Rotating access tokens in web UI with validity duration longer than lifetime limit fails with an error
### Summary

Users are unable to rotate (using the web UI) Group/Project/Personal access tokens that have a validity duration longer than the current allowed lifetime limit for access tokens. Attempting to use the existing rotate button/functionality fails with an error.

API to rotate the access token is unaffected, as clients can specify the expiry date as a parameter. This issue only affects the web UI.

### Steps to reproduce

This should equally apply to Group Access Token, Project Access Token, and Personal Access Token, but for illustration purposes, a Group Access Token is used.

1. As an Admin, ensure that the [maximum lifetime of access tokens](https://docs.gitlab.com/administration/settings/account_and_limit_settings/#limit-the-lifetime-of-access-tokens) is set to 365 days, or a similarly high value
2. Create a Group Access Token with a long expiry date that is allowed by the lifetime, such as 365 days
3. As an Admin, [reduce the maximum lifetime of access tokens](https://docs.gitlab.com/administration/settings/account_and_limit_settings/#limit-the-lifetime-of-access-tokens) to lower than the validity period of the access token, such as 180 days
4. Go to the Group Settings, Access Tokens, and click the rotate icon for the group access token.

### Example Project

I can't reproduce it on GitLab.com because it's not possible to reduce the lifetime limit. That's only supported on Self-Managed and Dedicated according to https://docs.gitlab.com/administration/settings/account_and_limit_settings/#limit-the-lifetime-of-access-tokens

### What is the current _bug_ behavior?

The PUT request to `/groups/:path/-/settings/access_tokens/:token_id/rotate` returns an HTTP 422 with the response body `{"message":"Expiration date must be before yyyy-mm-dd"}`, where the date is the maximum expiry date permitted by the current lifetime limit.

The UI shows the error message `Expiration date must be before yyyy-mm-dd`.

The token rotation fails.

### What is the expected _correct_ behavior?

EITHER allow to specify the expiry date during rotation, OR automatically use the lesser of the currently maximum allowed lifetime, or the access token's current validity duration.

The token rotation succeeds.

### Output of checks

#### Results of GitLab environment info

Encountered on GitLab Dedicated on v17.10.6-ee

### Possible fixes

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/services/personal_access_tokens/rotate_service.rb#L83-88

The current implementation always uses exactly the validity period that the access token has now, in order to calculate the new expiry date. When the lifetime limit reduces, this may fail.
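
The failure and the second proposed behaviour from the report, as an added Ruby example; this is not GitLab's `rotate_service.rb` and not the reporter's code. The `Token` struct, the method names, the dates, and the readings that "validity period" means `expires_at - created_at` and that the limit date itself is accepted are all assumptions made for illustration.

```ruby
require "date"

# Constructed model of the behaviour described in the issue (not GitLab code).
Token = Struct.new(:created_at, :expires_at) do
  # Validity duration, in days, that the token was issued with (assumed meaning).
  def validity_days
    (expires_at - created_at).to_i
  end
end

class ExpiryError < StandardError; end

# Latest expiry the instance-wide lifetime limit permits for a token issued today.
def max_expiry_date(today, max_lifetime_days)
  today + max_lifetime_days
end

# Mirrors the 422 from the report: reject an expiry beyond the current limit.
def validate_expiry!(expires_at, today, max_lifetime_days)
  limit = max_expiry_date(today, max_lifetime_days)
  raise ExpiryError, "Expiration date must be before #{limit.iso8601}" if expires_at > limit
  expires_at
end

# Behaviour described under "Possible fixes": reuse the old validity duration as-is.
def rotate_reusing_duration(token, today, max_lifetime_days)
  validate_expiry!(today + token.validity_days, today, max_lifetime_days)
end

# Second option under "expected correct behavior": the lesser of the two durations.
def rotate_clamped(token, today, max_lifetime_days)
  days = [token.validity_days, max_lifetime_days].min
  validate_expiry!(today + days, today, max_lifetime_days)
end

# Constructed scenario from the steps to reproduce: 365-day token, limit cut to 180.
def demo
  issued = Date.new(2025, 1, 1)
  today  = Date.new(2025, 3, 1)
  token  = Token.new(issued, issued + 365)
  before = begin
    rotate_reusing_duration(token, today, 180)
  rescue ExpiryError => e
    e.message
  end
  { before: before, after: rotate_clamped(token, today, 180) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Clamping never extends a token: a token issued for fewer days than the limit keeps its original duration on rotation.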