1 files changed, 65 insertions, 33 deletions

diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb
index ca32271f573..6414b1efe6a 100644
--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe API::Internal::Base, feature_category: :authentication_and_authorization do
+RSpec.describe API::Internal::Base, feature_category: :system_access do
   include GitlabShellHelpers
   include APIInternalBaseHelpers
 
@@ -10,6 +10,9 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
   let_it_be(:project, reload: true) { create(:project, :repository, :wiki_repo) }
   let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) }
   let_it_be(:project_snippet) { create(:project_snippet, :repository, author: user, project: project) }
+  let_it_be(:max_pat_access_token_lifetime) do
+    PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS.days.from_now.to_date.freeze
+  end
 
   let(:key) { create(:key, user: user) }
   let(:secret_token) { Gitlab::Shell.secret_token }
@@ -194,39 +197,68 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
       expect(json_response['message']).to match(/\AInvalid scope: 'badscope'. Valid scopes are: /)
     end
 
-    it 'returns a token without expiry when the expires_at parameter is missing' do
-      token_size = (PersonalAccessToken.token_prefix || '').size + 20
+    it 'returns a token with expiry when it receives a valid expires_at parameter' do
+      freeze_time do
+        token_size = (PersonalAccessToken.token_prefix || '').size + 20
+
+        post api('/internal/personal_access_token'),
+          params: {
+            key_id: key.id,
+            name: 'newtoken',
+            scopes: %w(read_api read_repository),
+            expires_at: max_pat_access_token_lifetime
+          },
+          headers: gitlab_shell_internal_api_request_header
 
-      post api('/internal/personal_access_token'),
-           params: {
-             key_id: key.id,
-             name: 'newtoken',
-             scopes: %w(read_api read_repository)
-           },
-           headers: gitlab_shell_internal_api_request_header
+        expect(json_response['success']).to be_truthy
+        expect(json_response['token']).to match(/\A\S{#{token_size}}\z/)
+        expect(json_response['scopes']).to match_array(%w(read_api read_repository))
+        expect(json_response['expires_at']).to eq(max_pat_access_token_lifetime.iso8601)
+      end
+    end
 
-      expect(json_response['success']).to be_truthy
-      expect(json_response['token']).to match(/\A\S{#{token_size}}\z/)
-      expect(json_response['scopes']).to match_array(%w(read_api read_repository))
-      expect(json_response['expires_at']).to be_nil
+    context 'when default_pat_expiration feature flag is true' do
+      it 'returns token with expiry as PersonalAccessToken::MAX_PERSONAL_ACCESS_TOKEN_LIFETIME_IN_DAYS' do
+        freeze_time do
+          token_size = (PersonalAccessToken.token_prefix || '').size + 20
+
+          post api('/internal/personal_access_token'),
+            params: {
+              key_id: key.id,
+              name: 'newtoken',
+              scopes: %w(read_api read_repository)
+            },
+            headers: gitlab_shell_internal_api_request_header
+
+          expect(json_response['success']).to be_truthy
+          expect(json_response['token']).to match(/\A\S{#{token_size}}\z/)
+          expect(json_response['scopes']).to match_array(%w(read_api read_repository))
+          expect(json_response['expires_at']).to eq(max_pat_access_token_lifetime.iso8601)
+        end
+      end
     end
 
-    it 'returns a token with expiry when it receives a valid expires_at parameter' do
-      token_size = (PersonalAccessToken.token_prefix || '').size + 20
+    context 'when default_pat_expiration feature flag is false' do
+      before do
+        stub_feature_flags(default_pat_expiration: false)
+      end
 
-      post api('/internal/personal_access_token'),
-           params: {
-             key_id: key.id,
-             name: 'newtoken',
-             scopes: %w(read_api read_repository),
-             expires_at: '9001-11-17'
-           },
-           headers: gitlab_shell_internal_api_request_header
+      it 'uses nil expiration value' do
+        token_size = (PersonalAccessToken.token_prefix || '').size + 20
+
+        post api('/internal/personal_access_token'),
+            params: {
+              key_id: key.id,
+              name: 'newtoken',
+              scopes: %w(read_api read_repository)
+            },
+            headers: gitlab_shell_internal_api_request_header
 
-      expect(json_response['success']).to be_truthy
-      expect(json_response['token']).to match(/\A\S{#{token_size}}\z/)
-      expect(json_response['scopes']).to match_array(%w(read_api read_repository))
-      expect(json_response['expires_at']).to eq('9001-11-17')
+        expect(json_response['success']).to be_truthy
+        expect(json_response['token']).to match(/\A\S{#{token_size}}\z/)
+        expect(json_response['scopes']).to match_array(%w(read_api read_repository))
+        expect(json_response['expires_at']).to be_nil
+      end
     end
   end
 
@@ -514,7 +546,7 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
           expect(json_response["gl_repository"]).to eq("wiki-#{project.id}")
           expect(json_response["gl_key_type"]).to eq("key")
           expect(json_response["gl_key_id"]).to eq(key.id)
-          expect(user.reload.last_activity_on).to be_nil
+          expect(user.reload.last_activity_on).to eql(Date.today)
         end
 
         it_behaves_like 'sets hook env' do
@@ -553,7 +585,7 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
           expect(json_response["status"]).to be_truthy
           expect(json_response["gl_project_path"]).to eq(personal_snippet.repository.full_path)
           expect(json_response["gl_repository"]).to eq("snippet-#{personal_snippet.id}")
-          expect(user.reload.last_activity_on).to be_nil
+          expect(user.reload.last_activity_on).to eql(Date.today)
         end
 
         it_behaves_like 'sets hook env' do
@@ -585,7 +617,7 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
           expect(json_response["status"]).to be_truthy
           expect(json_response["gl_project_path"]).to eq(project_snippet.repository.full_path)
           expect(json_response["gl_repository"]).to eq("snippet-#{project_snippet.id}")
-          expect(user.reload.last_activity_on).to be_nil
+          expect(user.reload.last_activity_on).to eql(Date.today)
         end
 
         it_behaves_like 'sets hook env' do
@@ -703,7 +735,7 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
             expect(json_response["gitaly"]["repository"]["relative_path"]).to eq(project.repository.gitaly_repository.relative_path)
             expect(json_response["gitaly"]["address"]).to eq(Gitlab::GitalyClient.address(project.repository_storage))
             expect(json_response["gitaly"]["token"]).to eq(Gitlab::GitalyClient.token(project.repository_storage))
-            expect(user.reload.last_activity_on).to be_nil
+            expect(user.reload.last_activity_on).to eql(Date.today)
           end
 
           it_behaves_like 'rate limited request' do
@@ -862,7 +894,7 @@ RSpec.describe API::Internal::Base, feature_category: :authentication_and_author
           expect(json_response['status']).to be_truthy
           expect(json_response['payload']).to eql(payload)
           expect(json_response['gl_console_messages']).to eql(console_messages)
-          expect(user.reload.last_activity_on).to be_nil
+          expect(user.reload.last_activity_on).to eql(Date.today)
         end
       end
     end