Programming exercises: Automatically renew personal access token for GitLab #8175
Conversation
Walkthrough
The update introduces a comprehensive system for managing Version Control System (VCS) access tokens, specifically targeting GitLab personal access tokens. It includes mechanisms for token creation, renewal, and expiry management. This enhancement integrates services and repositories to handle user access tokens efficiently, ensuring secure and up-to-date access to GitLab repositories. The changes streamline GitLab integration within the platform, improving security and user management through automated token lifecycle processes.
Thanks for implementing the suggested changes. Code looks good now. 👍
I noticed another small but important thing on the re-review though.
src/main/java/de/tum/in/www1/artemis/service/connectors/vcs/VcsTokenRenewalService.java
Code looks good now. 👍
Code looks good to me.
Tested on TS6. Works as expected, great work!
We also tested this PR on an Artemis+GitLab test server at Uni Passau since testing this on a GitHub-deployed testserver is not really possible.
Code looks good to me 👍
Checklist
General
Server
Changes affecting Programming Exercises
Motivation and Context
GitLab recently introduced a lifetime limit for personal access tokens, see https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/. All previously created personal access tokens will expire on May 14, 2024. Therefore, personal access tokens now have to be periodically renewed, as described by #7954.
Description
As it has been decided in #7954, we now store the expiration date of VCS access tokens in the user table. The class VcsTokenRenewalService implements the periodic renewal of expiring or already expired access tokens. Using the abstract class VcsTokenManagementService as suggested to me by @b-fein, an interface for creating and renewing access tokens is provided independent of the used VCS, enabling extensibility for other VCSs in the future if necessary (see #8103).
While reworking the code for managing personal access tokens, I also fixed a todo stating that the programmatic GitLab API should be used instead of manual HTTP requests for creating personal access tokens. Unfortunately, listing and revoking personal access tokens is not (yet?) supported by this programmatic GitLab API, so I had to perform those requests manually.
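The renewal flow the description outlines (a VCS-independent abstract token service, a scheduled renewal pass driven by the expiry date stored per user, and revoke+create instead of GitLab's rotate request), as an added sketch that is not Artemis's own code. All class, method and field names, the renewal window and the token lifetime below are assumptions for this illustration.

```java
// Added sketch of the renewal design described in this PR; not Artemis code.
// Assumed names: User, UserRepository, VcsTokenManagementService, VcsTokenRenewalService.
import java.time.Duration;
import java.time.ZonedDateTime;
import java.util.List;

class User {
    String login;
    String vcsAccessToken;                  // null if no token was ever created
    ZonedDateTime vcsAccessTokenExpiryDate; // kept in the user table, as decided in #7954
}

interface UserRepository {
    // Users whose token is missing or expires before the given instant.
    List<User> findWithVcsAccessTokenExpiringBefore(ZonedDateTime instant);
}

// VCS-independent contract; a GitLab implementation provides the concrete calls.
abstract class VcsTokenManagementService {
    // Creates a token with the given lifetime and writes token + expiry into the user.
    abstract void createAccessToken(User user, Duration lifetime);

    abstract void revokeAccessToken(User user);

    // Two requests (revoke, then create) on purpose: GitLab's single rotate request
    // enables automatic reuse detection, which revokes the new token as soon as the
    // old one is presented again, e.g. by a cached HTTPS credential on a push/pull.
    void renewAccessToken(User user, Duration lifetime) {
        revokeAccessToken(user);
        createAccessToken(user, lifetime);
    }
}

class VcsTokenRenewalService {
    static final Duration RENEWAL_WINDOW = Duration.ofDays(28);  // assumed value
    static final Duration TOKEN_LIFETIME = Duration.ofDays(365); // assumed value

    private final UserRepository users;
    private final VcsTokenManagementService tokens;

    VcsTokenRenewalService(UserRepository users, VcsTokenManagementService tokens) {
        this.users = users;
        this.tokens = tokens;
    }

    // Run on a schedule (e.g. Spring's @Scheduled); renews tokens that expire
    // within RENEWAL_WINDOW and creates tokens for users that have none yet.
    void renewAllVcsAccessTokens() {
        ZonedDateTime cutoff = ZonedDateTime.now().plus(RENEWAL_WINDOW);
        for (User user : users.findWithVcsAccessTokenExpiringBefore(cutoff)) {
            if (user.vcsAccessToken == null) tokens.createAccessToken(user, TOKEN_LIFETIME);
            else tokens.renewAccessToken(user, TOKEN_LIFETIME);
        }
    }
}
```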
Furthermore, note that although there exists a request type Rotate for effectively revoking and creating a personal access token in one single request instead of two (revoke+create), this was not used due to GitLab's use of so-called Automatic reuse detection (see also https://docs.gitlab.com/ee/api/personal_access_tokens.html#automatic-reuse-detection): When rotating a personal access token, GitLab stores all previous access tokens and revokes the currently active one if there occurs a usage attempt of a prior access token. This feature is said to strengthen security against access token leaks, but it is unsuitable for our use case, where an accidental reuse of a prior access token is quite likely, e.g. when they are used to push/pull over HTTPS.
Steps for Testing
Prerequisites:
- version-control-access-token set to true in the Artemis configuration
- VcsTokenRenewalService.java, change line 58 from
- psql for a Postgres database. This is necessary to simulate an expiring access token.
- <username> be the login name of that student.
Test Coverage
GitLabPersonalAccessTokenManagementService
GitlabUserManagementService
VcsTokenRenewalService
Summary by CodeRabbit
VcsTokenRenewalService for renewing and creating VCS access tokens on a scheduled task.