API: Expose token_expires_at when resetting runner token

When a runner's authentication token is reset, or when the runner
is created, the API also returns the token_expires_at field.

app/helpers/application_settings_helper.rb

@@ -425,7 +425,10 @@ module ApplicationSettingsHelper
       :suggest_pipeline_enabled,
       :user_email_lookup_limit,
       :users_get_by_id_limit,
-      :users_get_by_id_limit_allowlist_raw
+      :users_get_by_id_limit_allowlist_raw,
+      :runner_token_expiration_interval,
+      :group_runner_token_expiration_interval,
+      :project_runner_token_expiration_interval
     ].tap do |settings|
       settings << :deactivate_dormant_users unless Gitlab.com?
     end

doc/api/runners.md

@@ -679,7 +679,8 @@ Example response:
 ```json
 {
     "id": 12345,
-    "token": "6337ff461c94fd3fa32ba3b1ff4125"
+    "token": "6337ff461c94fd3fa32ba3b1ff4125",
+    "token_expires_at": "2021-09-27T21:05:03.203Z"
 }
 ```
 
@@ -819,6 +820,7 @@ Example response:
 
 ```json
 {
-    "token": "6337ff461c94fd3fa32ba3b1ff4125"
+    "token": "6337ff461c94fd3fa32ba3b1ff4125",
+    "token_expires_at": "2021-09-27T21:05:03.203Z"
 }
 ```

lib/api/ci/runners.rb

@@ -143,7 +143,7 @@ module API
           authenticate_update_runner!(runner)
 
           runner.reset_token!
-          present runner.token, with: Entities::Ci::ResetTokenResult
+          present runner.token_with_expiration, with: Entities::Ci::ResetTokenResult
         end
       end
 
@@ -249,7 +249,7 @@ module API
           authorize! :update_runners_registration_token
 
           ApplicationSetting.current.reset_runners_registration_token!
-          present ApplicationSetting.current_without_cache.runners_registration_token, with: Entities::Ci::ResetTokenResult
+          present ApplicationSetting.current_without_cache.runners_registration_token_with_expiration, with: Entities::Ci::ResetTokenResult
         end
       end
 
@@ -267,7 +267,7 @@ module API
           authorize! :update_runners_registration_token, project
 
           project.reset_runners_token!
-          present project.runners_token, with: Entities::Ci::ResetTokenResult
+          present project.runners_token_with_expiration, with: Entities::Ci::ResetTokenResult
         end
       end
 
@@ -285,7 +285,7 @@ module API
           authorize! :update_runners_registration_token, group
 
           group.reset_runners_token!
-          present group.runners_token, with: Entities::Ci::ResetTokenResult
+          present group.runners_token_with_expiration, with: Entities::Ci::ResetTokenResult
         end
       end
 

lib/api/entities/ci/reset_token_result.rb

@@ -4,7 +4,8 @@ module API
   module Entities
     module Ci
       class ResetTokenResult < Grape::Entity
-        expose(:token) {|object| object}
+        expose(:token)
+        expose(:token_expires_at, if: -> (object, options) { object.expirable? })
       end
     end
   end

lib/api/entities/ci/runner_registration_details.rb

@@ -4,7 +4,7 @@ module API
   module Entities
     module Ci
       class RunnerRegistrationDetails < Grape::Entity
-        expose :id, :token
+        expose :id, :token, :token_expires_at
       end
     end
   end

lib/api/settings.rb

@@ -178,6 +178,9 @@ module API
       optional :user_deactivation_emails_enabled, type: Boolean, desc: 'Send emails to users upon account deactivation'
       optional :suggest_pipeline_enabled, type: Boolean, desc: 'Enable pipeline suggestion banner'
       optional :users_get_by_id_limit, type: Integer, desc: "Maximum number of calls to the /users/:id API per 10 minutes per user. Set to 0 for unlimited requests."
+      optional :runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for shared runners, in seconds'
+      optional :group_runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for group runners, in seconds'
+      optional :project_runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for project runners, in seconds'
 
       ApplicationSetting::SUPPORTED_KEY_TYPES.each do |type|
         optional :"#{type}_key_restriction",

spec/requests/api/ci/runner/runners_post_spec.rb

@@ -62,12 +62,26 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
           end
         end
 
-        it 'creates runner' do
-          request
+        context 'when token_expires_at is nil' do
+          it 'creates runner' do
+            request
 
-          expect(response).to have_gitlab_http_status(:created)
-          expect(json_response['id']).to eq(new_runner.id)
-          expect(json_response['token']).to eq(new_runner.token)
+            expect(response).to have_gitlab_http_status(:created)
+            expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => nil })
+          end
+        end
+
+        context 'when token_expires_at is a valid date' do
+          before do
+            new_runner.token_expires_at = DateTime.new(2022, 1, 11, 14, 39, 24)
+          end
+
+          it 'creates runner' do
+            request
+
+            expect(response).to have_gitlab_http_status(:created)
+            expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => '2022-01-11T14:39:24.000Z' })
+          end
         end
 
         it_behaves_like 'storing arguments in the application context for the API' do

spec/requests/api/ci/runners_spec.rb

@@ -664,7 +664,7 @@ RSpec.describe API::Ci::Runners do
           post api("/runners/#{shared_runner.id}/reset_authentication_token", admin)
 
           expect(response).to have_gitlab_http_status(:success)
-          expect(json_response).to eq({ 'token' => shared_runner.reload.token })
+          expect(json_response).to eq({ 'token' => shared_runner.reload.token, 'token_expires_at' => nil })
         end.to change { shared_runner.reload.token }
       end
 
@@ -688,7 +688,7 @@ RSpec.describe API::Ci::Runners do
           post api("/runners/#{project_runner.id}/reset_authentication_token", user)
 
           expect(response).to have_gitlab_http_status(:success)
-          expect(json_response).to eq({ 'token' => project_runner.reload.token })
+          expect(json_response).to eq({ 'token' => project_runner.reload.token, 'token_expires_at' => nil })
         end.to change { project_runner.reload.token }
       end
 
@@ -729,7 +729,22 @@ RSpec.describe API::Ci::Runners do
           post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
 
           expect(response).to have_gitlab_http_status(:success)
-          expect(json_response).to eq({ 'token' => group_runner_a.reload.token })
+          expect(json_response).to eq({ 'token' => group_runner_a.reload.token, 'token_expires_at' => nil })
+        end.to change { group_runner_a.reload.token }
+      end
+
+      it 'resets group runner authentication token with owner access with expiration time', :freeze_time do
+        expect(group_runner_a.reload.token_expires_at).to be_nil
+
+        group.update!(runner_token_expiration_interval: 5.days)
+
+        expect do
+          post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
+          group_runner_a.reload
+
+          expect(response).to have_gitlab_http_status(:success)
+          expect(json_response).to eq({ 'token' => group_runner_a.token, 'token_expires_at' => group_runner_a.token_expires_at.iso8601(3) })
+          expect(group_runner_a.token_expires_at).to eq(5.days.from_now)
         end.to change { group_runner_a.reload.token }
       end
     end

spec/requests/api/settings_spec.rb

@@ -51,6 +51,9 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
       expect(json_response['whats_new_variant']).to eq('all_tiers')
       expect(json_response['user_deactivation_emails_enabled']).to be(true)
       expect(json_response['suggest_pipeline_enabled']).to be(true)
+      expect(json_response['runner_token_expiration_interval']).to be_nil
+      expect(json_response['group_runner_token_expiration_interval']).to be_nil
+      expect(json_response['project_runner_token_expiration_interval']).to be_nil
     end
   end
 
@@ -652,5 +655,37 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
         end
       end
     end
+
+    context 'runner token expiration_intervals' do
+      it 'updates the settings' do
+        put api("/application/settings", admin), params: {
+          runner_token_expiration_interval: 3600,
+          group_runner_token_expiration_interval: 3600 * 2,
+          project_runner_token_expiration_interval: 3600 * 3
+        }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response).to include(
+          'runner_token_expiration_interval' => 3600,
+          'group_runner_token_expiration_interval' => 3600 * 2,
+          'project_runner_token_expiration_interval' => 3600 * 3
+        )
+      end
+
+      it 'updates the settings with empty values' do
+        put api("/application/settings", admin), params: {
+          runner_token_expiration_interval: nil,
+          group_runner_token_expiration_interval: nil,
+          project_runner_token_expiration_interval: nil
+        }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response).to include(
+          'runner_token_expiration_interval' => nil,
+          'group_runner_token_expiration_interval' => nil,
+          'project_runner_token_expiration_interval' => nil
+        )
+      end
+    end
   end
 end

spec/services/ci/register_runner_service_spec.rb

@@ -85,6 +85,17 @@ RSpec.describe ::Ci::RegisterRunnerService, '#execute' do
           expect(subject.ip_address).to eq args[:ip_address]
         end
       end
+
+      context 'with runner token expiration interval', :freeze_time do
+        before do
+          stub_application_setting(runner_token_expiration_interval: 5.days)
+        end
+
+        it 'creates runner with token expiration' do
+          is_expected.to be_an_instance_of(::Ci::Runner)
+          expect(subject.token_expires_at).to eq(5.days.from_now)
+        end
+      end
     end
 
     context 'when project token is used' do