Delete PATs when transfering project to a free group

Project's Personal Access Tokens are only available for premium hosted plans hence we should make them invalid when the project is transferred to a group with a free plan. Changelog: fixed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65803 EE: true

Delete PATs when transfering project to a free group
Project's Personal Access Tokens are only available for premium hosted plans hence we should make them invalid when the project is transferred to a group with a free plan. Changelog: fixed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65803 EE: true
6e311075 · Rubén Dávila · 8439b05d · 6e311075 · 6e311075 · 6e311075
Commit 6e311075 authored Jul 21, 2021 by Rubén Dávila
3 changed files
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -89,6 +89,8 @@ module Projects
        update_integrations
+        remove_paid_features
        project.old_path_with_namespace = @old_path
        update_repository_configuration(@new_path)
@@ -109,6 +111,10 @@ module Projects
      move_pages(project)
    end
+    # Overridden in EE
+    def remove_paid_features
+    end
    def transfer_missing_group_resources(group)
      Labels::TransferService.new(current_user, group, project).execute

--- a/ee/app/services/ee/projects/transfer_service.rb
+++ b/ee/app/services/ee/projects/transfer_service.rb
@@ -45,6 +45,20 @@ module EE
          ::Elastic::ProcessInitialBookkeepingService.backfill_projects!(project) if project.maintaining_elasticsearch?
        end
      end
+      override :remove_paid_features
+      def remove_paid_features
+        revoke_project_access_tokens
+      end
+      def revoke_project_access_tokens
+        return if new_namespace.feature_available_non_trial?(:resource_access_token)
+        PersonalAccessTokensFinder
+          .new(user: project.bots, impersonation: false)
+          .execute
+          .update_all(revoked: true)
+      end
    end
  end
 end
--- a/ee/spec/services/projects/transfer_service_spec.rb
+++ b/ee/spec/services/projects/transfer_service_spec.rb
@@ -126,4 +126,52 @@ RSpec.describe Projects::TransferService do
      end
    end
  end
+  describe 'project access tokens' do
+    let_it_be(:premium_group) { create(:group_with_plan, plan: :premium_plan) }
+    let_it_be(:free_group) { create(:group) }
+    before do
+      premium_group.add_owner(user)
+      free_group.add_owner(user)
+      ResourceAccessTokens::CreateService.new(user, project).execute
+    end
+    def revoked_tokens
+      PersonalAccessToken.without_impersonation.for_users(project.bots).revoked
+    end
+    context 'with a self managed instance' do
+      before do
+        stub_ee_application_setting(should_check_namespace_plan: false)
+      end
+      it 'does not revoke PATs' do
+        subject.execute(group)
+        expect { subject.execute(group) }.not_to change { revoked_tokens.count }
+      end
+    end
+    context 'with GL.com' do
+      before do
+        stub_ee_application_setting(should_check_namespace_plan: true)
+      end
+      context 'when target namespace has a premium plan' do
+        it 'does not revoke PATs' do
+          subject.execute(premium_group)
+          expect { subject.execute(group) }.not_to change { revoked_tokens.count }
+        end
+      end
+      context 'when target namespace has a free plan' do
+        it 'revoke PATs' do
+          expect { subject.execute(free_group) }.to change { revoked_tokens.count }.from(0).to(1)
+        end
+      end
+    end
+  end
 end