Programming exercises: Automatically renew personal access token for GitLab #8175

Merged
merged 55 commits into from
Mar 19, 2024

Conversation

R3dError
Contributor

@R3dError R3dError commented Mar 11, 2024

Checklist

General

Server

  • Important: I implemented the changes with a very good performance and prevented too many (unnecessary) database calls.
  • I strictly followed the server coding and design guidelines.
  • I added multiple integration tests (Spring) related to the features (with a high test coverage).
  • I documented the Java code using JavaDoc style.

Changes affecting Programming Exercises

  • High priority: I tested all changes and their related features with all corresponding user types on a test server configured with the integrated lifecycle setup (LocalVC and LocalCI).
  • I tested all changes and their related features with all corresponding user types on a test server configured with Gitlab and Jenkins.

Motivation and Context

GitLab recently introduced a lifetime limit for personal access tokens, see https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/. All previously created personal access tokens will expire on May 14, 2024. Therefore, personal access tokens now have to be periodically renewed, as described by #7954.

Description

As it has been decided in #7954, we now store the expiration date of VCS access tokens in the user table. The class VcsTokenRenewalService implements the periodic renewal of expiring or already expired access tokens. Using the abstract class VcsTokenManagementService as suggested to me by @b-fein, an interface for creating and renewing access tokens is provided independent of the used VCS, enabling extensibility for other VCSs in the future if necessary (see #8103).

While reworking the code for managing personal access tokens, I also fixed a todo stating that the programmatic GitLab API should be used instead of manual HTTP requests for creating personal access tokens. Unfortunately, listing and revoking personal access tokens is not (yet?) supported by this programmatic GitLab API, so I had to perform those requests manually.

Furthermore, note that although there exists a request type Rotate for effectively revoking and creating a personal access token in one single request instead of two (revoke+create), this was not used due to GitLab's use of so-called Automatic reuse detection (see also https://docs.gitlab.com/ee/api/personal_access_tokens.html#automatic-reuse-detection): When rotating a personal access token, GitLab stores all previous access tokens and revokes the currently active one if there occurs a usage attempt of a prior access token. This feature is said to strengthen security against access token leaks, but it is unsuitable for our use case, where an accidental reuse of a prior access token is quite likely, e.g. when they are used to push/pull over HTTPS.

Steps for Testing

Prerequisites:

  • GitLab is correctly set up as VCS (also set version-control-access-token to true in the Artemis configuration)
  • To make the manual testing practical, temporarily change the following timing constant in the code before running the server: In VcsTokenRenewalService.java, change line 58 from
    @Scheduled(cron = "0  0  4 * * SUN") // Every sunday at 4 am
    to
    @Scheduled(cron = "0 * * * * *") // Every minute
    such that the scheduled access token renewal job is run every minute.
  • A connection to the Artemis database via a database client, for example using psql for a Postgres database. This is necessary to simulate an expiring access token.
  • 1 Student with a personal access token. Let <username> be the login name of that student.
  1. Start Artemis with the code changes from above.
  2. Connect to the database.
  3. Run
    SELECT login, vcs_access_token, vcs_access_token_expiry_date FROM jhi_user WHERE login = '<username>';
    to see the personal access token of the student and the expiry date.
  4. Run
    UPDATE jhi_user SET vcs_access_token_expiry_date = '2024-03-20 00:00:00' WHERE login = '<username>';
    This simulates that the access token has expired or is about to expire (depending on the day of this test).
  5. Wait two minutes.
  6. Run
    SELECT login, vcs_access_token, vcs_access_token_expiry_date FROM jhi_user WHERE login = '<username>';
    and check that the personal access token has been updated and that the expiry date has been set to 365 days from running this test.

Testserver States

Note: these badges show the state of the test servers (green = currently available, red = currently locked). [badges not reproduced in this text]

Review Progress

Performance Review

  • I (as a reviewer) confirm that the server changes (in particular related to database calls) are implemented with a very good performance

Code Review

  • Code Review 1
  • Code Review 2

Manual Tests

  • Test 1
  • Test 2

Test Coverage

Class/File                                 | Line Coverage                               | Confirmation (assert/expect)
GitLabPersonalAccessTokenManagementService | 93%                                         |
GitlabUserManagementService                | 94%                                         |
VcsTokenRenewalService                     | 87% (only two catch+log blocks not covered) |

Summary by CodeRabbit

  • New Features
    • Added two new methods for user repository to manage access token expiration and null access tokens.
    • Introduced VcsTokenRenewalService for renewing and creating VCS access tokens on a scheduled task.
  • Enhancements
    • Improved GitLab user management by integrating token management services.
  • Tests
    • Added tests for new GitLab personal access token management and VCS token renewal services.
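
The renewal flow described in the Description and the Steps for Testing above, as an added, runnable model that is not the Artemis code: a fake GitLab personal access token API (list, revoke, create, and rotate with reuse detection) and a job that picks users whose stored token or expiry is missing or whose expiry falls inside the renewal window, revokes their existing tokens, creates a replacement valid for 365 days and writes the new expiry back to the user record. The `FakeGitLab` class, `UserRecord`, the `gitlab_user_id` field and the 28-day renewal window are assumptions of this example; the stored column names follow the SQL in the test steps.

```python
"""Added model of the scheduled VCS access token renewal (not Artemis code)."""
from __future__ import annotations

import logging
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

log = logging.getLogger("vcs-token-renewal")

TOKEN_LIFETIME = timedelta(days=365)  # new tokens are valid for 365 days (from the PR)
RENEWAL_WINDOW = timedelta(days=28)   # renew tokens expiring within 28 days (assumed value)


@dataclass
class UserRecord:
    """The jhi_user columns this job reads and writes (constructed sample rows)."""
    login: str
    gitlab_user_id: int  # assumed field linking the user to its GitLab account
    vcs_access_token: str | None = None
    vcs_access_token_expiry_date: datetime | None = None


class FakeGitLab:
    """Offline stand-in for the GitLab personal access token API."""

    def __init__(self):
        self._next_id = 1
        self._tokens: dict[int, dict] = {}  # id -> {user_id, value, expires_at, active}
        self._rotated: dict[str, int] = {}  # rotated-out value -> id of its successor

    def list_tokens(self, user_id):
        """Active tokens of one user (the manual GET the PR mentions)."""
        return [dict(id=tid, **t) for tid, t in self._tokens.items()
                if t["user_id"] == user_id and t["active"]]

    def revoke(self, token_id):
        """Revoke one token (the manual DELETE the PR mentions)."""
        self._tokens[token_id]["active"] = False

    def create(self, user_id, expires_at):
        """Create a token with an expiry; returns (id, value, expiry)."""
        tid, self._next_id = self._next_id, self._next_id + 1
        value = "glpat-" + secrets.token_urlsafe(20)
        self._tokens[tid] = dict(user_id=user_id, value=value, expires_at=expires_at, active=True)
        return tid, value, expires_at

    def rotate(self, token_id, expires_at):
        """Revoke + create in one call, remembering the old value for reuse detection."""
        old = self._tokens[token_id]
        self.revoke(token_id)
        new_id, value, exp = self.create(old["user_id"], expires_at)
        self._rotated[old["value"]] = new_id
        return new_id, value, exp

    def authenticate(self, token_value):
        """Accept an active token; presenting a rotated-out value revokes its successor."""
        if any(t["value"] == token_value and t["active"] for t in self._tokens.values()):
            return True
        successor = self._rotated.get(token_value)
        if successor is not None:
            self.revoke(successor)
        return False


def needs_renewal(user, now, window=RENEWAL_WINDOW):
    """No token, no recorded expiry, or expiry inside the renewal window."""
    return (user.vcs_access_token is None
            or user.vcs_access_token_expiry_date is None
            or user.vcs_access_token_expiry_date <= now + window)


def renew_expiring_tokens(users, gitlab, now, lifetime=TOKEN_LIFETIME, window=RENEWAL_WINDOW):
    """The scheduled job: revoke + create per user (not rotate); log and continue on failure."""
    renewed = []
    for user in users:
        if not needs_renewal(user, now, window):
            continue
        try:
            for tok in gitlab.list_tokens(user.gitlab_user_id):
                gitlab.revoke(tok["id"])
            _, value, expires_at = gitlab.create(user.gitlab_user_id, now + lifetime)
            user.vcs_access_token = value
            user.vcs_access_token_expiry_date = expires_at
            renewed.append(user.login)
        except Exception:  # one failing user must not abort the whole run
            log.exception("could not renew VCS access token for %s", user.login)
    return renewed


def demo():
    """Constructed scenario: one expiring token, one missing token, one fresh token."""
    now = datetime(2024, 3, 11, 4, 0, tzinfo=timezone.utc)
    gitlab = FakeGitLab()
    _, old_value, old_expiry = gitlab.create(7, now + timedelta(days=3))
    users = [UserRecord("alice", 7, old_value, old_expiry),
             UserRecord("bob", 8, None, None),
             UserRecord("carol", 9, "glpat-constructed-fresh", now + timedelta(days=300))]
    renewed = renew_expiring_tokens(users, gitlab, now)
    # Why rotate() is avoided: accidental reuse of the old value kills the new token.
    rot = FakeGitLab()
    tid, v_old, _ = rot.create(1, now)
    _, v_new, _ = rot.rotate(tid, now + TOKEN_LIFETIME)
    rot.authenticate(v_old)  # e.g. a stale HTTPS credential still cached by a client
    return {"renewed": renewed,
            "alice_new_expiry": users[0].vcs_access_token_expiry_date,
            "expected_expiry": now + TOKEN_LIFETIME,
            "old_token_still_valid": gitlab.authenticate(old_value),
            "new_token_valid": gitlab.authenticate(users[0].vcs_access_token),
            "carol_token": users[2].vcs_access_token,
            "rotated_token_valid_after_reuse": rot.authenticate(v_new)}
```

`demo()` returns the renewed logins (`alice` and `bob`; `carol` is untouched because her token is still far from expiry) together with the authentication results. The `rotate`/`authenticate` pair models the automatic reuse detection the description cites: once a token has been rotated, presenting the old value revokes its successor, which is why the job issues a separate revoke and create instead of a single rotate.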

@b-fein b-fein requested a review from chrisknedl March 12, 2024 15:26
@R3dError R3dError marked this pull request as ready for review March 12, 2024 20:55
@R3dError R3dError requested a review from a team as a code owner March 12, 2024 20:55

coderabbitai bot commented Mar 12, 2024

Walkthrough

The update introduces a comprehensive system for managing Version Control System (VCS) access tokens, specifically targeting GitLab personal access tokens. It includes mechanisms for token creation, renewal, and expiry management. This enhancement integrates services and repositories to handle user access tokens efficiently, ensuring secure and up-to-date access to GitLab repositories. The changes streamline GitLab integration within the platform, improving security and user management through automated token lifecycle processes.

Changes

File Path | Change Summary
.../domain/User.java | Added vcsAccessTokenExpiryDate field with getter and setter.
.../repository/UserRepository.java | Added methods for fetching users by token expiration date or null tokens.
.../service/connectors/gitlab/GitLabPersonalAccessTokenManagementService.java | Provides VCS access token services for GitLab.
.../service/connectors/gitlab/GitLabUserManagementService.java | Updated for token management delegation and constructor injection of GitLabPersonalAccessTokenManagementService. Removed direct token creation logic.
.../service/connectors/gitlab/dto/GitLabPersonalAccessTokenListResponseDTO.java | Defines DTO for GitLab personal access token listing.
.../service/connectors/vcs/VcsTokenManagementService.java | Abstract class for VCS access token management with default implementations.
.../service/connectors/vcs/VcsTokenRenewalService.java | Service for renewing and creating VCS access tokens on a scheduled basis.
.../authentication/UserJenkinsGitlabIntegrationTest.java | Integrates GitLabPersonalAccessTokenManagementService in tests.
.../connector/GitlabRequestMockProvider.java | Adds methods for mocking GitLab user API interactions and token operations.
.../service/connectors/gitlab/GitLabPersonalAccessTokenManagementServiceTest.java | Test cases for GitLab personal access token management.
.../service/connectors/vcs/VcsTokenRenewalServiceTest.java | Test cases for renewing VCS access tokens.

Related issues

  • Integrated Code Lifecycle, GitLab: Repository Access Token Management #8103: The changes in this PR directly address the objectives outlined in this issue by implementing a token management lifecycle for LocalVCS similar to GitLab, including generating access tokens, setting token lifetimes, allowing manual token recreation, updating user documentation, and considering notifications for token actions.

Contributor

@b-fein b-fein left a comment

Thanks for implementing the suggested changes. Code looks good now. 👍

I noticed another small but important thing on the re-review though.

Contributor

@b-fein b-fein left a comment

Code looks good now. 👍

Contributor

@dfuchss dfuchss left a comment

Code looks good to me.

Contributor

@chrisknedl chrisknedl left a comment

Tested on TS6. Works as expected, great work!

Contributor

@b-fein b-fein left a comment

We also tested this PR on an Artemis+GitLab test server at Uni Passau since testing this on a GitHub-deployed testserver is not really possible.

@b-fein b-fein added this to the 6.9.3 milestone Mar 18, 2024
@krusche krusche changed the title Development: GitLab personal access token automatic renewal Programming exercises: Automatically renew personal access token for GitLab Mar 19, 2024
Member

@krusche krusche left a comment

Code looks good to me 👍

@krusche krusche merged commit d125378 into develop Mar 19, 2024
29 of 35 checks passed
@krusche krusche deleted the feature/gitlab/token-auto-renewal branch March 19, 2024 08:55
Labels
database Pull requests that update the database. (Added Automatically!). Require a CRITICAL deployment. jenkins/gitlab priority:high ready to merge server Pull requests that update Java code. (Added Automatically!) tests
Projects
Archived in project
Artemis Development
In progress
Development

Successfully merging this pull request may close these issues.

Gitlab: API tokens need to be regularly renewed
5 participants