Merge branch 'if-492968-add_rotated_tokens_to_resource_access_token_factory' into 'master'

Change default factory for resource access tokens See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167036 Merged-by: Drew Blessing <drew@gitlab.com> Approved-by: Drew Blessing <drew@gitlab.com> Reviewed-by: Bogdan Denkovych <bdenkovych@gitlab.com> Co-authored-by: Bogdan Denkovych <bdenkovych@gitlab.com> Co-authored-by: Imre Farkas <ifarkas@gitlab.com>

Merge branch 'if-492968-add_rotated_tokens_to_resource_access_token_factory' into 'master'
e36e0581 · Drew Blessing · GitLab · 01351f48 · 842044fd · e36e0581
--- a/spec/factories/personal_access_tokens.rb
+++ b/spec/factories/personal_access_tokens.rb
@@ -47,5 +47,35 @@

  factory :resource_access_token, parent: :personal_access_token do
    user { association :user, :project_bot }
+
+    transient do
+      rotated_at { 6.months.ago }
+      resource { create(:group) } # rubocop:disable RSpec/FactoryBot/InlineAssociation -- this is not direct association of the factory created here
+      access_level { Gitlab::Access::DEVELOPER }
+    end
+
+    after(:create) do |token, evaluator|
+      if Feature.enabled?(:retain_resource_access_token_user_after_revoke, evaluator.resource.root_ancestor)
+        evaluator.resource.add_member(token.user, evaluator.access_level)
+      else
+        evaluator.resource.add_member(token.user, evaluator.access_level, expires_at: token.expires_at)
+      end
+    end
+
+    trait :with_rotated_token do
+      after(:create) do |token, evaluator|
+        rotated_at = evaluator.rotated_at
+        previous_access_token = create( # rubocop:disable RSpec/FactoryBot/StrategyInCallback -- this is not direct association of the factory created here
+          :personal_access_token,
+          :revoked,
+          user: token.user,
+          created_at: rotated_at - 6.months,
+          expires_at: rotated_at,
+          updated_at: rotated_at
+        )
+
+        token.update!(previous_personal_access_token_id: previous_access_token.id)
+      end
+    end
  end
 end
--- a/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb
+++ b/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb
@@ -101,6 +101,12 @@
        create(:resource_access_token, updated_at: cut_off)
      non_revoked_resource_access_token_updated_after_cut_off =
        create(:personal_access_token, updated_at: cut_off + 1.second)
+      resource_access_token_with_rotated_token_before_cut_off =
+        create(:resource_access_token, :with_rotated_token, rotated_at: cut_off - 1.second)
+      resource_access_token_with_rotated_token_at_cut_off =
+        create(:resource_access_token, :with_rotated_token, rotated_at: cut_off)
+      resource_access_token_with_rotated_token_after_cut_off =
+        create(:resource_access_token, :with_rotated_token, rotated_at: cut_off + 1.second)

      tokens_to_keep = [
        active_personal_access_token,
@@ -121,13 +127,18 @@
        resource_access_token_revoked_after_cut_off,
        non_revoked_resource_access_token_updated_before_cut_off,
        non_revoked_resource_access_token_updated_at_cut_off,
-        non_revoked_resource_access_token_updated_after_cut_off
+        non_revoked_resource_access_token_updated_after_cut_off,
+        resource_access_token_with_rotated_token_at_cut_off,
+        resource_access_token_with_rotated_token_after_cut_off
      ]
      users_to_keep = tokens_to_keep.map(&:user)

      tokens_to_delete = [
        resource_access_token_expired_before_cut_off,
-        resource_access_token_revoked_before_cut_off
+        resource_access_token_revoked_before_cut_off,
+        # This token should be kept.
+        # See bug related to https://gitlab.com/gitlab-org/gitlab/-/issues/492871
+        resource_access_token_with_rotated_token_before_cut_off
      ]
      users_to_delete = tokens_to_delete.map(&:user)