Update the token expiration banner

Reviews in 16.0-17.0 backports have introduced a few changes and we
would like to bring those to master:

- hide banner depending on `GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER` env
  variable
- hide banner on tests
- updated banner message and use a namespace
- correct GitLab version check

app/helpers/access_tokens_helper.rb

@@ -40,6 +40,10 @@ def expires_at_field_data
       min_date: 1.day.from_now.iso8601
     }
   end
+
+  def show_token_expiration_banner?
+    Gitlab::Auth::TokenExpirationBanner.show_token_expiration_banner?
+  end
 end
 AccessTokensHelper.prepend_mod

app/views/shared/_token_expiration_banner.html.haml

 - id = 'token_expiration_banner'
 - cookie_key = 'hide_broadcast_message_token_expiration_banner'
-- return if local_assigns.fetch(:hide, Rails.env.test?)
-- return unless Gitlab.version_info >= Gitlab::VersionInfo.new(16, 0) && Gitlab.version_info < Gitlab::VersionInfo.new(17, 1)
+- return unless show_token_expiration_banner?
 - return unless cookies[cookie_key].blank?
 -# rubocop:disable Gitlab/DocUrl -- This documentation section is only available in version 17.1 onward.
 - link = link_to('', 'https://docs.gitlab.com/ee/security/token_overview.html#troubleshooting', target: '_blank', rel: 'noopener noreferrer')
 -# rubocop:enable Gitlab/DocUrl
-- message = safe_format(_('GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption, please take a look at our %{link_start}documentation%{link_end}.'), tag_pair(link, :link_start, :link_end))
+- message = safe_format(s_('AccessTokens|GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our %{link_start}documentation%{link_end}.'), tag_pair(link, :link_start, :link_end))
 = render Pajamas::BroadcastBannerComponent.new(message: message, id: id, theme: 'light-indigo', dismissable: true, expire_date: Time.now.next_year.iso8601, cookie_key: cookie_key)

doc/administration/environment_variables.md

@@ -39,6 +39,7 @@ You can use the following environment variables to override certain values:
 | `RAILS_ENV`                                | string  | The Rails environment; can be one of `production`, `development`, `staging`, or `test`.                 |
 | `GITLAB_RAILS_CACHE_DEFAULT_TTL_SECONDS` | integer | The default TTL used for entries stored in the Rails-cache. Default is `28800`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95042) in 15.3. |
 | `GITLAB_CI_CONFIG_FETCH_TIMEOUT_SECONDS` | integer | Timeout for resolving remote includes in CI config in seconds. Must be between `0` and `60`. Default is `30`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116383) in 15.11. |
+| `GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER`   | string  | If set to `true`, `1`, or `yes`, the token expiration banner is not shown. Default is `false`. |
 ## Adding more variables

lib/gitlab/auth/token_expiration_banner.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module TokenExpirationBanner
+      module_function
+
+      # rubocop:disable Gitlab/ModuleWithInstanceVariables, CodeReuse/ActiveRecord -- simple query and should be memoized per app boot
+      def show_token_expiration_banner?
+        return @show_token_expiration_banner unless @show_token_expiration_banner.nil?
+
+        if %w[1 yes true].include?(ENV.fetch('GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER', false))
+          @show_token_expiration_banner = false
+          return @show_token_expiration_banner
+        end
+
+        unless Gitlab.version_info >= Gitlab::VersionInfo.new(16, 0) &&
+            Gitlab.version_info < Gitlab::VersionInfo.new(17, 1)
+          @show_token_expiration_banner = false
+          return @show_token_expiration_banner
+        end
+
+        @show_token_expiration_banner = Gitlab::Database::BackgroundMigration::BatchedMigration.where(
+          job_class_name: 'CleanupPersonalAccessTokensWithNilExpiresAt'
+        ).exists?
+      end
+      # rubocop:enable Gitlab/ModuleWithInstanceVariables, CodeReuse/ActiveRecord
+    end
+  end
+end

locale/gitlab.pot

@@ -2558,6 +2558,9 @@ msgstr ""
 msgid "AccessTokens|For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members."
 msgstr ""
+msgid "AccessTokens|GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our %{link_start}documentation%{link_end}."
+msgstr ""
+
 msgid "AccessTokens|Incoming email token"
 msgstr ""
@@ -21973,9 +21976,6 @@ msgstr ""
 msgid "GitLab metadata URL"
 msgstr ""
-msgid "GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption, please take a look at our %{link_start}documentation%{link_end}."
-msgstr ""
-
 msgid "GitLab project export"
 msgstr ""

spec/components/pajamas/broadcast_banner_component_spec.rb

@@ -3,8 +3,6 @@
 require 'spec_helper'
 RSpec.describe Pajamas::BroadcastBannerComponent, :aggregate_failures, type: :component, feature_category: :navigation do
-  include Features::DomHelpers
-
   before do
     render_inline described_class.new(message: message,
       id: id,

spec/helpers/access_tokens_helper_spec.rb

@@ -73,4 +73,12 @@
       })
     end
   end
+
+  describe '#show_token_expiration_banner?' do
+    it 'calls the singleton method from the module' do
+      expect(Gitlab::Auth::TokenExpirationBanner).to receive(:show_token_expiration_banner?)
+
+      helper.show_token_expiration_banner?
+    end
+  end
 end

spec/lib/gitlab/auth/token_expiration_banner_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Auth::TokenExpirationBanner, feature_category: :system_access do
+  describe '.show_token_expiration_banner?' do
+    subject(:show_token_expiration_banner) { described_class.show_token_expiration_banner? }
+
+    let(:gitlab_version) { Gitlab::VersionInfo.new(16, 0) }
+    let(:model_class) { Gitlab::Database::BackgroundMigration::BatchedMigration }
+
+    # this method is meant to be memoized on app boot and not changed
+    # for specs, we need to reset it each time
+    before do
+      described_class.instance_variable_set(:@show_token_expiration_banner, nil)
+      allow(Gitlab).to receive(:version_info).twice.and_return(gitlab_version)
+    end
+
+    it { is_expected.to be(false) }
+
+    it 'memoizes results' do
+      expect(described_class.show_token_expiration_banner?).to be(false)
+      expect(model_class).not_to receive(:where)
+
+      # Second call shouldn't trigger database query
+      expect(show_token_expiration_banner).to be(false)
+    end
+
+    context 'when the batched migration is present in the db' do
+      before do
+        create(
+          :batched_background_migration,
+          job_class_name: 'CleanupPersonalAccessTokensWithNilExpiresAt'
+        )
+      end
+
+      it { is_expected.to be(true) }
+
+      it 'memoizes results' do
+        expect(described_class.show_token_expiration_banner?).to be(true)
+        expect(model_class).not_to receive(:where)
+
+        # Second call shouldn't trigger database query
+        expect(show_token_expiration_banner).to be(true)
+      end
+
+      context 'when banner is disabled by env var' do
+        before do
+          stub_env('GITLAB_DISABLE_TOKEN_EXPIRATION_BANNER', '1')
+        end
+
+        it { is_expected.to be(false) }
+      end
+
+      context 'when not in affected version range' do
+        let(:gitlab_version) { Gitlab::VersionInfo.new(17, 2) }
+
+        it { is_expected.to be(false) }
+      end
+    end
+  end
+end

spec/views/shared/_token_expiration_banner.html.haml_spec.rb

@@ -3,27 +3,14 @@
 require 'spec_helper'
 RSpec.describe 'shared/_token_expiration_banner.html.haml', feature_category: :system_access do
-  context 'when GitLab version is >= 16.0' do
+  context 'when all conditions are true' do
     before do
-      allow(Gitlab).to receive(:version_info).and_return(Gitlab::VersionInfo.new(16, 0))
+      allow(view).to receive(:show_token_expiration_banner?).and_return(true)
       allow(view).to receive(:cookies).and_return({ 'hide_broadcast_message_token_expiration_banner' => nil })
     end
     it 'renders banner' do
-      render 'shared/token_expiration_banner', hide: false
-
-      expect(rendered).to have_content 'GitLab now enforces expiry dates on tokens'
-    end
-  end
-
-  context 'when GitLab version is <= 17.0' do
-    before do
-      allow(Gitlab).to receive(:version_info).and_return(Gitlab::VersionInfo.new(17, 0))
-      allow(view).to receive(:cookies).and_return({ 'hide_broadcast_message_token_expiration_banner' => nil })
-    end
-
-    it 'renders banner' do
-      render 'shared/token_expiration_banner', hide: false
+      render 'shared/token_expiration_banner'
       expect(rendered).to have_content 'GitLab now enforces expiry dates on tokens'
     end