Fix workspace PAT creation with short PAT lifetime

Summary

Fixes #579331 (closed)

When a self-managed instance has a max_personal_access_token_lifetime setting shorter than 365 days (e.g., 90 days for security compliance), workspace creation fails because the PAT expiry date is hardcoded to MAX_HOURS_BEFORE_TERMINATION (8760 hours = 365 days), which exceeds the allowed instance limit.

Problem

The PersonalAccessTokenCreator always sets the workspace PAT expiry to 365 days from now, regardless of instance or group-level PAT lifetime restrictions. When an admin configures a shorter max PAT lifetime (e.g., 90 days), the PAT validation rejects the token and workspace creation fails entirely.

Solution

Modified PersonalAccessTokenCreator.max_allowed_personal_access_token_expires_at to:

  1. Accept the user parameter so it can query the user's applicable PAT lifetime limits
  2. Use EE::Gitlab::PersonalAccessTokens::ExpiryDateCalculator to determine the instance/group-level max expiry date
  3. Take the minimum of the hardcoded 365-day max and the configured PAT lifetime limit

This ensures workspace PATs are always created within the allowed expiry window while still respecting the MAX_HOURS_BEFORE_TERMINATION upper bound.

Test changes

  • Added a new test case for when the instance has a shorter max_personal_access_token_lifetime
  • Updated the existing failure test to pass the user argument to the stubbed method

Changelog: fixed

Edited by Fabian Zimmer
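
The clamping described under Solution, as an added plain-Ruby sketch that is not code from this merge request or from GitLab. The method names, the inclusive validation check, and the sample date are assumptions; only MAX_HOURS_BEFORE_TERMINATION and its value come from the description.

```ruby
require 'date'

# Named after the constant in the description: 8760 hours = 365 days.
MAX_HOURS_BEFORE_TERMINATION = 8760

# Expiry used before the fix: always 365 days out, whatever the instance allows.
def hardcoded_expiry(today)
  today + (MAX_HOURS_BEFORE_TERMINATION / 24)
end

# Expiry after the fix: the earlier of the 365-day ceiling and the configured
# maximum. configured_max is a Date, or nil when no lifetime limit is set
# (hypothetical stand-in for what the expiry date calculator returns).
def clamped_expiry(today, configured_max)
  [hardcoded_expiry(today), configured_max].compact.min
end

# Hypothetical stand-in for PAT validation: an expiry is accepted only if it
# does not fall after the configured maximum (assumed inclusive).
def pat_expiry_allowed?(expires_at, configured_max)
  configured_max.nil? || expires_at <= configured_max
end

# Runs both behaviours for one max_personal_access_token_lifetime value (days).
def compare(today, max_lifetime_days)
  configured_max = max_lifetime_days && today + max_lifetime_days
  after = clamped_expiry(today, configured_max)
  {
    before_ok: pat_expiry_allowed?(hardcoded_expiry(today), configured_max),
    after_ok: pat_expiry_allowed?(after, configured_max),
    expires_at: after
  }
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2025, 1, 1) # constructed sample date
  [nil, 90, 365, 400].each do |days|
    puts "limit=#{days.inspect} #{compare(today, days)}"
  end
end
```

With a 90-day limit the hardcoded expiry is rejected while the clamped one is accepted; with no limit or a limit above 365 days the 365-day ceiling still applies.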
