From 51b79bdb4ae60b1850989cca8eb4190d785408b0 Mon Sep 17 00:00:00 2001
From: Joe Woodward
Date: Thu, 11 May 2023 21:38:36 +0100
Subject: Configure a default ttl for personal access tokens
Prior to this change personal access tokens without a ttl would never expire. In Gitlab 15.4 we deprecated non-expiring tokens and are scheduled for removal in 16.0. https://gitlab.com/gitlab-org/gitlab/-/issues/369122 This change alters the gitlab-shell command for creating tokens to ensure add a default limit of 30 days. Closes https://gitlab.com/gitlab-org/gitlab-shell/-/issues/640
---
 cmd/gitlab-sshd/acceptance_test.go | 4 ++--
 internal/command/personalaccesstoken/personalaccesstoken.go | 7 ++-----
 .../command/personalaccesstoken/personalaccesstoken_test.go | 2 +-
 spec/gitlab_shell_personal_access_token_spec.rb | 11 ++++++-----
 4 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/cmd/gitlab-sshd/acceptance_test.go b/cmd/gitlab-sshd/acceptance_test.go
index acd6991..1d366ff 100644
--- a/cmd/gitlab-sshd/acceptance_test.go
+++ b/cmd/gitlab-sshd/acceptance_test.go
@@ -357,7 +357,7 @@ func TestPersonalAccessTokenSuccess(t *testing.T) {
 handler := customHandler{
 url: "/api/v4/internal/personal_access_token",
 caller: func(w http.ResponseWriter, _ *http.Request) {
- fmt.Fprint(w, `{"success": true, "token": "testtoken", "scopes": ["api"], "expires_at": ""}`)
+ fmt.Fprint(w, `{"success": true, "token": "testtoken", "scopes": ["api"], "expires_at": "9001-01-01"}`)
 },
 }
 client := runSSHD(t, successAPI(t, handler))
@@ -368,7 +368,7 @@ func TestPersonalAccessTokenSuccess(t *testing.T) {
 output, err := session.Output("personal_access_token test api")
 require.NoError(t, err)
- require.Equal(t, "Token: testtoken\nScopes: api\nExpires: never\n", string(output))
+ require.Equal(t, "Token: testtoken\nScopes: api\nExpires: 9001-01-01\n", string(output))
 }
 func TestTwoFactorAuthRecoveryCodesSuccess(t *testing.T) {
diff --git a/internal/command/personalaccesstoken/personalaccesstoken.go b/internal/command/personalaccesstoken/personalaccesstoken.go
index 2d38774..fcf7dda 100644
--- a/internal/command/personalaccesstoken/personalaccesstoken.go
+++ b/internal/command/personalaccesstoken/personalaccesstoken.go
@@ -51,11 +51,7 @@ func (c *Command) Execute(ctx context.Context) error {
 fmt.Fprint(c.ReadWriter.Out, "Token: "+response.Token+"\n")
 fmt.Fprint(c.ReadWriter.Out, "Scopes: "+strings.Join(response.Scopes, ",")+"\n")
- if response.ExpiresAt == "" {
- fmt.Fprint(c.ReadWriter.Out, "Expires: never\n")
- } else {
- fmt.Fprint(c.ReadWriter.Out, "Expires: "+response.ExpiresAt+"\n")
- }
+ fmt.Fprint(c.ReadWriter.Out, "Expires: "+response.ExpiresAt+"\n")
 return nil
 }
@@ -69,6 +65,7 @@ func (c *Command) parseTokenArgs() error {
 }
 if len(c.Args.SshArgs) < 4 {
+ c.TokenArgs.ExpiresDate = time.Now().AddDate(0, 0, 30).Format(expiresDateFormat)
 return nil
 }
 rawTTL := c.Args.SshArgs[3]
diff --git a/internal/command/personalaccesstoken/personalaccesstoken_test.go b/internal/command/personalaccesstoken/personalaccesstoken_test.go
index 492f745..c3434ce 100644
--- a/internal/command/personalaccesstoken/personalaccesstoken_test.go
+++ b/internal/command/personalaccesstoken/personalaccesstoken_test.go
@@ -111,7 +111,7 @@ func TestExecute(t *testing.T) {
 },
 expectedOutput: "Token: YXuxvUgCEmeePY3G1YAa\n" +
 "Scopes: read_api,read_repository\n" +
- "Expires: never\n",
+ "Expires: 9001-11-17\n",
 },
 {
 desc: "With a ttl argument",
diff --git a/spec/gitlab_shell_personal_access_token_spec.rb b/spec/gitlab_shell_personal_access_token_spec.rb
index 64bc34b..ba528a1 100644
--- a/spec/gitlab_shell_personal_access_token_spec.rb
+++ b/spec/gitlab_shell_personal_access_token_spec.rb
@@ -2,6 +2,7 @@ require_relative 'spec_helper'
 require 'json'
 require 'open3'
+require 'date'
 describe 'bin/gitlab-shell personal_access_token' do
 include_context 'gitlab shell'
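Review bot: In Execute (internal/command/personalaccesstoken/personalaccesstoken.go), the `Expires:` line is now written unconditionally, so an empty `response.ExpiresAt` prints a bare `Expires: ` and the user gets no signal that the token has no expiry. The client now always sends a date, but the printed value is whatever the internal API returned and nothing in this hunk checks it. Consider an explicit fallback before the print, for example `expires := response.ExpiresAt` followed by `if expires == "" { expires = "not set" }`, and keep one test for the empty case, since this commit changes the fixtures that previously returned `"expires_at": ""`. Execute begins above the hunk.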
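Review bot: The default expiry added in parseTokenArgs is today plus exactly 30 days, while the spec updated in this same commit expects `Date.today + 61` for an explicit ttl of 60, which suggests the explicit path (below the hunk, not visible here) adds ttl+1 days. If that is the case, `newtoken api` and `newtoken api 30` produce different dates; it is worth confirming which is intended and routing both paths through one calculation. The literal 30 would also read better as a named constant, e.g. `const defaultTokenTTLDays = 30`, used as `time.Now().AddDate(0, 0, defaultTokenTTLDays)`. Because this default is applied only on the gitlab-shell side, the internal API should still refuse or cap requests that arrive without `expires_at`; that enforcement is not visible in this patch.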
@@ -24,7 +25,7 @@ describe 'bin/gitlab-shell personal_access_token' do
 success: true,
 token: 'aAY1G3YPeemECgUvxuXY',
 scopes: params['scopes'],
- expires_at: (params['expires_at'] && '9001-12-01')
+ expires_at: params['expires_at']
 }.to_json
 end
 end
@@ -78,23 +79,23 @@ describe 'bin/gitlab-shell personal_access_token' do
 context 'without a ttl argument' do
 let(:args) { 'newtoken api' }
- it 'prints a token without an expiration date' do
+ it 'prints a token with a 30 day expiration date' do
 expect(output).to eq(<<~OUTPUT)
 Token: aAY1G3YPeemECgUvxuXY
 Scopes: api
- Expires: never
+ Expires: #{(Date.today + 30).iso8601}
 OUTPUT
 end
 end
 context 'with a ttl argument' do
- let(:args) { 'newtoken read_api,read_user 30' }
+ let(:args) { 'newtoken read_api,read_user 60' }
 it 'prints a token with an expiration date' do
 expect(output).to eq(<<~OUTPUT)
 Token: aAY1G3YPeemECgUvxuXY
 Scopes: read_api,read_user
- Expires: 9001-12-01
+ Expires: #{(Date.today + 61).iso8601}
 OUTPUT
 end
 end
-- cgit v1.2.1
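Review bot: Both expectations in the last hunk of spec/gitlab_shell_personal_access_token_spec.rb compute the date with `Date.today` in the spec process, while gitlab-shell derives it from its own clock when the command runs, so the examples can fail if a run straddles midnight or the two sides resolve the date in different time zones. If the clock cannot be pinned for the child process, a comment such as `# Date.today must match the date gitlab-shell computes at run time; may fail across midnight` at least records the assumption. The `+ 61` for a ttl of 60 sitting next to `+ 30` for the default also deserves a one-line comment explaining the extra day, because the two cases otherwise look inconsistent.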