fix: make groupaccesstokens expirydate nullable (#241)

raweber42 · web-flow · commit dca305e0c6f6 · 2025-11-26T14:39:03.000+01:00
* fix: make groupaccesstokens expirydate nullable

Signed-off-by: ralf.weber &lt;ralf.weber@cistec.com&gt;

* fix: Remove hard-coded expiry default

Signed-off-by: ralf.weber &lt;ralf.weber@cistec.com&gt;

---------

Signed-off-by: ralf.weber &lt;ralf.weber@cistec.com&gt;
diff --git a/apis/cluster/groups/v1alpha1/zz_accesstoken_types.go b/apis/cluster/groups/v1alpha1/zz_accesstoken_types.go
diff --git a/apis/namespaced/groups/v1alpha1/accesstoken_types.go b/apis/namespaced/groups/v1alpha1/accesstoken_types.go
@@ -41,10 +41,10 @@ type AccessTokenParameters struct {
 	GroupIDSelector *xpv1.NamespacedSelector `json:"groupIdSelector,omitempty"`
 
 	// Expiration date of the access token. The date cannot be set later than the maximum allowable lifetime of an access token.
-	// If not set, the maximum allowable lifetime of a personal access token is 365 days.
+	// If not set, the maximum allowable lifetime of a group access token is configured to the maximum allowable lifetime limit.
 	// Expected in ISO 8601 format (2019-03-15T08:00:00Z)
 	// +immutable
-	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
+	ExpiresAt *metav1.Time `json:"expiresAt"`
 
 	// Access level for the group. Default is 40.
 	// Valid values are 10 (Guest), 20 (Reporter), 30 (Developer), 40 (Maintainer), and 50 (Owner).
diff --git a/package/crds/groups.gitlab.crossplane.io_accesstokens.yaml b/package/crds/groups.gitlab.crossplane.io_accesstokens.yaml
@@ -81,7 +81,7 @@ spec:
                   expiresAt:
                     description: |-
                       Expiration date of the access token. The date cannot be set later than the maximum allowable lifetime of an access token.
-                      If not set, the maximum allowable lifetime of a personal access token is 365 days.
+                      If not set, the maximum allowable lifetime of a group access token is configured to the maximum allowable lifetime limit.
                       Expected in ISO 8601 format (2019-03-15T08:00:00Z)
                     format: date-time
                     type: string
@@ -177,6 +177,7 @@ spec:
                       type: string
                     type: array
                 required:
+                - expiresAt
                 - name
                 - scopes
                 type: object
diff --git a/package/crds/groups.gitlab.m.crossplane.io_accesstokens.yaml b/package/crds/groups.gitlab.m.crossplane.io_accesstokens.yaml
@@ -67,7 +67,7 @@ spec:
                   expiresAt:
                     description: |-
                       Expiration date of the access token. The date cannot be set later than the maximum allowable lifetime of an access token.
-                      If not set, the maximum allowable lifetime of a personal access token is 365 days.
+                      If not set, the maximum allowable lifetime of a group access token is configured to the maximum allowable lifetime limit.
                       Expected in ISO 8601 format (2019-03-15T08:00:00Z)
                     format: date-time
                     type: string
@@ -169,6 +169,7 @@ spec:
                       type: string
                     type: array
                 required:
+                - expiresAt
                 - name
                 - scopes
                 type: object
diff --git a/pkg/cluster/clients/groups/zz_accesstoken_test.go b/pkg/cluster/clients/groups/zz_accesstoken_test.go
diff --git a/pkg/namespaced/clients/groups/accesstoken_test.go b/pkg/namespaced/clients/groups/accesstoken_test.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2021 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package groups
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	gitlab "gitlab.com/gitlab-org/api/client-go"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/crossplane-contrib/provider-gitlab/apis/namespaced/groups/v1alpha1"
+)
+
+func TestGenerateCreateGroupAccessTokenOptions(t *testing.T) {
+	name := "Name"
+	var expiresAt time.Time
+	scopes := []string{"scope1", "scope2"}
+	accessLevel := 40
+	type args struct {
+		name       string
+		parameters *v1alpha1.AccessTokenParameters
+	}
+	cases := map[string]struct {
+		args args
+		want *gitlab.CreateGroupAccessTokenOptions
+	}{
+		"AllFields": {
+			args: args{
+				name: name,
+				parameters: &v1alpha1.AccessTokenParameters{
+					Name:        name,
+					AccessLevel: (*v1alpha1.AccessLevelValue)(&accessLevel),
+					ExpiresAt:   &v1.Time{Time: expiresAt},
+					Scopes:      scopes,
+				},
+			},
+			want: &gitlab.CreateGroupAccessTokenOptions{
+				Name:        &name,
+				AccessLevel: (*gitlab.AccessLevelValue)(&accessLevel),
+				ExpiresAt:   (*gitlab.ISOTime)(&expiresAt),
+				Scopes:      &scopes,
+			},
+		},
+		"noExpiresAt": {
+			args: args{
+				name: name,
+				parameters: &v1alpha1.AccessTokenParameters{
+					Name:        name,
+					AccessLevel: (*v1alpha1.AccessLevelValue)(&accessLevel),
+					ExpiresAt:   nil,
+					Scopes:      scopes,
+				},
+			},
+			want: &gitlab.CreateGroupAccessTokenOptions{
+				Name:        &name,
+				AccessLevel: (*gitlab.AccessLevelValue)(&accessLevel),
+				ExpiresAt:   nil,
+				Scopes:      &scopes,
+			},
+		},
+	}
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			got := GenerateCreateGroupAccessTokenOptions(tc.args.name, tc.args.parameters)
+
+			// Compare fields individually since gitlab.ISOTime has unexported fields
+			if tc.want.Name != nil && got.Name != nil && *tc.want.Name != *got.Name {
+				t.Errorf("Name: want %v, got %v", *tc.want.Name, *got.Name)
+			}
+
+			if tc.want.AccessLevel != nil && got.AccessLevel != nil && *tc.want.AccessLevel != *got.AccessLevel {
+				t.Errorf("AccessLevel: want %v, got %v", *tc.want.AccessLevel, *got.AccessLevel)
+			}
+
+			if tc.want.ExpiresAt != nil && got.ExpiresAt != nil {
+				wantTime := time.Time(*tc.want.ExpiresAt)
+				gotTime := time.Time(*got.ExpiresAt)
+				wantDay := wantTime.Truncate(24 * time.Hour)
+				gotDay := gotTime.Truncate(24 * time.Hour)
+				if !wantDay.Equal(gotDay) {
+					t.Errorf("ExpiresAt: want %v, got %v", wantDay, gotDay)
+				}
+			} else if tc.want.ExpiresAt != got.ExpiresAt {
+				t.Errorf("ExpiresAt: want %v, got %v", tc.want.ExpiresAt, got.ExpiresAt)
+			}
+
+			if diff := cmp.Diff(tc.want.Scopes, got.Scopes); diff != "" {
+				t.Errorf("Scopes: -want, +got:\n%s", diff)
+			}
+		})
+	}
+}
