From a86b288f4c8ccb8180baca589854027a34f29f7f Mon Sep 17 00:00:00 2001
From: Rolf Schmidt
Date: Thu, 25 Feb 2021 17:46:39 +0000
Subject: [PATCH] Fixes #3411 - Microsoft 365: The refresh token has expired due to inactivity. The token was issued on 2020-11-17T13:30:55.3656422Z and was inactive for 90.00:00:00.
---
 .gitlab-ci.yml | 8 ++++++++
 .gitlab/ci/pre.yml | 23 +++++++++++++++++++++++
 Gemfile | 3 +++
 Gemfile.lock | 2 ++
 lib/external_credential/microsoft365.rb | 7 +++----
 lib/tasks/zammad/ci/refresh_envs.rake | 24 ++++++++++++++++++++++++
 6 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 lib/tasks/zammad/ci/refresh_envs.rake
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0e623a43c..d4c793244 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -48,9 +48,17 @@ cache:
 key: "centos7ruby266"
 paths:
 - vendor/ruby
+ # ATTENTION: This should be a dedicated cache only used in the job "TODO".
+ # ATTENTION: Remember to update the global CI ENV setting with the latest
+ # version of the ENV from an artifact of the "TODO" job to use a valid key.
+ # A dedicated cache should be used because the ENVs are not bound to the Ruby version and OS.
+ # Unfortunately GitLab is not yet capable of having multiple cache-s per job
+ # See: https://gitlab.com/gitlab-org/gitlab/-/issues/32814
+ - fresh.env
 # Initialize application env
 before_script:
 - source /etc/profile.d/rvm.sh
+ - FRESHENVFILE=fresh.env && test -f $FRESHENVFILE && source $FRESHENVFILE
 - bundle install -j $(nproc) --path vendor
 - bundle exec ruby script/build/database_config.rb
diff --git a/.gitlab/ci/pre.yml b/.gitlab/ci/pre.yml
index 7a0e80845..a628d5a88 100644
--- a/.gitlab/ci/pre.yml
+++ b/.gitlab/ci/pre.yml
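Review bot: The new `before_script` line in `.gitlab-ci.yml` runs `source` on `fresh.env`, a file restored from the shared `centos7ruby266` cache, so whatever an earlier job left in that cache is executed as shell in every job that uses this `before_script` (which looks like the global one). The file is only meant to carry one `MICROSOFT365_REFRESH_TOKEN="…"` assignment, so reading that single value instead of sourcing the file keeps a stale or tampered cache entry from running commands, for example `- if [ -f fresh.env ]; then export MICROSOFT365_REFRESH_TOKEN="$(sed -n 's/^MICROSOFT365_REFRESH_TOKEN="\(.*\)"$/\1/p' fresh.env)"; fi`. The `if` form also avoids a non-zero status from `test -f` on a runner whose cache does not hold the file yet. The added comment already notes that a dedicated cache is wanted; until then the token sits in plaintext beside `vendor/ruby` for every job that restores this cache.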
@@ -33,3 +33,26 @@ github:
 - "" # no RVM present in deploy ENV
 script:
 - script/build/sync_repo.sh git@github.com:zammad/zammad.git
+
+global_refresh_envs:
+ extends:
+ - .tags_docker
+ - .services_postgresql
+ stage: pre
+ # ensure that only one Job runs in the whole project (branches etc.)
+ resource_group: global_refresh_envs
+ # allow download via the web UI to restore ENVs in case global cache got deleted (see: `.gitlab-ci.yml`)
+ artifacts:
+ expire_in: 1 day
+ paths:
+ - fresh.env
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ - if: '$CI_COMMIT_BRANCH =~ /^private/'
+ when: manual
+ allow_failure: true
+ - when: always
+
+ script:
+ - bundle exec rake zammad:ci:refresh_envs
diff --git a/Gemfile b/Gemfile
index 78d07aeb9..032282dee 100644
--- a/Gemfile
+++ b/Gemfile
@@ -206,6 +206,9 @@ group :development, :test do
 # image comparison in tests
 gem 'chunky_png'
+
+ # refresh ENVs in CI environment
+ gem 'dotenv', require: false
 end
 # Want to extend Zammad with additional gems?
diff --git a/Gemfile.lock b/Gemfile.lock
index 3a0a35bc5..1c6eb5cb3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -177,6 +177,7 @@ GEM
 unf (>= 0.0.5, < 1.0.0)
 doorkeeper (5.3.2)
 railties (>= 5)
+ dotenv (2.7.6)
 eco (1.0.0)
 coffee-script
 eco-source
@@ -603,6 +604,7 @@ DEPENDENCIES
 deprecation_toolkit
 diffy
 doorkeeper
+ dotenv
 eco
 em-websocket
 eventmachine
diff --git a/lib/external_credential/microsoft365.rb b/lib/external_credential/microsoft365.rb
index f7ada482b..869b52399 100644
--- a/lib/external_credential/microsoft365.rb
+++ b/lib/external_credential/microsoft365.rb
@@ -233,10 +233,9 @@ class ExternalCredential::Microsoft365
 raise "Request failed! ERROR: #{result['error']} (#{result['error_description']})"
 end
- token.merge(
- created_at: Time.zone.now,
- access_token: result['access_token'],
- ).symbolize_keys
+ token.merge(result.symbolize_keys).merge(
+ created_at: Time.zone.now,
+ )
 end
 def self.user_info(id_token)
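Review bot: In `.gitlab/ci/pre.yml`, the `artifacts` entry of `global_refresh_envs` publishes `fresh.env`, which the rake task fills with a live Microsoft 365 refresh token, so the credential can be downloaded from the job page by anyone allowed to read job artifacts for as long as the artifact is kept. If the GitLab version in use supports it, `public: false` under `artifacts:` narrows that audience; otherwise the restore path described in the comment could go through a protected, masked CI variable rather than an artifact. A comment on the job such as `# fresh.env contains a secret refresh token - keep expire_in short` would help whoever later changes the retention.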
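Review bot: In `lib/external_credential/microsoft365.rb`, the rewritten return value no longer symbolizes the keys of `token` itself: the removed code called `.symbolize_keys` on the merged hash, the new code only on `result`. If a caller passes a `token` with string keys, the returned hash would carry both `'access_token'` and `:access_token`, and code reading the string key would keep seeing the old value; `token.symbolize_keys.merge(result.symbolize_keys).merge(created_at: Time.zone.now)` keeps the earlier normalization. Merging the whole response also stores every field the token endpoint returns, so a `slice` limited to the keys the channel needs would be tighter, though which keys those are is not visible here. The enclosing method starts above this hunk.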
diff --git a/lib/tasks/zammad/ci/refresh_envs.rake b/lib/tasks/zammad/ci/refresh_envs.rake
new file mode 100644
index 000000000..10ce64d8d
--- /dev/null
+++ b/lib/tasks/zammad/ci/refresh_envs.rake
@@ -0,0 +1,24 @@
+require 'dotenv'
+
+namespace :zammad do
+
+ namespace :ci do
+
+ desc 'Re-fresh-es dynamic ENV variables'
+ task refresh_envs: :environment do
+
+ Dotenv.overload('fresh.env')
+
+ result = ExternalCredential::Microsoft365.refresh_token(
+ created_at: 30.days.ago,
+ client_id: ENV['MICROSOFT365_CLIENT_ID'],
+ client_secret: ENV['MICROSOFT365_CLIENT_SECRET'],
+ refresh_token: ENV['MICROSOFT365_REFRESH_TOKEN'],
+ )
+
+ token_env = %(MICROSOFT365_REFRESH_TOKEN="#{result[:refresh_token]}")
+
+ File.write(Rails.root.join('fresh.env'), token_env)
+ end
+ end
+end
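Review bot: `require 'dotenv'` on the first line of `lib/tasks/zammad/ci/refresh_envs.rake` runs whenever the rake tasks are loaded, but the Gemfile hunk puts `dotenv` in the `:development, :test` group, so an installation bundled without those groups would presumably raise `LoadError` on every rake invocation; moving `require 'dotenv'` to the first line inside the `refresh_envs` task body limits the dependency to the one task that needs it. The token is written between double quotes and the file is later read by `source` in the CI `before_script`, so a value containing `$`, a backtick or `"` would be expanded by the shell rather than taken literally; a comment stating the character set the token is expected to have, or escaping before the write, would make that assumption visible. `Dotenv.overload('fresh.env')` resolves against the working directory while the write uses `Rails.root.join('fresh.env')`, and using the same path for both would remove the reliance on where rake is started.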