
Fixes #3411 - Microsoft 365: The refresh token has expired due to inactivity. The token was issued on 2020-11-17T13:30:55.3656422Z and was inactive for 90.00:00:00.

Rolf Schmidt 4 years ago
parent
commit
a86b288f4c
6 changed files with 63 additions and 4 deletions
  1. 8 0
      .gitlab-ci.yml
  2. 23 0
      .gitlab/ci/pre.yml
  3. 3 0
      Gemfile
  4. 2 0
      Gemfile.lock
  5. 3 4
      lib/external_credential/microsoft365.rb
  6. 24 0
      lib/tasks/zammad/ci/refresh_envs.rake

+ 8 - 0
.gitlab-ci.yml

@@ -48,9 +48,17 @@ cache:
   key: "centos7ruby266"
   paths:
     - vendor/ruby
+    # ATTENTION: This should be a dedicated cache only used in the job "TODO".
+    # ATTENTION: Remember to update the global CI ENV setting with the latest
+    #   version of the ENV from an artifact of the "TODO" job to use a valid key.
+    # A dedicated cache should be used because the ENVs are not bound to the Ruby version and OS.
+    # Unfortunately GitLab is not yet capable of having multiple cache-s per job
+    # See: https://gitlab.com/gitlab-org/gitlab/-/issues/32814
+    - fresh.env
 
 # Initialize application env
 before_script:
   - source /etc/profile.d/rvm.sh
+  - FRESHENVFILE=fresh.env && test -f $FRESHENVFILE && source $FRESHENVFILE
   - bundle install -j $(nproc) --path vendor
   - bundle exec ruby script/build/database_config.rb
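Review bot: The added `source $FRESHENVFILE` line in `before_script` executes whatever the cached `fresh.env` contains as shell in every job, and the file sits in the general `centos7ruby266` cache rather than the dedicated cache the new comment asks for. Any job that can write this cache can therefore alter what later jobs execute, and the file carries a live refresh token in plaintext. Reading only the expected variable avoids executing the file, e.g. `- test -f fresh.env && export MICROSOFT365_REFRESH_TOKEN="$(sed -n 's/^MICROSOFT365_REFRESH_TOKEN="\(.*\)"$/\1/p' fresh.env)"`. The `before_script` list continues outside the hunk.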

+ 23 - 0
.gitlab/ci/pre.yml

@@ -33,3 +33,26 @@ github:
     - "" # no RVM present in deploy ENV
   script:
     - script/build/sync_repo.sh git@github.com:zammad/zammad.git
+
+global_refresh_envs:
+  extends:
+    - .tags_docker
+    - .services_postgresql
+  stage: pre
+  # ensure that only one Job runs in the whole project (branches etc.)
+  resource_group: global_refresh_envs
+  # allow download via the web UI to restore ENVs in case global cache got deleted (see: `.gitlab-ci.yml`)
+  artifacts:
+    expire_in: 1 day
+    paths:
+    - fresh.env
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    - if: '$CI_COMMIT_BRANCH =~ /^private/'
+      when: manual
+      allow_failure: true
+    - when: always
+
+  script:
+    - bundle exec rake zammad:ci:refresh_envs
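Review bot: The `artifacts` entry of `global_refresh_envs` publishes `fresh.env`, which holds the current Microsoft 365 refresh token in plaintext, to everyone who is allowed to download job artifacts for this project. The final `when: always` rule also runs the job on every branch that is neither a merge request nor `private*`, so the token is refreshed by whatever code that branch carries. Consider limiting the job to protected branches and restricting who can fetch the artifact (for example `public: false` under `artifacts`, if the GitLab version in use supports it). Alternatively, store the refreshed value in a masked, protected CI/CD variable instead of a file.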

+ 3 - 0
Gemfile

@@ -206,6 +206,9 @@ group :development, :test do
 
   # image comparison in tests
   gem 'chunky_png'
+
+  # refresh ENVs in CI environment
+  gem 'dotenv', require: false
 end
 
 # Want to extend Zammad with additional gems?

+ 2 - 0
Gemfile.lock

@@ -177,6 +177,7 @@ GEM
       unf (>= 0.0.5, < 1.0.0)
     doorkeeper (5.3.2)
       railties (>= 5)
+    dotenv (2.7.6)
     eco (1.0.0)
       coffee-script
       eco-source
@@ -603,6 +604,7 @@ DEPENDENCIES
   deprecation_toolkit
   diffy
   doorkeeper
+  dotenv
   eco
   em-websocket
   eventmachine

+ 3 - 4
lib/external_credential/microsoft365.rb

@@ -233,10 +233,9 @@ class ExternalCredential::Microsoft365
       raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"
     end
 
-    token.merge(
-      created_at:   Time.zone.now,
-      access_token: result['access_token'],
-    ).symbolize_keys
+    token.merge(result.symbolize_keys).merge(
+      created_at: Time.zone.now,
+    )
   end
 
   def self.user_info(id_token)
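Review bot: The stored `token` hash is no longer symbolized, because `symbolize_keys` moved from the merged hash onto `result` alone. If a caller passes `token` with string keys (not visible in this hunk), the old `'refresh_token'` entry would survive next to the new `:refresh_token`, and the stale value could still be persisted. `token.symbolize_keys.merge(result.symbolize_keys).merge(` keeps the earlier return shape. The whole token-endpoint response is now merged as well, so any field it returns can overwrite a stored one; `result.symbolize_keys.slice(:access_token, :refresh_token)` would be tighter, assuming no other response field is needed downstream. The method starts above the hunk.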

+ 24 - 0
lib/tasks/zammad/ci/refresh_envs.rake

@@ -0,0 +1,24 @@
+require 'dotenv'
+
+namespace :zammad do
+
+  namespace :ci do
+
+    desc 'Re-fresh-es dynamic ENV variables'
+    task refresh_envs: :environment do
+
+      Dotenv.overload('fresh.env')
+
+      result = ExternalCredential::Microsoft365.refresh_token(
+        created_at:    30.days.ago,
+        client_id:     ENV['MICROSOFT365_CLIENT_ID'],
+        client_secret: ENV['MICROSOFT365_CLIENT_SECRET'],
+        refresh_token: ENV['MICROSOFT365_REFRESH_TOKEN'],
+      )
+
+      token_env = %(MICROSOFT365_REFRESH_TOKEN="#{result[:refresh_token]}")
+
+      File.write(Rails.root.join('fresh.env'), token_env)
+    end
+  end
+end
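Review bot: `result[:refresh_token]` is written to `fresh.env` without checking that it is present, so a response lacking a refresh token would store `MICROSOFT365_REFRESH_TOKEN=""`. The `before_script` in `.gitlab-ci.yml` would then replace the valid CI variable with an empty one in later jobs. A guard such as `raise 'no refresh token returned' if result[:refresh_token].blank?` before building `token_env` avoids that. The file holds a secret but is created with default permissions; `File.write(Rails.root.join('fresh.env'), token_env, perm: 0o600)` narrows them. `Dotenv.overload('fresh.env')` resolves against the working directory while the write uses `Rails.root`, so both should use the same path.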