[TBT-46] Handle new web token with expiry (#1340)

* handle new web token with expiry

* handle expired auth token on regenerate fix specs

* add audit log for regenerate token

* set the auth cli token to expire

* fix job/jobs find_specs vm_size

* add user_id to find web_token for expiry reset

* add puts

* set default expiries to 5 mins, more puts

* remove puts

* remove user_id

* return user_id and defaults for api and cli tokens

* add unlimited expiry two years if env set

* rename env variable for web token

* change default expiries for testing

* refactor reset_expiry

* bring back default expiries

Author: nikolaTrichkovski

lib/travis/api/app/access_token.rb

@@ -18,6 +18,9 @@ def self.find_by_token(token)
       return token if token.is_a? self
       user_id, app_id, *scopes = redis.lrange(key(token), 0, -1)
       extra = decode_json(scopes.pop) if scopes.last && scopes.last =~ /^json:/
+
+      reset_expiry(token, user_id, app_id)
+
       new(token: token, scopes: scopes, user_id: user_id, app_id: app_id, extra: extra) if user_id
     end
 
@@ -101,5 +104,30 @@ def reuse_key
           keys.join(':')
         end
       end
+
+      def self.reset_expiry(token, user_id, app_id)
+        web_token = Token.find_by(user_id: user_id, purpose: :web)
+
+        if web_token && (token == web_token.token)
+          redis.expire(key(token), web_token_expires_in)
+        elsif app_id == '1' # This is the TravisCLI token app_id
+          redis.expire(key(token), auth_cli_token_expires_in)
+          redis.expire("r:#{user_id}:#{app_id}", auth_cli_token_expires_in)
+        else
+          redis.expire(key(token), auth_token_expires_in)
+        end
+      end
+
+      def self.web_token_expires_in
+        Travis.config.tokens&.web_token.expires_in
+      end
+
+      def self.auth_token_expires_in
+        Travis.config.tokens&.auth_token.expires_in
+      end
+
+      def self.auth_cli_token_expires_in
+        Travis.config.tokens&.auth_cli_token.expires_in
+      end
   end
 end

lib/travis/api/app/endpoint/authorization.rb

@@ -162,6 +162,7 @@ def serialize_user(user)
           rendered['user'].merge(
             'token' => token,
             'rss_token' => user.tokens.rss.first.try(:token) || token,
+            'web_token' => user.tokens.web.first.try(:token) || token
           )
         end
 

lib/travis/api/v3/queries/access_token.rb

@@ -1,8 +1,19 @@
 module Travis::API::V3
   class Queries::AccessToken < Query
-    def regenerate_token(user, token, app_id)
+    def regenerate_token(user, token, app_id, expires_in: nil)
       Travis.redis.del("t:#{token}")
-      Travis::Api::App::AccessToken.create(user: user, app_id: app_id, force: true).token
+      new_token = Travis::Api::App::AccessToken.create(user: user, app_id: app_id, expires_in:, force: true).token
+      Travis::API::V3::Models::Audit.create!(
+        owner: user,
+        change_source: 'travis-api',
+        source: user,
+        source_changes: {
+          action: 'regenerate_token',
+          old_api_token: token,
+          new_api_token: new_token,
+        }
+      )
+      new_token
     end
 
     def remove_token(user, token, app_id)

lib/travis/api/v3/services/access_token/regenerate_token.rb

@@ -1,9 +1,11 @@
 module Travis::API::V3
   class Services::AccessToken::RegenerateToken < Service
+    params :token
+
     def run!
       raise LoginRequired unless access_control.logged_in?
-      app_id = Travis::Api::App::AccessToken.find_by_token(access_control.token)&.app_id
-      result query.regenerate_token(access_control.user, access_control.token, app_id)
+      app_id = Travis::Api::App::AccessToken.find_by_token(params['token'])&.app_id || 0
+      result query.regenerate_token(access_control.user, params['token'], app_id, expires_in: Travis::Api::App::AccessToken.auth_token_expires_in)
     end
   end
 end

lib/travis/config/defaults.rb

@@ -37,7 +37,18 @@ def fallback_logs_api_auth_token
             shorten_host:         'trvs.io',
             public_mode:          !!ENV['PUBLIC_MODE'],
             applications:         {},
-            tokens:               { internal: 'token' },
+            tokens: {
+              internal: 'token',
+              web_token: {
+                expires_in: ENV['WEB_TOKEN_EXPIRES_IN_HOURS'] == 'unlimited' ? 2 * 365 * 86_400 : (ENV['WEB_TOKEN_EXPIRES_IN_HOURS'] ? ENV['WEB_TOKEN_EXPIRES_IN_HOURS'].to_i * 3_600 : 1 * 3_600)
+              },
+              auth_token: {
+                expires_in: ENV['AUTH_TOKEN_EXPIRES_IN_DAYS'] == 'unlimited' ? 2 * 365 * 86_400 : (ENV['AUTH_TOKEN_EXPIRES_IN_DAYS'] ? ENV['AUTH_TOKEN_EXPIRES_IN_DAYS'].to_i * 86_400 : 90 * 86_400)
+              },
+              auth_cli_token: {
+                expires_in: ENV['AUTH_CLI_TOKEN_EXPIRES_IN_DAYS'] == 'unlimited' ? 2 * 365 * 86_400 : (ENV['AUTH_CLI_TOKEN_EXPIRES_IN_DAYS'] ? ENV['AUTH_CLI_TOKEN_EXPIRES_IN_DAYS'].to_i * 86_400 : 90 * 86_400)
+              }
+            },
             auth:                 { target_origin: nil },
             assets:               { host: HOSTS[Travis.env.to_sym] },
             amqp:                 { username: 'guest', password: 'guest', host: 'localhost', prefetch: 1 },

lib/travis/model/token.rb

@@ -8,7 +8,7 @@
 # that people cannot throw random repositories at Travis CI.
 class Token < Travis::Model
   self.table_name = 'tokens'
-  enum purpose: [ :asset, :rss ]
+  enum purpose: [ :asset, :rss, :web ]
 
   belongs_to :user
 

lib/travis/model/user.rb

@@ -172,7 +172,8 @@ def inspect
 
   def create_the_tokens
     self.tokens.asset.create! unless self.tokens.asset.exists?
-    self.tokens.rss.create!
+    self.tokens.rss.create! unless self.tokens.rss.exists?
+    self.tokens.web.create! unless self.tokens.web.exists?
   end
 
   def github?

spec/unit/access_token_spec.rb

@@ -19,13 +19,15 @@
   end
 
   it 'expires the token after given period of time' do
-    token = described_class.new(app_id: 1, user_id: 2, expires_in: 1).tap(&:save)
+    token = described_class.new(app_id: 1, user_id: 2).tap(&:save)
+    key = "t:#{token.token}"
+    Travis.redis.expire(key, 1)
 
-    expect(described_class.find_by_token(token.token)).not_to be_nil
+    expect(Travis.redis.exists(key)).to eq 1
 
     sleep 2
 
-    expect(described_class.find_by_token(token.token)).to be_nil
+    expect(Travis.redis.exists(key)).to eq 0
   end
 
   it 'allows to save extra information' do

spec/v3/services/access_token/regenerate_token_spec.rb

@@ -1,13 +1,17 @@
 describe Travis::API::V3::Services::AccessToken::RegenerateToken, set_app: true do
   let(:user)    { FactoryBot.create(:user) }
   let(:token)   { Travis::Api::App::AccessToken.create(user: user, app_id: 0) }
-  let(:headers) {{ 'HTTP_AUTHORIZATION' => "token #{token}" }}
-  let(:parsed_body) { JSON.load(body) }
+  let(:headers) {{ 'HTTP_AUTHORIZATION' => "token #{token}", 'CONTENT_TYPE' => 'application/json' }}
+  let(:params)  {{ token: token.token }.to_json }
+  let(:parsed_body) { JSON.load(last_response.body) }
 
   describe "regenerating the API access token" do
-    before     { patch('/v3/access_token', {}, headers) }
-    example    { expect(last_response.status).to eq 200 }
-    example    { expect(Travis.redis.exists?("t:#{token}")).to be_falsey }
-    example    { expect(Travis.redis.exists?("t:#{parsed_body['token']}")).to be_truthy }
+    before do
+      patch('/v3/access_token', params, headers)
+    end
+
+    example { expect(last_response.status).to eq 200 }
+    example { expect(Travis.redis.exists?("t:#{token.token}")).to be_falsey }
+    example { expect(Travis.redis.exists?("t:#{parsed_body['token']}")).to be_truthy }
   end
 end

spec/v3/services/job/find_spec.rb

@@ -69,6 +69,7 @@
       "private"               => false,
       "restarted_at"          => nil,
       "restarted_by"          => nil,
+      "vm_size"               => nil,
       "build"                 => {
         "@type"               => "build",
         "@href"               => "/v3/build/#{build.id}",
@@ -158,7 +159,7 @@
 
   describe "fetching job on private repository, private API, authenticated as user with access" do
     let(:token)   { Travis::Api::App::AccessToken.create(user: repo.owner, app_id: 1) }
-    let(:headers) {{ 'HTTP_AUTHORIZATION' => "token #{token}"                        }}
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "token #{token}", 'CONTENT_TYPE' => 'application/json' }}
     before        { Travis::API::V3::Models::Permission.create(repository: repo, user: repo.owner, pull: true) }
     before        { repo.update_attribute(:private, true)                             }
     before        { allow_any_instance_of(Travis::API::V3::Permissions::Job).to receive(:delete_log?).and_return(true) }
@@ -191,6 +192,7 @@
       "private"               => false,
       "restarted_at"          => nil,
       "restarted_by"          => nil,
+      "vm_size"               => nil,
       "build"                 => {
         "@type"               => "build",
         "@href"               => "/v3/build/#{build.id}",
@@ -274,6 +276,7 @@
       "private"               => false,
       "restarted_at"          => nil,
       "restarted_by"          => nil,
+      "vm_size"               => nil,
       "build"                 => {
         "@type"               => "build",
         "@href"               => "/v3/build/#{build.id}",