Do not apply instance level PAT expiry policy to group managed accounts

This change makes sure that the instance level PAT expiry policy
settings do not apply to users in group managed accounts.
This is the first step towards implementing
https://gitlab.com/gitlab-org/gitlab/issues/118893

app/views/groups/settings/_permissions.html.haml

@@ -37,6 +37,7 @@
     = render 'groups/settings/project_creation_level', f: f, group: @group
     = render 'groups/settings/subgroup_creation_level', f: f, group: @group
     = render 'groups/settings/two_factor_auth', f: f
+    = render_if_exists 'groups/personal_access_token_expiration_policy', f: f, group: @group
     = render_if_exists 'groups/member_lock_setting', f: f, group: @group
 
   = f.submit _('Save changes'), class: 'btn btn-success prepend-top-default js-dirty-submit', data: { qa_selector: 'save_permissions_changes_button' }

doc/user/group/saml_sso/index.md

@@ -112,6 +112,32 @@ To access the Credentials inventory of a group, navigate to **{shield}** **Secur
 
 This feature is similar to the [Credentials inventory for self-managed instances](../../admin_area/credentials_inventory.md).
 
+##### Limiting lifetime of personal access tokens of users in Group-managed accounts **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118893) in GitLab 12.10.
+
+Users in a group managed account can optionally specify an expiration date for
+[personal access tokens](../../profile/personal_access_tokens.md).
+This expiration date is not a requirement, and can be set to any arbitrary date.
+
+Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
+
+###### Setting a limit
+
+Only a GitLab administrator or an owner of a Group-managed account can set a limit. Leaving it empty means that the [instance level restrictions](../../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens-ultimate-only) on the lifetime of personal access tokens will apply.
+
+To set a limit on how long personal access tokens are valid for users in a group managed account:
+
+1. Navigate to the **{settings}** **Settings > General** page in your group's sidebar.
+1. Expand the **Permissions, LFS, 2FA** section.
+1. Fill in the **Maximum allowable lifetime for personal access tokens (days)** field.
+1. Click **Save changes**.
+
+Once a lifetime for personal access tokens is set, GitLab will:
+
+- Apply the lifetime for new personal access tokens, and require users managed by the group to set an expiration date that is no later than the allowed lifetime.
+- After three hours, revoke old tokens with no expiration date or with a lifetime longer than the allowed lifetime. Three hours is given to allow administrators/group owner to change the allowed lifetime, or remove it, before revocation takes place.
+
 ##### Outer forks restriction for Group-managed accounts
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/34648) in GitLab 12.9.

ee/app/controllers/ee/groups_controller.rb

@@ -66,6 +66,7 @@ module EE
         params_ee << :ip_restriction_ranges if current_group&.feature_available?(:group_ip_restriction)
         params_ee << { allowed_email_domain_attributes: [:id, :domain] } if current_group&.feature_available?(:group_allowed_email_domains)
         params_ee << :max_pages_size if can?(current_user, :update_max_pages_size)
+        params_ee << :max_personal_access_token_lifetime if current_group&.personal_access_token_expiration_policy_available?
       end
     end
 

ee/app/helpers/personal_access_tokens_helper.rb

 # frozen_string_literal: true
 
 module PersonalAccessTokensHelper
+  include Gitlab::Utils::StrongMemoize
+
+  def personal_access_token_expiration_policy_enabled?
+    return group_level_personal_access_token_expiration_policy_enabled? if current_user.group_managed_account?
+
+    instance_level_personal_access_token_expiration_policy_enabled?
+  end
+
+  def personal_access_token_max_expiry_date
+    return group_level_personal_access_token_max_expiry_date if current_user.group_managed_account?
+
+    instance_level_personal_access_token_max_expiry_date
+  end
+
   def personal_access_token_expiration_policy_licensed?
     License.feature_available?(:personal_access_token_expiration_policy)
   end
 
-  def personal_access_token_expiration_policy_enabled?
-    Gitlab::CurrentSettings.max_personal_access_token_lifetime && personal_access_token_expiration_policy_licensed?
+  private
+
+  def instance_level_personal_access_token_expiration_policy_enabled?
+    instance_level_personal_access_token_max_expiry_date && personal_access_token_expiration_policy_licensed?
+  end
+
+  def instance_level_personal_access_token_max_expiry_date
+    ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
+  end
+
+  def group_level_personal_access_token_expiration_policy_enabled?
+    group_level_personal_access_token_max_expiry_date && personal_access_token_expiration_policy_licensed?
+  end
+
+  def group_level_personal_access_token_max_expiry_date
+    current_user.managing_group.max_personal_access_token_lifetime_from_now
   end
 end

ee/app/models/ee/application_setting.rb

@@ -274,7 +274,7 @@ module EE
     def update_personal_access_tokens_lifetime
       return unless max_personal_access_token_lifetime.present? && License.feature_available?(:personal_access_token_expiration_policy)
 
-      ::PersonalAccessTokens::UpdateLifetimeService.new.execute
+      ::PersonalAccessTokens::Instance::UpdateLifetimeService.new.execute
     end
 
     def mirror_max_delay_in_minutes

ee/app/models/ee/group.rb

@@ -56,6 +56,10 @@ module EE
       validates :repository_size_limit,
                 numericality: { only_integer: true, greater_than_or_equal_to: 0, allow_nil: true }
 
+      validates :max_personal_access_token_lifetime,
+                allow_blank: true,
+                numericality: { only_integer: true, greater_than: 0, less_than_or_equal_to: 365 }
+
       validate :custom_project_templates_group_allowed, if: :custom_project_templates_group_id_changed?
 
       scope :aimed_for_deletion, -> (date) { joins(:deletion_schedule).where('group_deletion_schedules.marked_for_deletion_on <= ?', date) }
@@ -65,6 +69,17 @@ module EE
         joins(:ldap_group_links).where(ldap_group_links: { provider: provider })
       end
 
+      scope :with_managed_accounts_enabled, -> {
+        joins(:saml_provider).where(saml_providers:
+          {
+            enabled: true,
+            enforced_sso: true,
+            enforced_group_managed_accounts: true
+          })
+      }
+
+      scope :with_no_pat_expiry_policy, -> { where(max_personal_access_token_lifetime: nil) }
+
       scope :with_project_templates, -> { where.not(custom_project_templates_group_id: nil) }
 
       scope :with_custom_file_templates, -> do
@@ -311,6 +326,24 @@ module EE
       )
     end
 
+    def max_personal_access_token_lifetime_from_now
+      if max_personal_access_token_lifetime.present?
+        max_personal_access_token_lifetime.days.from_now
+      else
+        ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
+      end
+    end
+
+    def personal_access_token_expiration_policy_available?
+      enforced_group_managed_accounts? && License.feature_available?(:personal_access_token_expiration_policy)
+    end
+
+    def update_personal_access_tokens_lifetime
+      return unless max_personal_access_token_lifetime.present? && personal_access_token_expiration_policy_available?
+
+      ::PersonalAccessTokens::Groups::UpdateLifetimeService.new(self).execute
+    end
+
     private
 
     def custom_project_templates_group_allowed

ee/app/models/ee/personal_access_token.rb

@@ -15,9 +15,9 @@ module EE
       scope :with_no_expires_at, -> { where(revoked: false, expires_at: nil) }
       scope :with_expires_at_after, ->(max_lifetime) { where(revoked: false).where('expires_at > ?', max_lifetime) }
 
-      with_options if: :max_personal_access_token_lifetime_enabled? do
+      with_options if: :expiration_policy_enabled? do
         validates :expires_at, presence: true
-        validate :expires_at_before_max_lifetime
+        validate :expires_at_before_max_expiry_date
       end
     end
 
@@ -38,20 +38,42 @@ module EE
 
     private
 
-    def max_expiration_date
-      strong_memoize(:max_expiration_date) do
-        ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
-      end
+    def expiration_policy_enabled?
+      return group_level_expiration_policy_enabled? if user.group_managed_account?
+
+      instance_level_expiration_policy_enabled?
+    end
+
+    def instance_level_expiration_policy_enabled?
+      expiration_policy_licensed? && instance_level_max_expiry_date
+    end
+
+    def max_expiry_date
+      return group_level_max_expiry_date if user.group_managed_account?
+
+      instance_level_max_expiry_date
     end
 
-    def max_personal_access_token_lifetime_enabled?
-      max_expiration_date && License.feature_available?(:personal_access_token_expiration_policy)
+    def instance_level_max_expiry_date
+      ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
     end
 
-    def expires_at_before_max_lifetime
+    def expires_at_before_max_expiry_date
       return if expires_at.blank?
 
-      errors.add(:expires_at, :invalid) if expires_at > max_expiration_date
+      errors.add(:expires_at, :invalid) if expires_at > max_expiry_date
+    end
+
+    def expiration_policy_licensed?
+      License.feature_available?(:personal_access_token_expiration_policy)
+    end
+
+    def group_level_expiration_policy_enabled?
+      expiration_policy_licensed? && group_level_max_expiry_date
+    end
+
+    def group_level_max_expiry_date
+      user.managing_group.max_personal_access_token_lifetime_from_now
     end
   end
 end

ee/app/models/ee/user.rb

@@ -66,6 +66,8 @@ module EE
         scope
       }
 
+      scope :managed_by, ->(group) { where(managing_group: group) }
+
       scope :excluding_guests, -> { joins(:members).merge(::Member.non_guests).distinct }
 
       scope :subscribed_for_admin_email, -> { where(admin_email_unsubscribed_at: nil) }

ee/app/services/ee/groups/update_service.rb

@@ -23,6 +23,15 @@ module EE
 
       private
 
+      override :after_update
+      def after_update
+        super
+
+        if group.saved_change_to_max_personal_access_token_lifetime?
+          group.update_personal_access_tokens_lifetime
+        end
+      end
+
       override :before_assignment_hook
       def before_assignment_hook(group, params)
         # Repository size limit comes as MB from the view

ee/app/services/personal_access_tokens/groups/update_lifetime_service.rb

+# frozen_string_literal: true
+
+module PersonalAccessTokens
+  module Groups
+    class UpdateLifetimeService < PersonalAccessTokens::Instance::UpdateLifetimeService
+      extend ::Gitlab::Utils::Override
+
+      def initialize(group)
+        @group = group
+      end
+
+      private
+
+      attr_reader :group
+
+      override :perform
+      def perform
+        ::PersonalAccessTokens::Groups::PolicyWorker.perform_in(DEFAULT_LEASE_TIMEOUT, group.id)
+      end
+
+      # Used by ExclusiveLeaseGuard
+      # This should be unique per group
+      override :lease_key
+      def lease_key
+        "#{super}:group_id:#{group.id}"
+      end
+    end
+  end
+end

ee/app/services/personal_access_tokens/instance/update_lifetime_service.rb

+# frozen_string_literal: true
+
+module PersonalAccessTokens
+  module Instance
+    class UpdateLifetimeService
+      include ExclusiveLeaseGuard
+
+      DEFAULT_LEASE_TIMEOUT = 3.hours.to_i
+
+      def execute
+        try_obtain_lease do
+          perform
+        end
+      end
+
+      private
+
+      def perform
+        ::PersonalAccessTokens::Instance::PolicyWorker.perform_in(DEFAULT_LEASE_TIMEOUT)
+      end
+
+      # Used by ExclusiveLeaseGuard
+      def lease_timeout
+        DEFAULT_LEASE_TIMEOUT
+      end
+
+      # Used by ExclusiveLeaseGuard
+      # Overriding value as we never release the lease
+      # before the timeout in order to prevent multiple
+      # PersonalAccessTokens::Instance::PolicyWorker to start in
+      # a short span of time
+      def lease_release?
+        false
+      end
+    end
+  end
+end

ee/app/services/personal_access_tokens/update_lifetime_service.rb

-# frozen_string_literal: true
-
-module PersonalAccessTokens
-  class UpdateLifetimeService
-    include ExclusiveLeaseGuard
-
-    DEFAULT_LEASE_TIMEOUT = 3.hours.to_i
-
-    def execute
-      try_obtain_lease do
-        ::PersonalAccessTokens::PolicyWorker.perform_in(DEFAULT_LEASE_TIMEOUT)
-      end
-    end
-
-    private
-
-    # Used by ExclusiveLeaseGuard
-    def lease_timeout
-      DEFAULT_LEASE_TIMEOUT
-    end
-
-    # Used by ExclusiveLeaseGuard
-    # Overriding value as we never release the lease
-    # before the timeout in order to prevent multiple
-    # PersonalAccessTokens::PolicyWorker to start in
-    # a short span of time
-    def lease_release?
-      false
-    end
-  end
-end

ee/app/views/groups/_personal_access_token_expiration_policy.html.haml

+- return unless group.personal_access_token_expiration_policy_available?
+
+- instance_level_policy = ::Gitlab::CurrentSettings.max_personal_access_token_lifetime
+- instance_level_policy_in_words = instance_level_policy ? n_("%{no_of_days} day", "%{no_of_days} days", instance_level_policy) % { no_of_days: instance_level_policy } : _('no expiration')
+
+.form-group
+  = f.label :max_personal_access_token_lifetime, _('Maximum allowable lifetime for personal access token (days)'), class: 'label-light'
+  = f.number_field :max_personal_access_token_lifetime, class: 'form-control form-control-sm w-auto'
+  %span.form-text.text-muted#max_personal_access_token_lifetime= _('If blank, set allowable lifetime to %{instance_level_policy_in_words}, as defined by the instance admin. Once set, existing tokens for users in this group may be revoked.') % { instance_level_policy_in_words: instance_level_policy_in_words }

ee/app/views/personal_access_tokens/_callout_max_personal_access_token_lifetime.html.haml

 - return unless personal_access_token_expiration_policy_enabled?
 
 .bs-callout.bs-callout-danger
-  = _('Maximum lifetime allowable for Personal Access Tokens is active, your expire date must be set before %{maximum_allowable_date}.') % { maximum_allowable_date: ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now }
+  = _('Maximum lifetime allowable for Personal Access Tokens is active, your expire date must be set before %{maximum_allowable_date}.') % { maximum_allowable_date: personal_access_token_max_expiry_date.to_date }

ee/app/workers/all_queues.yml

@@ -402,6 +402,20 @@
   :resource_boundary: :unknown
   :weight: 1
   :idempotent: 
+- :name: personal_access_tokens:personal_access_tokens_groups_policy
+  :feature_category: :authentication_and_authorization
+  :has_external_dependencies: 
+  :urgency: :low
+  :resource_boundary: :unknown
+  :weight: 1
+  :idempotent: true
+- :name: personal_access_tokens:personal_access_tokens_instance_policy
+  :feature_category: :authentication_and_authorization
+  :has_external_dependencies: 
+  :urgency: :low
+  :resource_boundary: :unknown
+  :weight: 1
+  :idempotent: 
 - :name: personal_access_tokens:personal_access_tokens_policy
   :feature_category: :authentication_and_authorization
   :has_external_dependencies: 

ee/app/workers/personal_access_tokens/groups/policy_worker.rb

+# frozen_string_literal: true
+
+module PersonalAccessTokens
+  module Groups
+    class PolicyWorker
+      include ApplicationWorker
+
+      idempotent!
+
+      queue_namespace :personal_access_tokens
+      feature_category :authentication_and_authorization
+
+      def perform(group_id)
+        group = ::Group.find_by_id(group_id)
+
+        return unless group
+
+        expiration_date = group.max_personal_access_token_lifetime_from_now
+
+        return unless expiration_date
+
+        ::User.managed_by(group).with_invalid_expires_at_tokens(expiration_date).find_each do |user|
+          PersonalAccessTokens::RevokeInvalidTokens.new(user, expiration_date).execute
+        end
+      end
+    end
+  end
+end

ee/app/workers/personal_access_tokens/instance/policy_worker.rb

+# frozen_string_literal: true
+
+module PersonalAccessTokens
+  module Instance
+    class PolicyWorker # rubocop:disable Scalability/IdempotentWorker
+      include ApplicationWorker
+
+      queue_namespace :personal_access_tokens
+      feature_category :authentication_and_authorization
+
+      def perform
+        expiration_date = ::Gitlab::CurrentSettings.max_personal_access_token_lifetime_from_now
+
+        return unless expiration_date
+
+        # for users who are not managed by any group
+        User.not_managed.with_invalid_expires_at_tokens(expiration_date).find_each do |user|
+          PersonalAccessTokens::RevokeInvalidTokens.new(user, expiration_date).execute
+        end
+
+        # for users who are managed by groups, but these groups follow the instance level expiry policy
+        ::Group.with_managed_accounts_enabled.with_no_pat_expiry_policy.find_each do |group|
+          User.managed_by(group).with_invalid_expires_at_tokens(expiration_date).find_each do |user|
+            PersonalAccessTokens::RevokeInvalidTokens.new(user, expiration_date).execute
+          end
+        end
+      end
+    end
+  end
+end

ee/app/workers/personal_access_tokens/policy_worker.rb

 # frozen_string_literal: true
 
+# TODO: https://gitlab.com/gitlab-org/gitlab/-/issues/213791
+# Deprecate this worker in GitLab 13.0 in favor of PersonalAccessTokens::Instance::PolicyWorker
+
 module PersonalAccessTokens
   class PolicyWorker # rubocop:disable Scalability/IdempotentWorker
     include ApplicationWorker

ee/changelogs/unreleased/118893-extend-pat-expiration-setting-to-gitlab-com.yml

+---
+title: Allow GMA groups to specify their own PAT expiry setting
+merge_request: 25963
+author:
+type: added

ee/spec/controllers/ee/groups_controller_spec.rb

@@ -293,5 +293,81 @@ describe GroupsController do
         end
       end
     end
+
+    context 'when `max_personal_access_token_lifetime` is specified' do
+      let!(:managed_group) do
+        create(:group_with_managed_accounts, :private, max_personal_access_token_lifetime: 1)
+      end
+
+      let(:user) { create(:user, :group_managed, managing_group: managed_group ) }
+
+      let(:params) { { max_personal_access_token_lifetime: max_personal_access_token_lifetime } }
+      let(:max_personal_access_token_lifetime) { 10 }
+
+      subject do
+        put :update, params: { id: managed_group.to_param, group: params }
+      end
+
+      before do
+        allow_any_instance_of(EE::Group).to receive(:enforced_group_managed_accounts?).and_return(true)
+
+        managed_group.add_owner(user)
+        sign_in(user)
+      end
+
+      context 'without `personal_access_token_expiration_policy` licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: false)
+        end
+
+        it 'does not update the attribute' do
+          expect { subject }.not_to change { managed_group.reload.max_personal_access_token_lifetime }
+        end
+
+        it "doesn't call the update lifetime service" do
+          expect(::PersonalAccessTokens::Groups::UpdateLifetimeService).not_to receive(:new)
+
+          subject
+        end
+      end
+
+      context 'with personal_access_token_expiration_policy licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: true)
+        end
+
+        context 'when `max_personal_access_token_lifetime` is updated to a non-null value' do
+          it 'updates the attribute' do
+            subject
+
+            expect(managed_group.reload.max_personal_access_token_lifetime).to eq(max_personal_access_token_lifetime)
+          end
+
+          it 'executes the update lifetime service' do
+            expect_next_instance_of(::PersonalAccessTokens::Groups::UpdateLifetimeService, managed_group) do |service|
+              expect(service).to receive(:execute)
+            end
+
+            subject
+          end
+        end
+
+        context 'when `max_personal_access_token_lifetime` is updated to null value' do
+          let(:max_personal_access_token_lifetime) { nil }
+
+          it 'updates the attribute' do
+            subject
+
+            expect(managed_group.reload.max_personal_access_token_lifetime).to eq(max_personal_access_token_lifetime)
+          end
+
+          it "doesn't call the update lifetime service" do
+            expect(::PersonalAccessTokens::Groups::UpdateLifetimeService).not_to receive(:new)
+
+            subject
+          end
+        end
+      end
+    end
   end
 end

ee/spec/helpers/personal_access_tokens_helper_spec.rb

@@ -3,50 +3,144 @@
 require 'spec_helper'
 
 describe PersonalAccessTokensHelper do
-  describe '#personal_access_token_expiration_policy_licensed?' do
-    subject { helper.personal_access_token_expiration_policy_licensed? }
+  let(:group) do
+    build(:group, max_personal_access_token_lifetime: group_level_max_personal_access_token_lifetime)
+  end
+
+  let(:group_level_max_personal_access_token_lifetime) { nil }
+  let(:instance_level_max_personal_access_token_lifetime) { nil }
+  let(:user) { build(:user) }
+  let(:managed_user) { build(:user, managing_group: group) }
+
+  before do
+    allow(helper).to receive(:current_user) { user }
+    stub_application_setting(max_personal_access_token_lifetime: instance_level_max_personal_access_token_lifetime)
+  end
+
+  describe '#personal_access_token_expiration_policy_enabled?' do
+    subject { helper.personal_access_token_expiration_policy_enabled? }
 
-    context 'when is not licensed' do
+    context 'with `personal_access_token_expiration_policy` licensed' do
       before do
-        stub_licensed_features(personal_access_token_expiration_policy: false)
+        stub_licensed_features(personal_access_token_expiration_policy: true)
       end
 
-      it { is_expected.to be_falsey }
+      shared_examples_for 'instance level PAT expiry setting' do
+        context 'the instance has an expiry setting' do
+          let(:instance_level_max_personal_access_token_lifetime) { 20 }
+
+          it { is_expected.to be_truthy }
+        end
+
+        context 'the instance does not have an expiry setting' do
+          it { is_expected.to be_falsey }
+        end
+      end
+
+      context 'when the current user belongs to a managed group' do
+        let(:user) { managed_user }
+
+        context 'when the managed group has a PAT expiry policy' do
+          let(:group_level_max_personal_access_token_lifetime) { 10 }
+
+          it { is_expected.to be_truthy }
+        end
+
+        context 'when the managed group does not have a PAT expiry setting' do
+          it_behaves_like 'instance level PAT expiry setting'
+        end
+      end
+
+      context 'when the current user does not belong to a managed group' do
+        it_behaves_like 'instance level PAT expiry setting'
+      end
     end
 
-    context 'when is licensed' do
+    context 'with `personal_access_token_expiration_policy` not licensed' do
       before do
-        stub_licensed_features(personal_access_token_expiration_policy: true)
+        stub_licensed_features(personal_access_token_expiration_policy: false)
       end
 
-      it { is_expected.to be_truthy }
+      shared_examples_for 'instance level PAT expiry setting' do
+        context 'the instance has an expiry setting' do
+          let(:instance_level_max_personal_access_token_lifetime) { 20 }
+
+          it { is_expected.to be_falsey }
+        end
+
+        context 'the instance does not have an expiry setting' do
+          it { is_expected.to be_falsey }
+        end
+      end
+
+      context 'when the current user belongs to a managed group' do
+        let(:user) { managed_user }
+
+        context 'when the managed group has a PAT expiry policy' do
+          let(:group_level_max_personal_access_token_lifetime) { 10 }
+
+          it { is_expected.to be_falsey }
+        end
+
+        context 'when the managed group does not have a PAT expiry setting' do
+          it_behaves_like 'instance level PAT expiry setting'
+        end
+      end
+
+      context 'when the current user does not belong to a managed group' do
+        it_behaves_like 'instance level PAT expiry setting'
+      end
     end
   end
 
-  describe '#personal_access_token_expiration_policy_enabled?' do
-    subject { helper.personal_access_token_expiration_policy_enabled? }
+  describe '#personal_access_token_max_expiry_date' do
+    subject { helper.personal_access_token_max_expiry_date }
 
-    context 'when is licensed and used' do
-      before do
-        stub_licensed_features(personal_access_token_expiration_policy: true)
-        stub_application_setting(max_personal_access_token_lifetime: 1)
+    shared_examples_for 'instance level PAT expiry setting' do
+      context 'the instance has an expiry setting' do
+        let(:instance_level_max_personal_access_token_lifetime) { 20 }
+
+        it { is_expected.to be_like_time(20.days.from_now) }
       end
 
-      it { is_expected.to be_truthy }
+      context 'the instance does not have an expiry setting' do
+        it { is_expected.to be_nil }
+      end
     end
 
-    context 'when is not licensed' do
-      before do
-        stub_licensed_features(personal_access_token_expiration_policy: false)
+    context 'when the current user belongs to a managed group' do
+      let(:user) { managed_user }
+
+      context 'when the managed group has a PAT expiry policy' do
+        let(:group_level_max_personal_access_token_lifetime) { 10 }
+
+        it { is_expected.to be_like_time(10.days.from_now) }
       end
 
-      it { is_expected.to be_falsey }
+      context 'when the managed group does not have a PAT expiry setting' do
+        it_behaves_like 'instance level PAT expiry setting'
+      end
+    end
+
+    context 'when the current user does not belong to a managed group' do
+      it_behaves_like 'instance level PAT expiry setting'
     end
+  end
+
+  describe '#personal_access_token_expiration_policy_licensed?' do
+    subject { helper.personal_access_token_expiration_policy_licensed? }
 
-    context 'when is licensed but not used' do
+    context 'with `personal_access_token_expiration_policy` licensed' do
       before do
         stub_licensed_features(personal_access_token_expiration_policy: true)
-        stub_application_setting(max_personal_access_token_lifetime: nil)
+      end
+
+      it { is_expected.to be_truthy }
+    end
+
+    context 'with `personal_access_token_expiration_policy` not licensed' do
+      before do
+        stub_licensed_features(personal_access_token_expiration_policy: false)
       end
 
       it { is_expected.to be_falsey }

ee/spec/models/application_setting_spec.rb

@@ -514,7 +514,7 @@ describe ApplicationSetting do
       end
 
       it "doesn't call the update lifetime service" do
-        expect(::PersonalAccessTokens::UpdateLifetimeService).not_to receive(:new)
+        expect(::PersonalAccessTokens::Instance::UpdateLifetimeService).not_to receive(:new)
 
         setting.save
       end
@@ -527,7 +527,7 @@ describe ApplicationSetting do
       end
 
       it 'executes the update lifetime service' do
-        expect_next_instance_of(::PersonalAccessTokens::UpdateLifetimeService) do |service|
+        expect_next_instance_of(::PersonalAccessTokens::Instance::UpdateLifetimeService) do |service|
           expect(service).to receive(:execute)
         end
 

ee/spec/models/ee/personal_access_token_spec.rb

@@ -46,7 +46,8 @@ describe PersonalAccessToken do
   end
 
   describe 'validations' do
-    let(:personal_access_token) { build(:personal_access_token) }
+    let(:user) { build(:user) }
+    let(:personal_access_token) { build(:personal_access_token, user: user) }
 
     it 'allows to define expires_at' do
       personal_access_token.expires_at = 1.day.from_now
@@ -61,18 +62,28 @@ describe PersonalAccessToken do
     end
 
     context 'with expiration policy' do
-      let(:pat_expiration_policy) { 30 }
-      let(:max_expiration_date) { pat_expiration_policy.days.from_now }
+      let(:instance_level_pat_expiration_policy) { 30 }
+      let(:instance_level_max_expiration_date) { instance_level_pat_expiration_policy.days.from_now }
 
       before do
-        stub_ee_application_setting(max_personal_access_token_lifetime: pat_expiration_policy)
+        stub_ee_application_setting(max_personal_access_token_lifetime: instance_level_pat_expiration_policy)
       end
 
-      context 'when the feature is licensed' do
-        before do
-          stub_licensed_features(personal_access_token_expiration_policy: true)
+      shared_examples_for 'PAT expiry rules are not enforced' do
+        it 'allows expiry to be after the max_personal_access_token_lifetime' do
+          personal_access_token.expires_at = max_expiration_date + 1.day
+
+          expect(personal_access_token).to be_valid
         end
 
+        it 'can be blank' do
+          personal_access_token.expires_at = nil
+
+          expect(personal_access_token).to be_valid
+        end
+      end
+
+      shared_examples_for 'PAT expiry rules are enforced' do
         it 'requires to be less or equal than the max_personal_access_token_lifetime' do
           personal_access_token.expires_at = max_expiration_date + 1.day
 
@@ -88,15 +99,61 @@ describe PersonalAccessToken do
         end
       end
 
+      context 'when the feature is licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: true)
+        end
+
+        context 'when the user does not belong to a managed group' do
+          it_behaves_like 'PAT expiry rules are enforced' do
+            let(:max_expiration_date) { instance_level_max_expiration_date }
+          end
+        end
+
+        context 'when the user belongs to a managed group' do
+          let(:group_level_pat_expiration_policy) { nil }
+          let(:group) do
+            build(:group_with_managed_accounts, max_personal_access_token_lifetime: group_level_pat_expiration_policy)
+          end
+
+          let(:user) { build(:user, managing_group: group) }
+
+          context 'when the group has enforced a PAT expiry rule' do
+            let(:group_level_pat_expiration_policy) { 20 }
+            let(:group_level_max_expiration_date) { group_level_pat_expiration_policy.days.from_now }
+
+            it_behaves_like 'PAT expiry rules are enforced' do
+              let(:max_expiration_date) { group_level_max_expiration_date }
+            end
+          end
+
+          context 'when the group has not enforced a PAT expiry setting' do
+            context 'when the instance has enforced a PAT expiry setting' do
+              it_behaves_like 'PAT expiry rules are enforced' do
+                let(:max_expiration_date) { instance_level_max_expiration_date }
+              end
+            end
+
+            context 'when the instance does not enforce a PAT expiry setting' do
+              before do
+                stub_ee_application_setting(max_personal_access_token_lifetime: nil)
+              end
+
+              it_behaves_like 'PAT expiry rules are not enforced' do
+                let(:max_expiration_date) { instance_level_max_expiration_date }
+              end
+            end
+          end
+        end
+      end
+
       context 'when the feature is not available' do
         before do
           stub_licensed_features(personal_access_token_expiration_policy: false)
         end
 
-        it 'allows to be after the max_personal_access_token_lifetime' do
-          personal_access_token.expires_at = max_expiration_date + 1.day
-
-          expect(personal_access_token).to be_valid
+        it_behaves_like 'PAT expiry rules are not enforced' do
+          let(:max_expiration_date) { instance_level_max_expiration_date }
         end
       end
     end

ee/spec/models/group_spec.rb

@@ -78,9 +78,42 @@ describe Group do
         expect(described_class.for_epics(epics)).to contain_exactly(epic1.group)
       end
     end
+
+    describe '.with_managed_accounts_enabled' do
+      subject { described_class.with_managed_accounts_enabled }
+
+      let!(:group_with_with_managed_accounts_enabled) { create(:group_with_managed_accounts) }
+      let!(:group_without_managed_accounts_enabled) { create(:group) }
+
+      it 'includes the groups that has managed accounts enabled' do
+        expect(subject).to contain_exactly(group_with_with_managed_accounts_enabled)
+      end
+    end
+
+    describe '.with_no_pat_expiry_policy' do
+      subject { described_class.with_no_pat_expiry_policy }
+
+      let!(:group_with_pat_expiry_policy) { create(:group, max_personal_access_token_lifetime: 1) }
+      let!(:group_with_no_pat_expiry_policy) { create(:group, max_personal_access_token_lifetime: nil) }
+
+      it 'includes the groups that has no PAT expiry policy set' do
+        expect(subject).to contain_exactly(group_with_no_pat_expiry_policy)
+      end
+    end
   end
 
   describe 'validations' do
+    context 'max_personal_access_token_lifetime' do
+      it { is_expected.to allow_value(1).for(:max_personal_access_token_lifetime) }
+      it { is_expected.to allow_value(nil).for(:max_personal_access_token_lifetime) }
+      it { is_expected.to allow_value(10).for(:max_personal_access_token_lifetime) }
+      it { is_expected.to allow_value(365).for(:max_personal_access_token_lifetime) }
+      it { is_expected.not_to allow_value("value").for(:max_personal_access_token_lifetime) }
+      it { is_expected.not_to allow_value(2.5).for(:max_personal_access_token_lifetime) }
+      it { is_expected.not_to allow_value(-5).for(:max_personal_access_token_lifetime) }
+      it { is_expected.not_to allow_value(366).for(:max_personal_access_token_lifetime) }
+    end
+
     context 'validates if custom_project_templates_group_id is allowed' do
       let(:subgroup_1) { create(:group, parent: group) }
 
@@ -757,4 +790,120 @@ describe Group do
       end
     end
   end
+
+  describe '#personal_access_token_expiration_policy_available?' do
+    subject { group.personal_access_token_expiration_policy_available? }
+
+    let(:group) { build(:group) }
+
+    context 'when the group does not enforce managed accounts' do
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when the group enforces managed accounts' do
+      before do
+        allow(group).to receive(:enforced_group_managed_accounts?).and_return(true)
+      end
+
+      context 'with `personal_access_token_expiration_policy` licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: true)
+        end
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'with `personal_access_token_expiration_policy` not licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: false)
+        end
+
+        it { is_expected.to be_falsey }
+      end
+    end
+  end
+
+  describe '#update_personal_access_tokens_lifetime' do
+    subject { group.update_personal_access_tokens_lifetime }
+
+    let(:limit) { 1 }
+    let(:group) { build(:group, max_personal_access_token_lifetime: limit) }
+
+    shared_examples_for 'it does not call the update lifetime service' do
+      it 'doesn not call the update lifetime service' do
+        expect(::PersonalAccessTokens::Groups::UpdateLifetimeService).not_to receive(:new)
+
+        subject
+      end
+    end
+
+    context 'when the group does not enforce managed accounts' do
+      it_behaves_like 'it does not call the update lifetime service'
+    end
+
+    context 'when the group enforces managed accounts' do
+      before do
+        allow(group).to receive(:enforced_group_managed_accounts?).and_return(true)
+      end
+
+      context 'with `personal_access_token_expiration_policy` not licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: false)
+        end
+
+        it_behaves_like 'it does not call the update lifetime service'
+      end
+
+      context 'with `personal_access_token_expiration_policy` licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: true)
+        end
+
+        context 'when the group does not enforce a PAT expiry policy' do
+          let(:limit) { nil }
+
+          it_behaves_like 'it does not call the update lifetime service'
+        end
+
+        context 'when the group enforces a PAT expiry policy' do
+          it 'executes the update lifetime service' do
+            expect_next_instance_of(::PersonalAccessTokens::Groups::UpdateLifetimeService, group) do |service|
+              expect(service).to receive(:execute)
+            end
+
+            subject
+          end
+        end
+      end
+    end
+  end
+
+  describe '#max_personal_access_token_lifetime_from_now' do
+    subject { group.max_personal_access_token_lifetime_from_now }
+
+    let(:days_from_now) { nil }
+    let(:group) { build(:group, max_personal_access_token_lifetime: days_from_now) }
+
+    context 'when max_personal_access_token_lifetime is defined' do
+      let(:days_from_now) { 30 }
+
+      it 'is a date time' do
+        expect(subject).to be_a Time
+      end
+
+      it 'is in the future' do
+        expect(subject).to be > Time.zone.now
+      end
+
+      it 'is in days_from_now' do
+        expect(subject.to_date - Date.today).to eq days_from_now
+      end
+    end
+
+    context 'when max_personal_access_token_lifetime is nil' do
+      it 'is nil' do
+        expect(subject).to be_nil
+      end
+    end
+  end
 end

ee/spec/models/user_spec.rb

@@ -111,6 +111,15 @@ describe User do
         expect(non_internal.all?(&:internal?)).to eq(false)
       end
     end
+
+    describe '.managed_by' do
+      let!(:group) { create(:group_with_managed_accounts) }
+      let!(:managed_users) { create_list(:user, 2, managing_group: group) }
+
+      it 'returns users managed by the specified group' do
+        expect(described_class.managed_by(group)).to match_array(managed_users)
+      end
+    end
   end
 
   describe '.find_by_smartcard_identity' do

ee/spec/services/groups/update_service_spec.rb

@@ -328,6 +328,69 @@ describe Groups::UpdateService, '#execute' do
     end
   end
 
+  context 'updating `max_personal_access_token_lifetime` param' do
+    subject { update_group(group, user, attrs) }
+
+    let!(:group) do
+      create(:group_with_managed_accounts, :public, max_personal_access_token_lifetime: 1)
+    end
+
+    let(:limit) { 10 }
+    let(:attrs) { { max_personal_access_token_lifetime: limit } }
+
+    shared_examples_for 'it does not call the update lifetime service' do
+      it 'doesn not call the update lifetime service' do
+        expect(::PersonalAccessTokens::Groups::UpdateLifetimeService).not_to receive(:new)
+
+        subject
+      end
+    end
+
+    it 'updates the attribute' do
+      expect { subject }.to change { group.reload.max_personal_access_token_lifetime }.from(1).to(10)
+    end
+
+    context 'when the group does not enforce managed accounts' do
+      it_behaves_like 'it does not call the update lifetime service'
+    end
+
+    context 'when the group enforces managed accounts' do
+      before do
+        allow(group).to receive(:enforced_group_managed_accounts?).and_return(true)
+      end
+
+      context 'without `personal_access_token_expiration_policy` licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: false)
+        end
+
+        it_behaves_like 'it does not call the update lifetime service'
+      end
+
+      context 'with personal_access_token_expiration_policy licensed' do
+        before do
+          stub_licensed_features(personal_access_token_expiration_policy: true)
+        end
+
+        context 'when `max_personal_access_token_lifetime` is updated to null value' do
+          let(:limit) { nil }
+
+          it_behaves_like 'it does not call the update lifetime service'
+        end
+
+        context 'when `max_personal_access_token_lifetime` is updated to a non-null value' do
+          it 'executes the update lifetime service' do
+            expect_next_instance_of(::PersonalAccessTokens::Groups::UpdateLifetimeService, group) do |service|
+              expect(service).to receive(:execute)
+            end
+
+            subject
+          end
+        end
+      end
+    end
+  end
+
   def update_group(group, user, opts)
     Groups::UpdateService.new(group, user, opts).execute
   end

ee/spec/services/personal_access_tokens/groups/update_lifetime_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe PersonalAccessTokens::Groups::UpdateLifetimeService do
+  include ExclusiveLeaseHelpers
+
+  describe '#execute', :clean_gitlab_redis_shared_state do
+    let_it_be(:group) { create(:group_with_managed_accounts)}
+    subject { described_class.new(group) }
+
+    let(:lease_key) { "personal_access_tokens/groups/update_lifetime_service:group_id:#{group.id}" }
+
+    context 'when we can obtain the lease' do
+      it 'schedules the worker' do
+        stub_exclusive_lease(lease_key, timeout: described_class::DEFAULT_LEASE_TIMEOUT)
+
+        expect(::PersonalAccessTokens::Groups::PolicyWorker).to receive(:perform_in).once
+
+        subject.execute
+      end
+    end
+
+    context "when we can't obtain the lease" do
+      it 'does not schedule the worker' do
+        stub_exclusive_lease_taken(lease_key, timeout: described_class::DEFAULT_LEASE_TIMEOUT)
+
+        expect(::PersonalAccessTokens::Groups::PolicyWorker).not_to receive(:perform_in)
+
+        subject.execute
+      end
+    end
+  end
+end

ee/spec/services/personal_access_tokens/update_lifetime_service_spec.rb → ee/spec/services/personal_access_tokens/instance/update_lifetime_service_spec.rb

@@ -2,17 +2,17 @@
 
 require 'spec_helper'
 
-describe PersonalAccessTokens::UpdateLifetimeService do
+describe PersonalAccessTokens::Instance::UpdateLifetimeService do
   describe '#execute', :clean_gitlab_redis_shared_state do
     include ExclusiveLeaseHelpers
 
-    let(:lease_key) { 'personal_access_tokens/update_lifetime_service' }
+    let(:lease_key) { 'personal_access_tokens/instance/update_lifetime_service' }
 
     context 'when we can obtain the lease' do
       it 'schedules the worker' do
         stub_exclusive_lease(lease_key, timeout: described_class::DEFAULT_LEASE_TIMEOUT)
 
-        expect(::PersonalAccessTokens::PolicyWorker).to receive(:perform_in).once
+        expect(::PersonalAccessTokens::Instance::PolicyWorker).to receive(:perform_in).once
 
         subject.execute
       end
@@ -22,7 +22,7 @@ describe PersonalAccessTokens::UpdateLifetimeService do
       it 'does not schedule the worker' do
         stub_exclusive_lease_taken(lease_key, timeout: described_class::DEFAULT_LEASE_TIMEOUT)
 
-        expect(::PersonalAccessTokens::PolicyWorker).not_to receive(:perform_in)
+        expect(::PersonalAccessTokens::Instance::PolicyWorker).not_to receive(:perform_in)
 
         subject.execute
       end

ee/spec/workers/personal_access_tokens/groups/policy_worker_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PersonalAccessTokens::Groups::PolicyWorker, type: :worker do
+  let(:group) do
+    create(:group_with_managed_accounts, max_personal_access_token_lifetime: limit)
+  end
+
+  let!(:pat) do
+    create(:personal_access_token, expires_at: expires_at, user: create(:user, managing_group: group))
+  end
+
+  let(:expires_at) { nil }
+  let(:limit) { 7 }
+  let(:expires_after_max_token_lifetime) { (limit + 1).days.from_now.to_date }
+  let(:expires_before_max_token_lifetime) { (limit - 1).days.from_now.to_date }
+
+  describe '#perform' do
+    subject do
+      described_class.new.perform(group.id)
+    end
+
+    it_behaves_like 'an idempotent worker' do
+      let(:job_args) { [group.id] }
+
+      context 'when the group has set a PAT expiry policy' do
+        context 'valid PATs' do
+          let(:expires_at) { expires_before_max_token_lifetime }
+
+          it 'does not revoke valid PATs' do
+            expect { subject }.not_to change { pat.reload.revoked }
+          end
+        end
+
+        context 'invalid PATs' do
+          let(:expires_at) { expires_after_max_token_lifetime }
+
+          it 'revokes invalid PATs' do
+            expect { subject }.to change { pat.reload.revoked }.from(false).to(true)
+          end
+        end
+      end
+
+      context 'when the group has not set a PAT expiry policy' do
+        let(:group_limit) { nil }
+        let(:expires_at) { 1.day.from_now.to_date }
+
+        it 'does not revoke any tokens' do
+          expect { subject }.not_to change { pat.reload.revoked }
+        end
+      end
+    end
+  end
+end

ee/spec/workers/personal_access_tokens/instance/policy_worker_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PersonalAccessTokens::Instance::PolicyWorker, type: :worker do
+  describe '#perform' do
+    let(:instance_limit) { 7 }
+    let!(:pat) { create(:personal_access_token, expires_at: expire_at) }
+
+    before do
+      stub_application_setting(max_personal_access_token_lifetime: instance_limit)
+    end
+
+    context 'when a token is valid' do
+      let(:expire_at) { (instance_limit - 1).days.from_now.to_date }
+
+      it "doesn't revoked valid tokens" do
+        expect { subject.perform }.not_to change { pat.reload.revoked }
+      end
+    end
+
+    context 'when limit is nil' do
+      let(:instance_limit) { nil }
+      let(:expire_at) { 1.day.from_now }
+
+      it "doesn't revoked valid tokens" do
+        expect { subject.perform }.not_to change { pat.reload.revoked }
+      end
+
+      it "doesn't call the revoke invalid service" do
+        expect(PersonalAccessTokens::RevokeInvalidTokens).not_to receive(:new)
+
+        subject.perform
+      end
+    end
+
+    context 'invalid tokens' do
+      context 'PATs of users that do not belong to a managed group' do
+        context "when a token doesn't have an expiration time" do
+          let(:expire_at) { nil }
+
+          it 'enforces the policy on tokens' do
+            expect { subject.perform }.to change { pat.reload.revoked }.from(false).to(true)
+          end
+        end
+
+        context 'when a token expires after the limit' do
+          let(:expire_at) { (instance_limit + 1).days.from_now.to_date }
+
+          it 'enforces the policy on tokens' do
+            expect { subject.perform }.to change { pat.reload.revoked }.from(false).to(true)
+          end
+        end
+      end
+
+      context 'PATs of users that belongs to a managed group' do
+        let(:group) do
+          create(:group_with_managed_accounts, max_personal_access_token_lifetime: group_limit)
+        end
+
+        let(:user) { create(:user, managing_group: group) }
+        let!(:pat) { create(:personal_access_token, expires_at: expires_at, user: user) }
+
+        context 'when the group has set a PAT expiry policy' do
+          let(:group_limit) { 10 }
+
+          context 'PAT invalid as per the instance PAT expiration policy' do
+            let(:expires_at) { (instance_limit + 1).days.from_now.to_date }
+
+            it 'does not revoke the PAT' do
+              expect { subject.perform }.not_to change { pat.reload.revoked }
+            end
+          end
+
+          context 'PAT invalid as per the group PAT expiration policy' do
+            let(:expires_at) { (group_limit + 1).days.from_now.to_date }
+
+            it 'does not revoke the PAT' do
+              expect { subject.perform }.not_to change { pat.reload.revoked }
+            end
+          end
+        end
+
+        context 'when the group has not set a PAT expiry policy' do
+          let(:group_limit) { nil }
+
+          context 'PAT invalid as per the instance PAT expiration policy' do
+            let(:expires_at) { (instance_limit + 1).days.from_now.to_date }
+
+            it 'revokes the PAT' do
+              expect { subject.perform }.to change { pat.reload.revoked }.from(false).to(true)
+            end
+          end
+
+          context 'PAT valid as per the instance PAT expiration policy' do
+            let(:expires_at) { (instance_limit - 1).days.from_now.to_date }
+
+            it 'does not revoke the PAT' do
+              expect { subject.perform }.not_to change { pat.reload.revoked }
+            end
+          end
+        end
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -385,6 +385,11 @@ msgstr ""
 msgid "%{name}'s avatar"
 msgstr ""
 
+msgid "%{no_of_days} day"
+msgid_plural "%{no_of_days} days"
+msgstr[0] ""
+msgstr[1] ""
+
 msgid "%{number_commits_behind} commits behind %{default_branch}, %{number_commits_ahead} commits ahead"
 msgstr ""
 
@@ -10840,6 +10845,9 @@ msgstr ""
 msgid "If any job surpasses this timeout threshold, it will be marked as failed. Human readable time input language is accepted like \"1 hour\". Values without specification represent seconds."
 msgstr ""
 
+msgid "If blank, set allowable lifetime to %{instance_level_policy_in_words}, as defined by the instance admin. Once set, existing tokens for users in this group may be revoked."
+msgstr ""
+
 msgid "If checked, group owners can manage LDAP group links and LDAP member overrides"
 msgstr ""
 
@@ -25015,6 +25023,9 @@ msgstr ""
 msgid "no contributions"
 msgstr ""
 
+msgid "no expiration"
+msgstr ""
+
 msgid "no one can merge"
 msgstr ""