notify on expiring and expired tokens

Author: mawinter69

core/src/main/java/hudson/model/userproperty/UserPropertyCategorySecurityAction.java

@@ -34,7 +34,9 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import jenkins.management.Badge;
 import jenkins.model.Jenkins;
+import jenkins.security.ApiTokenProperty;
 import org.jenkinsci.Symbol;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -64,6 +66,14 @@ public String getUrlName() {
         return UserProperty.allByCategoryClass(UserPropertyCategory.Security.class);
     }
 
+    public Badge getBadge() {
+        ApiTokenProperty apiTokenProperty = getTargetUser().getProperty(ApiTokenProperty.class);
+        if (apiTokenProperty != null) {
+            return apiTokenProperty.getBadge();
+        }
+        return null;
+    }
+
     /**
      * Inject the outer class configuration page into the sidenav and the request routing of the user
      */

core/src/main/java/jenkins/model/navigation/UserAction.java

@@ -32,6 +32,8 @@
 import hudson.model.User;
 import java.util.ArrayList;
 import java.util.List;
+import jenkins.management.Badge;
+import jenkins.security.ApiTokenProperty;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 
@@ -80,6 +82,20 @@ public User getUser() {
         return User.current();
     }
 
+    @Override
+    public Badge getBadge() {
+        User current = User.current();
+
+        if (User.current() == null) {
+            return null;
+        }
+        ApiTokenProperty apiTokenProperty = current.getProperty(ApiTokenProperty.class);
+        if (apiTokenProperty != null) {
+            return apiTokenProperty.getBadge();
+        }
+        return null;
+    }
+
     @Override
     public boolean isPrimaryAction() {
         return true;

core/src/main/java/jenkins/security/ApiTokenProperty.java

@@ -52,6 +52,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
+import jenkins.management.Badge;
 import jenkins.model.Jenkins;
 import jenkins.security.apitoken.ApiTokenPropertyConfiguration;
 import jenkins.security.apitoken.ApiTokenStats;
@@ -258,6 +259,7 @@ public static class TokenInfoAndStats {
         public final long numDaysUse;
         public final String expirationDate;
         public final boolean expired;
+        public final boolean aboutToExpire;
 
         public TokenInfoAndStats(@NonNull ApiTokenStore.HashedToken token, @NonNull ApiTokenStats.SingleTokenStats stats) {
             this.uuid = token.getUuid();
@@ -266,6 +268,7 @@ public TokenInfoAndStats(@NonNull ApiTokenStore.HashedToken token, @NonNull ApiT
             this.numDaysCreation = token.getNumDaysCreation();
             this.isLegacy = token.isLegacy();
             this.expired = token.isExpired();
+            this.aboutToExpire = token.isAboutToExpire();
 
             LocalDate expirationDate = token.getExpirationDate();
             if (expirationDate == null) {
@@ -795,4 +798,25 @@ public HttpResponse doRevokeAllExcept(@AncestorInPath User u,
     @Deprecated
     @Restricted(NoExternalUse.class)
     public static final HMACConfidentialKey API_KEY_SEED = new HMACConfidentialKey(ApiTokenProperty.class, "seed", 16);
+
+    @Restricted(NoExternalUse.class)
+    public Badge getBadge() {
+        long expiringTokenCount = getTokenList().stream().filter(t -> t.aboutToExpire && !t.expired).count();
+        long expiredTokenCount = getTokenList().stream().filter(t -> t.expired).count();
+        StringBuilder tooltip = new StringBuilder();
+        if (expiringTokenCount > 0) {
+            tooltip.append(jenkins.model.navigation.Messages.UserAction_aboutToExpireTokens(expiringTokenCount));
+        }
+        if (expiredTokenCount > 0) {
+            if (expiringTokenCount > 0) {
+                tooltip.append("\n");
+            }
+            tooltip.append(jenkins.model.navigation.Messages.UserAction_expiredTokens(expiredTokenCount));
+        }
+        if (expiredTokenCount + expiringTokenCount > 0) {
+            return new Badge(Long.toString(expiringTokenCount + expiredTokenCount), tooltip.toString(), Badge.Severity.WARNING);
+        } else {
+            return null;
+        }
+    }
 }

core/src/main/java/jenkins/security/apitoken/ApiTokenStore.java

@@ -433,6 +433,14 @@ public void rename(String newName) {
             this.name = newName;
         }
 
+        public boolean isAboutToExpire() {
+            if (expirationDate == null) {
+                return false;
+            }
+            LocalDate warnLimit = LocalDate.now().plusDays(7);
+            return expirationDate.isBefore(warnLimit);
+        }
+
         public boolean isExpired() {
             LocalDate now = LocalDate.now();
             LocalDate expiration = Objects.requireNonNullElseGet(expirationDate, LocalDate::now);

core/src/main/resources/jenkins/model/navigation/Messages.properties

@@ -0,0 +1,2 @@
+UserAction.expiredTokens={0} expired tokens.
+UserAction.aboutToExpireTokens={0} tokens about to expire.

core/src/main/resources/jenkins/model/navigation/UserAction/jumplist.jelly

@@ -15,7 +15,8 @@
     <j:forEach var="action" items="${it.actions}">
       <dd:item icon="${action.iconFileName}"
                text="${action.displayName}"
-               href="${rootURL}/${it.user.url}/${action.urlName}" />
+               href="${rootURL}/${it.user.url}/${action.urlName}"
+               badge="${action.badge}"/>
     </j:forEach>
 
     <dd:separator />

core/src/main/resources/jenkins/security/ApiTokenProperty/config.jelly

@@ -175,7 +175,7 @@ THE SOFTWARE.
                                             </span>
                                         </j:when>
                                         <j:otherwise>
-                                            <span>
+                                            <span class="${token.aboutToExpire ? 'warning' : ''}">
                                                 ${%tokenExpiresOn(token.expirationDate)}
                                             </span>
                                         </j:otherwise>

core/src/main/resources/jenkins/security/ApiTokenProperty/resources.js

@@ -109,6 +109,7 @@ function appendTokenToTable(data) {
   apiTokenRow.querySelector(".token-name").innerText = data.tokenName;
   tokenShowButton.dataset.tokenValue = data.tokenValue;
   tokenShowButton.dataset.title = data.tokenName;
+  tokenShowButton.dataset.expirationDate = data.expirationDate;
   tokenShowButton.classList.remove("jenkins-hidden");
   tokenList.appendChild(apiTokenRow);
   adjustTokenEmptyListMessage();
@@ -333,6 +334,7 @@ Behaviour.specify(
       showToken(
         button.dataset.title,
         button.dataset.tokenValue,
+        button.dataset.expirationDate,
         button.dataset.buttonDone,
       );
     };

core/src/main/resources/lib/hudson/actions.jelly

@@ -46,7 +46,7 @@ THE SOFTWARE.
             </l:task>
           </j:when>
           <j:otherwise>
-            <l:task icon="${icon}" title="${action.displayName}" href="${h.getActionUrl(it.url,action)}" contextMenu="${h.isContextMenuVisible(action)}"/>
+            <l:task icon="${icon}" title="${action.displayName}" href="${h.getActionUrl(it.url,action)}" contextMenu="${h.isContextMenuVisible(action)}" badge="${action.badge}"/>
           </j:otherwise>
         </j:choose>
       </j:if>