
main: == [advisory_lock_connection] object_id: 130760, pg_backend_pid: 90666
main: == 20240702181131 AddRequirePatExpiryToApplicationSettings: migrating =========
main: -- add_column(:application_settings, :require_personal_access_token_expiry, :boolean, {:default=>true, :null=>false})
main:    -> 0.0112s
main: == 20240702181131 AddRequirePatExpiryToApplicationSettings: migrated (0.0151s) 

main: == [advisory_lock_connection] object_id: 130760, pg_backend_pid: 90666
main: == [advisory_lock_connection] object_id: 131060, pg_backend_pid: 90668
main: == 20240702181141 UpdateRequirePatExpiryInApplicationSettings: migrating ======
main: -- execute("UPDATE application_settings SET require_personal_access_token_expiry = FALSE")
main:    -> 0.0019s
main: == 20240702181141 UpdateRequirePatExpiryInApplicationSettings: migrated (0.0420s) 

main: == [advisory_lock_connection] object_id: 131060, pg_backend_pid: 90668

down

$ bundle exec rake db:migrate:down:main VERSION=20240702181141
main: == [advisory_lock_connection] object_id: 130280, pg_backend_pid: 89415
main: == 20240702181141 UpdateRequirePatExpiryInApplicationSettings: reverting ======
main: == 20240702181141 UpdateRequirePatExpiryInApplicationSettings: reverted (0.0047s) 

main: == [advisory_lock_connection] object_id: 130280, pg_backend_pid: 89415

$ bundle exec rake db:migrate:down:main VERSION=20240702181131                                                                                                                                                                                                           
main: == [advisory_lock_connection] object_id: 130280, pg_backend_pid: 89988
main: == 20240702181131 AddRequirePatExpiryToApplicationSettings: reverting =========
main: -- remove_column(:application_settings, :require_personal_access_token_expiry, :boolean, {:default=>true, :null=>false})
main:    -> 0.0036s
main: == 20240702181131 AddRequirePatExpiryToApplicationSettings: reverted (0.0088s) 

main: == [advisory_lock_connection] object_id: 130280, pg_backend_pid: 89988

Edited by Imre Farkas
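The description says the setting only applies to net new tokens, so tokens created without an expiry while it was off are not covered by enabling it. The following is an added example, not code from this merge request or from GitLab, that audits a token listing for such tokens; the sample records are constructed, the field names are assumed to match the personal access tokens REST API response, and `max_days` is a hypothetical policy threshold.

```ruby
require "json"
require "date"

# Constructed sample, shaped like records from GitLab's personal access
# tokens REST API (assumed fields: id, name, user_id, scopes, active,
# revoked, expires_at). No real tokens or users are represented.
SAMPLE_TOKENS = <<~JSON
  [
    {"id": 1, "name": "ci-deploy", "user_id": 10, "scopes": ["api"],
     "active": true, "revoked": false, "expires_at": null},
    {"id": 2, "name": "backup-job", "user_id": 11, "scopes": ["read_repository"],
     "active": true, "revoked": false, "expires_at": "2025-01-15"},
    {"id": 3, "name": "old-script", "user_id": 10, "scopes": ["api"],
     "active": false, "revoked": true, "expires_at": null},
    {"id": 4, "name": "long-lived", "user_id": 12, "scopes": ["write_repository"],
     "active": true, "revoked": false, "expires_at": "2027-06-30"}
  ]
JSON

# Returns the ids of usable tokens that either never expire or expire more
# than max_days after `today`. Revoked or inactive tokens are skipped because
# they can no longer authenticate.
def audit_token_expiry(json, today:, max_days: 365)
  report = { no_expiry: [], too_long: [] }
  JSON.parse(json).each do |tok|
    next if tok["revoked"] || !tok["active"]

    if tok["expires_at"].nil?
      report[:no_expiry] << tok["id"]
    elsif (Date.parse(tok["expires_at"]) - today).to_i > max_days
      report[:too_long] << tok["id"]
    end
  end
  report
end

# The date is fixed so the result is reproducible.
p audit_token_expiry(SAMPLE_TOKENS, today: Date.new(2024, 7, 2))
```

Tokens reported under `no_expiry` are the ones to rotate or revoke by hand, since enabling the setting does not give them an expiry.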