Add a banner informing about token expiration

Display a banner to all users, similar to broadcast banners, for GitLab version between 16.0 and 17.0, both included. The banner informs about upcoming expiration of tokens and how to troubleshoot the expiration. The banner is dismissable. The data is persisted in the browser cookie and expires in one year from the date it has been dismissed. Like other broadcast banners, if the user opens an incognito window the banner reappears. Changelog: changed

Add a banner informing about token expiration
c42702ce · Eduardo Sanz-Garcia · GitLab · 9022a67e · c42702ce · c42702ce
Unverified Commit c42702ce authored 7 months ago by Eduardo Sanz-Garcia Committed by GitLab 7 months ago
--- a/app/components/pajamas/broadcast_banner_component.html.haml
+++ b/app/components/pajamas/broadcast_banner_component.html.haml
+.gl-broadcast-message.broadcast-banner-message.banner{ role: 'alert',
+  class: "js-broadcast-notification-#{@id} #{@theme}", data: { testid: 'banner-broadcast-message' } }
+  .gl-broadcast-message-content
+    .gl-broadcast-message-icon
+      = sprite_icon('bullhorn')
+    .gl-broadcast-message-text
+      %h2.gl-sr-only= _('Admin message')
+      = @message
+  - if @dismissable
+    = render Pajamas::ButtonComponent.new(category: :tertiary,
+      icon: 'close',
+      size: :small,
+      button_options: { class: 'gl-close-btn-color-inherit gl-broadcast-message-dismiss js-dismiss-current-broadcast-notification',
+        'aria-label': _('Close'),
+        data: { id: @id,
+                expire_date: @expire_date,
+                dismissal_path: @dismissal_path,
+                cookie_key: @cookie_key } },
+      icon_classes: 'gl-text-white')
--- a/app/components/pajamas/broadcast_banner_component.rb
+++ b/app/components/pajamas/broadcast_banner_component.rb
+# frozen_string_literal: true
+
+module Pajamas
+  class BroadcastBannerComponent < Pajamas::Component
+    # @param [String] message
+    # @param [String] id
+    # @param [String] theme
+    # @param [Boolean] dismissable
+    # @param [String] expire_date
+    # @param [String] cookie_key
+    # @param [String] dismissal_path
+    def initialize(message:, id:, theme:, dismissable:, expire_date:, cookie_key:, dismissal_path: nil)
+      @message = message
+      @id = id
+      @theme = theme
+      @dismissable = dismissable
+      @expire_date = expire_date
+      @cookie_key = cookie_key
+      @dismissal_path = dismissal_path
+    end
+
+    delegate :sprite_icon, to: :helpers
+  end
+end
--- a/app/helpers/access_tokens_helper.rb
+++ b/app/helpers/access_tokens_helper.rb
@@ -33,6 +33,10 @@ def expires_at_field_data
      min_date: 1.day.from_now.iso8601
    }
  end
+
+  def show_token_expiration_banner?
+    Gitlab::Auth::TokenExpirationBanner.show_token_expiration_banner?
+  end
 end
  
 AccessTokensHelper.prepend_mod
--- a/app/views/layouts/_page.html.haml
+++ b/app/views/layouts/_page.html.haml
@@ -26,6 +26,7 @@
      = dispensable_render_if_exists "layouts/header/licensed_user_count_threshold"
      = dispensable_render_if_exists "layouts/header/token_expiry_notification"
      = dispensable_render "shared/projects/inactive_project_deletion_alert"
+      = dispensable_render_if_exists "shared/token_expiration_banner"
      = dispensable_render "layouts/broadcast"
      = dispensable_render "layouts/header/read_only_banner"
      = dispensable_render "layouts/header/registration_enabled_callout"

--- a/app/views/shared/_token_expiration_banner.html.haml
+++ b/app/views/shared/_token_expiration_banner.html.haml
+- id = 'token_expiration_banner'
+- cookie_key = 'hide_broadcast_message_token_expiration_banner'
+
+- return unless show_token_expiration_banner?
+- return unless cookies[cookie_key].blank?
+
+-# rubocop:disable Gitlab/DocUrl -- This documentation section is only available in version 17.1 onward.
+- link = link_to('', 'https://docs.gitlab.com/ee/security/token_overview.html#troubleshooting', target: '_blank', rel: 'noopener noreferrer')
+-# rubocop:enable Gitlab/DocUrl
+- message = safe_format(s_('AccessTokens|GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our %{link_start}documentation%{link_end}.'), tag_pair(link, :link_start, :link_end))
+= render Pajamas::BroadcastBannerComponent.new(message: message, id: id, theme: 'light-indigo', dismissable: true, expire_date: Time.now.next_year.iso8601, cookie_key: cookie_key)
--- a/doc/administration/environment_variables.md
+++ b/doc/administration/environment_variables.md
@@ -39,6 +39,7 @@ You can use the following environment variables to override certain values:
 | `RAILS_ENV`                                | string  | The Rails environment; can be one of `production`, `development`, `staging`, or `test`.                 |
 | `GITLAB_RAILS_CACHE_DEFAULT_TTL_SECONDS` | integer | The default TTL used for entries stored in the Rails-cache. Default is `28800`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95042) in 15.3. |
 | `GITLAB_CI_CONFIG_FETCH_TIMEOUT_SECONDS` | integer | Timeout for resolving remote includes in CI config in seconds. Must be between `0` and `60`. Default is `30`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116383) in 15.11. |
+| `GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER` | string | If set to `true`, `1`, or `yes`, the token expiration banner is not shown. Default is `false`. |
  
 ## Adding more variables
  

--- a/lib/gitlab/auth/token_expiration_banner.rb
+++ b/lib/gitlab/auth/token_expiration_banner.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module TokenExpirationBanner
+      module_function
+
+      # rubocop:disable Gitlab/ModuleWithInstanceVariables, CodeReuse/ActiveRecord -- simple query and should be memoized per app boot
+      def show_token_expiration_banner?
+        return @show_token_expiration_banner unless @show_token_expiration_banner.nil?
+
+        if %w[1 yes true].include?(ENV.fetch('GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER', false))
+          @show_token_expiration_banner = false
+          return @show_token_expiration_banner
+        end
+
+        unless Gitlab.version_info >= Gitlab::VersionInfo.new(16, 0) &&
+            Gitlab.version_info < Gitlab::VersionInfo.new(17, 1)
+          @show_token_expiration_banner = false
+          return @show_token_expiration_banner
+        end
+
+        @show_token_expiration_banner = Gitlab::Database::BackgroundMigration::BatchedMigration.where(
+          job_class_name: 'CleanupPersonalAccessTokensWithNilExpiresAt'
+        ).exists?
+      end
+      # rubocop:enable Gitlab/ModuleWithInstanceVariables, CodeReuse/ActiveRecord
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2442,6 +2442,9 @@ msgstr ""
 msgid "AccessTokens|For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members."
 msgstr ""
  
+msgid "AccessTokens|GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our %{link_start}documentation%{link_end}."
+msgstr ""
+
 msgid "AccessTokens|Incoming email token"
 msgstr ""
  
--- a/spec/components/pajamas/broadcast_banner_component_spec.rb
+++ b/spec/components/pajamas/broadcast_banner_component_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Pajamas::BroadcastBannerComponent, :aggregate_failures, type: :component, feature_category: :navigation do
+  before do
+    render_inline described_class.new(message: message,
+      id: id,
+      theme: theme,
+      dismissable: dismissable,
+      expire_date: expire_date,
+      cookie_key: cookie_key,
+      dismissal_path: dismissal_path
+    )
+  end
+
+  let(:message) { '_message_' }
+  let(:id) { '_99_' }
+  let(:theme) { '_theme_' }
+  let(:dismissable) { true }
+  let(:expire_date) { Time.now.iso8601 }
+  let(:cookie_key) { '_cookie_key_' }
+  let(:dismissal_path) { '/-/my-path' }
+
+  it 'sets the correct classes' do
+    expect(page).to have_selector(".js-broadcast-notification-#{id}")
+    expect(page).to have_selector(".#{theme}")
+  end
+
+  it 'contains a screen reader message' do
+    expect(page).to have_selector('.gl-sr-only', text: _('Admin message'))
+  end
+
+  it 'sets the message' do
+    expect(page).to have_content(message)
+  end
+
+  context 'when dismissable is true' do
+    it 'display close button' do
+      expect(page).to have_selector('button.js-dismiss-current-broadcast-notification')
+      expect(page).to have_selector("button[data-id='#{id}']")
+      expect(page).to have_selector("button[data-expire-date='#{expire_date}']")
+      expect(page).to have_selector("button[data-dismissal-path='#{dismissal_path}']")
+      expect(page).to have_selector("button[data-cookie-key='#{cookie_key}']")
+    end
+
+    context 'when dismissal_path is no set' do
+      let(:dismissal_path) { nil }
+
+      it 'display close button' do
+        expect(page).not_to have_selector("button[data-dismissal-path='#{dismissal_path}']")
+      end
+    end
+  end
+
+  context 'when dismissable is false' do
+    let(:dismissable) { false }
+
+    it 'does not display close button' do
+      expect(page).not_to have_selector('button.js-dismiss-current-broadcast-notification')
+    end
+  end
+end
--- a/spec/components/previews/pajamas/broadcast_banner_component_preview.rb
+++ b/spec/components/previews/pajamas/broadcast_banner_component_preview.rb
+# frozen_string_literal: true
+
+module Pajamas
+  class BroadcastBannerComponentPreview < ViewComponent::Preview
+    # @param message text
+    # @param id text
+    # @param theme text
+    # @param dismissable toggle
+    # @param expire_date text
+    # @param cookie_key text
+    # @param dismissal_path text
+    def default(
+      message: 'Message for the broadcast banner',
+      id: '99',
+      theme: 'light-indigo',
+      dismissable: true,
+      expire_date: Time.now.next_year.iso8601,
+      cookie_key: 'my_cookie',
+      dismissal_path: '/my-path'
+    )
+      render(Pajamas::BroadcastBannerComponent.new(
+        message: message,
+        id: id,
+        theme: theme,
+        dismissable: dismissable,
+        expire_date: expire_date,
+        cookie_key: cookie_key,
+        dismissal_path: dismissal_path
+      ))
+    end
+  end
+end
--- a/spec/helpers/access_tokens_helper_spec.rb
+++ b/spec/helpers/access_tokens_helper_spec.rb
@@ -72,4 +72,12 @@
      })
    end
  end
+
+  describe '#show_token_expiration_banner?' do
+    it 'calls the singleton method from the module' do
+      expect(Gitlab::Auth::TokenExpirationBanner).to receive(:show_token_expiration_banner?)
+
+      helper.show_token_expiration_banner?
+    end
+  end
 end
--- a/spec/lib/gitlab/auth/token_expiration_banner_spec.rb
+++ b/spec/lib/gitlab/auth/token_expiration_banner_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::TokenExpirationBanner, feature_category: :system_access do
+  describe '.show_token_expiration_banner?' do
+    subject(:show_token_expiration_banner) { described_class.show_token_expiration_banner? }
+
+    let(:gitlab_version) { Gitlab::VersionInfo.new(16, 0) }
+    let(:model_class) { Gitlab::Database::BackgroundMigration::BatchedMigration }
+
+    # this method is meant to be memoized on app boot and not changed
+    # for specs, we need to reset it each time
+    before do
+      described_class.instance_variable_set(:@show_token_expiration_banner, nil)
+      allow(Gitlab).to receive(:version_info).twice.and_return(gitlab_version)
+    end
+
+    it { is_expected.to be(false) }
+
+    it 'memoizes results' do
+      expect(described_class.show_token_expiration_banner?).to be(false)
+      expect(model_class).not_to receive(:where)
+
+      # Second call shouldn't trigger database query
+      expect(show_token_expiration_banner).to be(false)
+    end
+
+    context 'when the batched migration is present in the db' do
+      before do
+        create(
+          :batched_background_migration,
+          job_class_name: 'CleanupPersonalAccessTokensWithNilExpiresAt'
+        )
+      end
+
+      it { is_expected.to be(true) }
+
+      it 'memoizes results' do
+        expect(described_class.show_token_expiration_banner?).to be(true)
+        expect(model_class).not_to receive(:where)
+
+        # Second call shouldn't trigger database query
+        expect(show_token_expiration_banner).to be(true)
+      end
+
+      context 'when banner is disabled by env var' do
+        before do
+          stub_env('GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER', '1')
+        end
+
+        it { is_expected.to be(false) }
+      end
+
+      context 'when not in affected version range' do
+        let(:gitlab_version) { Gitlab::VersionInfo.new(17, 2) }
+
+        it { is_expected.to be(false) }
+      end
+    end
+  end
+end
--- a/spec/views/shared/_token_expiration_banner.html.haml_spec.rb
+++ b/spec/views/shared/_token_expiration_banner.html.haml_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'shared/_token_expiration_banner.html.haml', feature_category: :system_access do
+  context 'when all conditions are true' do
+    before do
+      allow(view).to receive(:show_token_expiration_banner?).and_return(true)
+      allow(view).to receive(:cookies).and_return({ 'hide_broadcast_message_token_expiration_banner' => nil })
+    end
+
+    it 'renders banner' do
+      render 'shared/token_expiration_banner'
+
+      expect(rendered).to have_content 'GitLab now enforces expiry dates on tokens'
+    end
+  end
+end