Allow null expiresAt on group accessToken

[andreufontb]

What problem are you facing?

GitLab 17.7 introduced the ability to create group access tokens without an expiration date. However, this feature is not yet supported by the Crossplane GitLab provider.

How could Crossplane help solve your problem?

Update the groups.gitlab.crossplane.io/v1alpha1 CRD to allow the expiresAt field in AccessToken to accept a null value. While making an API call, expires_at is still a required field, so it should be explicitly set to null when no expiration date is desired.

Here is an example API call for creating an access token on a GitLab 17.7 instance:

curl --location 'https://gitlab.example.com/api/v4/groups/16/access_tokens' \
--header 'PRIVATE-TOKEN: <YOUR-PRIVATE-TOKEN>' \
--header 'Content-Type: application/json' \
--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":null, "access_level": 30 }'

The response looks like this:

{
    "id": 74,
    "name": "test_token",
    "revoked": false,
    "created_at": "2024-10-10T10:24:47.132Z",
    "scopes": [
        "api",
        "read_repository"
    ],
    "user_id": 1632,
    "last_used_at": null,
    "active": true,
    "expires_at": "2025-10-07",
    "access_level": 30,
    "token": "<THE-GENERATED-TOKEN>"
}

[lacroi-m-insta]

Hey @andreufontb,

This feature seams deprecated https://docs.gitlab.com/ee/update/deprecations.html#non-expiring-access-tokens

https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html#create-a-group-access-token-using-ui

The ability to create group access tokens without an expiry date was deprecated in GitLab 15.4 and removed in GitLab 16.0. For more information on expiry dates added to existing tokens, see the documentation on access token expiration.

I've recently added new auth types that you can look into here: https://github.com/crossplane-contrib/provider-gitlab/pull/160

[andreufontb]

Hi @lacroi-m-insta,

You are correct that non-expiring access tokens were deprecated in version 16.0. However, in the current release (17.4) — I previously mentioned 17.7 by mistake, which hasn't been released yet — there is now an option to allow non-expiring access tokens at the group or instance level.

You can find more details in the release notes.

If you have version 17.4 installed, you can configure this setting at the instance level by navigating to Admin Area → Settings → General, and then under Account and limit, you'll find a new checkbox for Personal / project / group access token expiration → Require expiration date, which is enabled by default. By disabling this option, you can once again create group and personal access tokens without an expiration date, both through the UI and the API.

[lacroi-m-insta]

I see ! Thanks for the details. They probably had a lot of backlash from the community to re-introduce this insecure feature like that.

I would be against it but I guess you could just handle this case by removing the omitempty here: https://github.com/crossplane-contrib/provider-gitlab/blob/master/apis/groups/v1alpha1/accesstoken_types.go#L45

I am not sure what the side effect would be

[andreufontb]

I'm not a fan of using non-expiring tokens either. Do you think it's possible for Crossplane to detect expired tokens and automatically rotate them?

[lacroi-m-insta]

That would be great for sure !

Technically it could be possible. The used SDK here has an implementation for it on personal_acces_token https://github.com/xanzy/go-gitlab/blob/b5e0812497a6475cf9d5f55c068ee0c3a44dbe7a/personal_access_tokens.go#L149

But it seams that the other types of tokens dont have the refresh logic yet, we would need to add it there then add it here it would take a while.

For the personal_acces_token case we would need to add a field to give an expiresAt value that is required here and that would then trigger a reconsile to patch the token field.

[dariozachow]

Automatically rotating tokens would be awesome!