Allow Runner to access Releases API

Part of https://gitlab.com/gitlab-org/gitlab/issues/26013 See merge request https://gitlab.com/gitlab-org/gitlab/merge_requests/20632

Allow Runner to access Releases API
Part of https://gitlab.com/gitlab-org/gitlab/issues/26013 See merge request https://gitlab.com/gitlab-org/gitlab/merge_requests/20632
27d5526e · Sean Carroll · d1b475fd · 27d5526e · 27d5526e · 27d5526e
Commit 27d5526e authored Dec 11, 2019 by Sean Carroll
3 changed files
--- a/changelogs/unreleased/26013-release-generation-from-within-gitlab-ci-yml-6.yml
+++ b/changelogs/unreleased/26013-release-generation-from-within-gitlab-ci-yml-6.yml
+---
+title: Allow Job-Token authentication on Releases creation API
+merge_request: 20632
+author:
+type: added
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -57,6 +57,7 @@ module API
        optional :milestones, type: Array, desc: 'The titles of the related milestones', default: []
        optional :released_at, type: DateTime, desc: 'The date when the release will be/was ready. Defaults to the current time.'
      end
+      route_setting :authentication, job_token_allowed: true
      post ':id/releases' do
        authorize_create_release!


--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -558,6 +558,43 @@ describe API::Releases do
      end
    end

+    context 'when using JOB-TOKEN auth' do
+      let(:job) { create(:ci_build, user: maintainer) }
+      let(:params) do
+        {
+          name: 'Another release',
+          tag_name: 'v0.2',
+          description: 'Another nice release',
+          released_at: '2019-04-25T10:00:00+09:00'
+        }
+      end
+
+      context 'when no token is provided' do
+        it 'returns a :not_found error' do
+          post api("/projects/#{project.id}/releases"), params: params
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'when an invalid token is provided' do
+        it 'returns an :unauthorized error' do
+          post api("/projects/#{project.id}/releases"), params: params.merge(job_token: 'yadayadayada')
+
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
+      end
+
+      context 'when a valid token is provided' do
+        it 'creates the release' do
+          post api("/projects/#{project.id}/releases"), params: params.merge(job_token: job.token)
+
+          expect(response).to have_gitlab_http_status(:created)
+          expect(project.releases.last.description).to eq('Another nice release')
+        end
+      end
+    end
+
    context 'when tag does not exist in git repository' do
      let(:params) do
        {