Merge branch 'release-job-token' into 'master'

Allow JOB-TOKEN to perform all release REST API operations See merge request gitlab-org/gitlab!72448

Merge branch 'release-job-token' into 'master'
Allow JOB-TOKEN to perform all release REST API operations See merge request gitlab-org/gitlab!72448
5bd05f3c · Shinya Maeda · f83a51fc · 3cea963f · 5bd05f3c · 5bd05f3c
Commit 5bd05f3c authored Oct 27, 2021 by Shinya Maeda
6 changed files
--- a/doc/api/releases/index.md
+++ b/doc/api/releases/index.md
@@ -26,6 +26,8 @@ For authentication, the Releases API accepts either:

 ## List Releases

+> [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72448) to allow for `JOB-TOKEN` in GitLab 14.5.
+
 Paginated list of Releases, sorted by `released_at`.

 ```plaintext
@@ -231,6 +233,8 @@ Example response:

 ## Get a Release by a tag name

+> [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72448) to allow for `JOB-TOKEN` in GitLab 14.5.
+
 Get a Release for the given tag.

 ```plaintext
@@ -508,7 +512,8 @@ adding milestones for ancestor groups raises an error.

 ## Collect release evidence **(PREMIUM SELF)**

-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/199065) in GitLab 12.10.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/199065) in GitLab 12.10.
+> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72448) to allow for `JOB-TOKEN` in GitLab 14.5.

 Create Evidence for an existing Release.

@@ -535,6 +540,8 @@ Example response:

 ## Update a release

+> [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72448) to allow for `JOB-TOKEN` in GitLab 14.5.
+
 Update a release. Developer level access to the project is required to update a release.

 ```plaintext
@@ -642,6 +649,8 @@ Example response:

 ## Delete a Release

+> [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72448) to allow for `JOB-TOKEN` in GitLab 14.5.
+
 Delete a release. Deleting a release doesn't delete the associated tag. Maintainer level access to the project is required to delete a release.

 ```plaintext

--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -20,7 +20,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints
 - [Get job artifacts](../../api/job_artifacts.md#get-job-artifacts).
 - [Get job token's job](../../api/jobs.md#get-job-tokens-job).
 - [Pipeline triggers](../../api/pipeline_triggers.md), using the `token=` parameter.
- [Release creation](../../api/releases/index.md#create-a-release).
+- [Releases](../../api/releases/index.md).
 - [Terraform plan](../../user/infrastructure/index.md).

 The token has the same permissions to access the API as the user that executes the

--- a/ee/lib/ee/api/releases.rb
+++ b/ee/lib/ee/api/releases.rb
@@ -14,6 +14,7 @@ module EE
          params do
            requires :tag_name, type: String, desc: 'The name of the tag', as: :tag
          end
+          route_setting :authentication, job_token_allowed: true
          post ':id/releases/:tag_name/evidence', requirements: ::API::Releases::RELEASE_ENDPOINT_REQUIREMENTS do
            authorize_create_evidence!


--- a/ee/spec/requests/api/releases_spec.rb
+++ b/ee/spec/requests/api/releases_spec.rb
@@ -270,6 +270,14 @@ RSpec.describe API::Releases do
      expect(response).to have_gitlab_http_status(:accepted)
    end

+    it 'accepts the request when using JOB-TOKEN auth' do
+      job = create(:ci_build, :running, project: project, user: maintainer)
+
+      post api("/projects/#{project.id}/releases/#{tag_name}/evidence"), params: { job_token: job.token }
+
+      expect(response).to have_gitlab_http_status(:accepted)
+    end
+
    it 'creates the Evidence', :sidekiq_inline do
      expect do
        post api("/projects/#{project.id}/releases/#{tag_name}/evidence", maintainer)

--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -32,6 +32,7 @@ module API
        optional :include_html_description, type: Boolean,
                               desc: 'If `true`, a response includes HTML rendered markdown of the release description.'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/releases' do
        releases = ::ReleasesFinder.new(user_project, current_user, declared_params.slice(:order_by, :sort)).execute

@@ -59,6 +60,7 @@ module API
        optional :include_html_description, type: Boolean,
                               desc: 'If `true`, a response includes HTML rendered markdown of the release description.'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do
        authorize_download_code!

@@ -117,6 +119,7 @@ module API
        optional :released_at, type: DateTime, desc: 'The date when the release will be/was ready.'
        optional :milestones,  type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The titles of the related milestones'
      end
+      route_setting :authentication, job_token_allowed: true
      put ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do
        authorize_update_release!

@@ -142,6 +145,7 @@ module API
      params do
        requires :tag_name, type: String, desc: 'The name of the tag', as: :tag
      end
+      route_setting :authentication, job_token_allowed: true
      delete ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do
        authorize_destroy_release!


--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -42,6 +42,14 @@ RSpec.describe API::Releases do
        expect(response).to have_gitlab_http_status(:ok)
      end

+      it 'returns 200 HTTP status when using JOB-TOKEN auth' do
+        job = create(:ci_build, :running, project: project, user: maintainer)
+
+        get api("/projects/#{project.id}/releases"), params: { job_token: job.token }
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
      it 'returns releases ordered by released_at' do
        get api("/projects/#{project.id}/releases", maintainer)

@@ -316,6 +324,14 @@ RSpec.describe API::Releases do
        expect(response).to have_gitlab_http_status(:ok)
      end

+      it 'returns 200 HTTP status when using JOB-TOKEN auth' do
+        job = create(:ci_build, :running, project: project, user: maintainer)
+
+        get api("/projects/#{project.id}/releases/v0.1"), params: { job_token: job.token }
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
      it 'returns a release entry' do
        get api("/projects/#{project.id}/releases/v0.1", maintainer)

@@ -1008,6 +1024,14 @@ RSpec.describe API::Releases do
      expect(response).to have_gitlab_http_status(:ok)
    end

+    it 'accepts the request when using JOB-TOKEN auth' do
+      job = create(:ci_build, :running, project: project, user: maintainer)
+
+      put api("/projects/#{project.id}/releases/v0.1"), params: params.merge(job_token: job.token)
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
    it 'updates the description' do
      put api("/projects/#{project.id}/releases/v0.1", maintainer), params: params

@@ -1220,6 +1244,14 @@ RSpec.describe API::Releases do
      expect(response).to have_gitlab_http_status(:ok)
    end

+    it 'accepts the request when using JOB-TOKEN auth' do
+      job = create(:ci_build, :running, project: project, user: maintainer)
+
+      delete api("/projects/#{project.id}/releases/v0.1"), params: { job_token: job.token }
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+
    it 'destroys the release' do
      expect do
        delete api("/projects/#{project.id}/releases/v0.1", maintainer)