Merge branch...

Merge branch '214809-highlight-expired-ssh-or-pat-credentials-in-the-credential-inventory' into 'master'

Highlight expired SSH or PAT credentials in the credential inventory

See merge request gitlab-org/gitlab!35229

ee/app/views/shared/credentials_inventory/_expiry_date.html.haml

+- if credential.expires?
+  - expiry_date = credential.expires_at.to_date
+  - date_classes = 'gl-display-flex gl-align-items-center has-tooltip gl-w-full gl-justify-content-end gl-justify-content-md-start'
+
+  - if credential.expired?
+    %span{ class: date_classes + ' gl-text-red-500', title: _('This credential has expired'), data: { testid: 'expiry-date-icon' } }
+      = sprite_icon('error', size: 16, css_class: "gl-icon gl-mr-2")
+      = expiry_date
+  - elsif credential.expires_soon?
+    %span{ class: date_classes + ' gl-text-orange-500', data: { testid: 'expiry-date-icon' } }
+      = sprite_icon('warning', size: 16, css_class: "gl-icon gl-mr-2")
+      = expiry_date
+  - else
+    = expiry_date
+- else
+  = _('Never')

ee/app/views/shared/credentials_inventory/_personal_access_tokens.html.haml

 .table-holder
-  .thead-white.text-nowrap.gl-responsive-table-row.table-row-header{ role: 'row' }
+  .thead-white.gl-white-space-nowrap.gl-responsive-table-row.table-row-header{ role: 'row' }
     .table-section.section-40{ role: 'rowheader' }= _('Owner')
-    .table-section.section-30{ role: 'rowheader' }= _('Scope')
-    .table-section.section-10{ role: 'rowheader' }= _('Created On')
-    .table-section.section-10{ role: 'rowheader' }= _('Expiration')
+    .table-section.section-20{ role: 'rowheader' }= _('Scope')
+    .table-section.section-15{ role: 'rowheader' }= _('Created On')
+    .table-section.section-15{ role: 'rowheader' }= _('Expiration')
     .table-section.section-10{ role: 'rowheader' }= _('Revoked')
 
   = render partial: 'shared/credentials_inventory/personal_access_tokens/personal_access_token', collection: credentials

ee/app/views/shared/credentials_inventory/_ssh_keys.html.haml

 .table-holder
-  .thead-white.text-nowrap.gl-responsive-table-row.table-row-header{ role: 'row' }
+  .thead-white.gl-white-space-nowrap.gl-responsive-table-row.table-row-header{ role: 'row' }
     .table-section.section-40{ role: 'rowheader' }= _('Owner')
     .table-section.section-15{ role: 'rowheader' }= _('Created On')
     .table-section.section-15{ role: 'rowheader' }= _('Last Accessed On')
+    .table-section.section-15{ role: 'rowheader' }= _('Expiration')
 
   = render partial: 'shared/credentials_inventory/ssh_keys/ssh_key', collection: credentials

ee/app/views/shared/credentials_inventory/personal_access_tokens/_personal_access_token.html.haml

@@ -4,25 +4,22 @@
       = _('Owner')
     .table-mobile-content
       = render 'shared/credentials_inventory/users/user_detail', user: personal_access_token.user
-  .table-section.section-30
+  .table-section.section-20
     .table-mobile-header{ role: 'rowheader' }
       = _('Scope')
-    .table-mobile-content.ws-normal
+    .table-mobile-content.gl-white-space-normal
       - scopes = personal_access_token.scopes
       = scopes.present? ? scopes.join(", ") : _('No Scopes')
-  .table-section.section-10
+  .table-section.section-15
     .table-mobile-header{ role: 'rowheader' }
       = _('Created On')
     .table-mobile-content
       = personal_access_token.created_at.to_date
-  .table-section.section-10
+  .table-section.section-15
     .table-mobile-header{ role: 'rowheader' }
       = _('Expiration')
-    .table-mobile-content
-      - if personal_access_token.expires?
-        = personal_access_token.expires_at
-      - else
-        = _('Never')
+    .table-mobile-content.gl-w-full
+      = render 'shared/credentials_inventory/expiry_date', credential: personal_access_token
   .table-section.section-10
     .table-mobile-header{ role: 'rowheader' }
       = _('Revoked')

ee/app/views/shared/credentials_inventory/ssh_keys/_ssh_key.html.haml

@@ -14,3 +14,8 @@
       = _('Last Accessed On')
     .table-mobile-content
       = (last_used_at = ssh_key.last_used_at).present? ? last_used_at.to_date : _('Never')
+  .table-section.section-15
+    .table-mobile-header{ role: 'rowheader' }
+      = _('Expiration')
+    .table-mobile-content.gl-w-full
+      = render 'shared/credentials_inventory/expiry_date', credential: ssh_key

ee/changelogs/unreleased/214809-highlight-expired-ssh-or-pat-credentials-in-the-credential-inve.yml

+---
+title: Highlight expired SSH or PAT credentials in the credential inventory
+merge_request: 35229
+author:
+type: changed

ee/spec/features/admin/admin_credentials_inventory_spec.rb

@@ -51,20 +51,9 @@ RSpec.describe 'Admin::CredentialsInventory' do
       end
 
       context 'by SSH Keys' do
-        before do
-          create(:personal_key,
-            user: create(:user, name: 'Tom'),
-            created_at: '2019-12-09',
-            last_used_at: '2019-12-10')
+        let(:credentials_path) { admin_credentials_path(filter: 'ssh_keys') }
 
-          visit admin_credentials_path(filter: 'ssh_keys')
-        end
-
-        it 'shows details of ssh keys' do
-          expect(first_row.text).to include('Tom')
-          expect(first_row.text).to include('2019-12-09')
-          expect(first_row.text).to include('2019-12-10')
-        end
+        it_behaves_like 'credentials inventory SSH keys'
       end
     end
   end

ee/spec/features/groups/groups_security_credentials_spec.rb

@@ -48,20 +48,9 @@ RSpec.describe 'Groups::Security::Credentials' do
       end
 
       context 'by SSH Keys' do
-        before do
-          create(:personal_key,
-            user: managed_user,
-            created_at: '2019-12-09',
-            last_used_at: '2019-12-10')
+        let(:credentials_path) { group_security_credentials_path(group_id: group_id, filter: 'ssh_keys') }
 
-          visit group_security_credentials_path(group_id: group_id, filter: 'ssh_keys')
-        end
-
-        it 'shows details of ssh keys' do
-          expect(first_row.text).to include('David')
-          expect(first_row.text).to include('2019-12-09')
-          expect(first_row.text).to include('2019-12-10')
-        end
+        it_behaves_like 'credentials inventory SSH keys', group_managed_account: true
       end
     end
   end

ee/spec/support/shared_examples/features/credentials_inventory_shared_examples.rb

 # frozen_string_literal: true
 
+require 'spec_helper'
+
+RSpec.shared_examples 'credentials inventory expiry date' do
+  it 'shows the expiry date' do
+    visit credentials_path
+
+    expect(first_row.text).to include(expiry_date)
+  end
+end
+
+RSpec.shared_examples 'credentials inventory expiry date before' do
+  before do
+    travel_to(view_at_date)
+  end
+
+  after do
+    travel_back
+  end
+
+  it 'shows the expiry without any warnings' do
+    visit credentials_path
+
+    expect(first_row).not_to have_selector('[data-testid="expiry-date-icon"]')
+  end
+end
+
+RSpec.shared_examples 'credentials inventory expiry date close or past' do
+  before do
+    travel_to(view_at_date)
+  end
+
+  after do
+    travel_back
+  end
+
+  it 'adds a warning to the expiry date' do
+    visit credentials_path
+
+    expect(first_row.find('[data-testid="expiry-date-icon"]').find('svg').native.inner_html).to match(/<use xlink:href=".+?icons-.+?##{expected_icon}">/)
+  end
+end
+
 RSpec.shared_examples_for 'credentials inventory personal access tokens' do |group_managed_account: false|
   let_it_be(:user) { group_managed_account ? managed_user : create(:user, name: 'David') }
 
   context 'when a personal access token is active' do
-    before do
+    before_all do
       create(:personal_access_token,
         user: user,
         created_at: '2019-12-10',
         updated_at: '2020-06-22',
         expires_at: nil)
+    end
 
+    before do
       visit credentials_path
     end
 
-    it 'shows the details with no revoked date' do
+    it 'shows the details with no revoked date', :aggregate_failures do
       expect(first_row.text).to include('David')
       expect(first_row.text).to include('api')
       expect(first_row.text).to include('2019-12-10')
@@ -23,19 +67,56 @@ RSpec.shared_examples_for 'credentials inventory personal access tokens' do |gro
     end
   end
 
+  context 'when a personal access token has an expiry' do
+    let_it_be(:expiry_date) { 1.day.since.to_date.to_s }
+
+    before_all do
+      create(:personal_access_token,
+             user: user,
+             created_at: '2019-12-10',
+             updated_at: '2020-06-22',
+             expires_at: expiry_date)
+    end
+
+    context 'and is not expired' do
+      let(:view_at_date) { 20.days.ago }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date before'
+    end
+
+    context 'and is near expiry' do
+      let(:expected_icon) { 'warning' }
+      let(:view_at_date) { 1.day.ago }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date close or past'
+    end
+
+    context 'and is expired' do
+      let(:expected_icon) { 'error' }
+      let(:view_at_date) { 2.days.since }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date close or past'
+    end
+  end
+
   context 'when a personal access token is revoked' do
-    before do
+    before_all do
       create(:personal_access_token,
         :revoked,
         user: user,
         created_at: '2019-12-10',
         updated_at: '2020-06-22',
         expires_at: nil)
+    end
 
+    before do
       visit credentials_path
     end
 
-    it 'shows the details with a revoked date' do
+    it 'shows the details with a revoked date', :aggregate_failures do
       expect(first_row.text).to include('David')
       expect(first_row.text).to include('api')
       expect(first_row.text).to include('2019-12-10')
@@ -43,3 +124,63 @@ RSpec.shared_examples_for 'credentials inventory personal access tokens' do |gro
     end
   end
 end
+
+RSpec.shared_examples_for 'credentials inventory SSH keys' do |group_managed_account: false|
+  let_it_be(:user) { group_managed_account ? managed_user : create(:user, name: 'David') }
+
+  context 'when a SSH key is active' do
+    before_all do
+      create(:personal_key,
+             user: user,
+             created_at: '2019-12-09',
+             last_used_at: '2019-12-10',
+             expires_at: nil)
+    end
+
+    before do
+      visit credentials_path
+    end
+
+    it 'shows the details with no expiry', :aggregate_failures do
+      expect(first_row.text).to include('David')
+      expect(first_row.text).to include('2019-12-09')
+      expect(first_row.text).to include('2019-12-10')
+      expect(first_row.text).to include('Never')
+    end
+  end
+
+  context 'when a SSH key has an expiry' do
+    let_it_be(:expiry_date) { 1.day.since.to_date.to_s }
+
+    before_all do
+      create(:personal_key,
+             user: user,
+             created_at: '2019-12-10',
+             last_used_at: '2020-06-22',
+             expires_at: expiry_date)
+    end
+
+    context 'and is not expired' do
+      let(:view_at_date) { 20.days.ago }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date before'
+    end
+
+    context 'and is near expiry' do
+      let(:expected_icon) { 'warning' }
+      let(:view_at_date) { 1.day.ago }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date close or past'
+    end
+
+    context 'and is expired' do
+      let(:expected_icon) { 'error' }
+      let(:view_at_date) { 2.days.since }
+
+      it_behaves_like 'credentials inventory expiry date'
+      it_behaves_like 'credentials inventory expiry date close or past'
+    end
+  end
+end

locale/gitlab.pot

@@ -23533,6 +23533,9 @@ msgstr ""
 msgid "This content could not be displayed because %{reason}. You can %{options} instead."
 msgstr ""
 
+msgid "This credential has expired"
+msgstr ""
+
 msgid "This date is after the due date, so this epic won't appear in the roadmap."
 msgstr ""