Commit 7dca878b authored by Matthias Käppler's avatar Matthias Käppler

Merge branch 'runner-token-expiration-api' into 'master'

API: Add functionality for runner token expiration

See merge request gitlab-org/gitlab!78941
parents a77bef6d ab82bbf4
......@@ -425,7 +425,10 @@ module ApplicationSettingsHelper
:suggest_pipeline_enabled,
:user_email_lookup_limit,
:users_get_by_id_limit,
:users_get_by_id_limit_allowlist_raw
:users_get_by_id_limit_allowlist_raw,
:runner_token_expiration_interval,
:group_runner_token_expiration_interval,
:project_runner_token_expiration_interval
].tap do |settings|
settings << :deactivate_dormant_users unless Gitlab.com?
end
......
......@@ -679,7 +679,8 @@ Example response:
```json
{
"id": 12345,
"token": "6337ff461c94fd3fa32ba3b1ff4125"
"token": "6337ff461c94fd3fa32ba3b1ff4125",
"token_expires_at": "2021-09-27T21:05:03.203Z"
}
```
......@@ -819,6 +820,7 @@ Example response:
```json
{
"token": "6337ff461c94fd3fa32ba3b1ff4125"
"token": "6337ff461c94fd3fa32ba3b1ff4125",
"token_expires_at": "2021-09-27T21:05:03.203Z"
}
```
......@@ -143,7 +143,7 @@ module API
authenticate_update_runner!(runner)
runner.reset_token!
present runner.token, with: Entities::Ci::ResetTokenResult
present runner.token_with_expiration, with: Entities::Ci::ResetTokenResult
end
end
......@@ -249,7 +249,7 @@ module API
authorize! :update_runners_registration_token
ApplicationSetting.current.reset_runners_registration_token!
present ApplicationSetting.current_without_cache.runners_registration_token, with: Entities::Ci::ResetTokenResult
present ApplicationSetting.current_without_cache.runners_registration_token_with_expiration, with: Entities::Ci::ResetTokenResult
end
end
......@@ -267,7 +267,7 @@ module API
authorize! :update_runners_registration_token, project
project.reset_runners_token!
present project.runners_token, with: Entities::Ci::ResetTokenResult
present project.runners_token_with_expiration, with: Entities::Ci::ResetTokenResult
end
end
......@@ -285,7 +285,7 @@ module API
authorize! :update_runners_registration_token, group
group.reset_runners_token!
present group.runners_token, with: Entities::Ci::ResetTokenResult
present group.runners_token_with_expiration, with: Entities::Ci::ResetTokenResult
end
end
......
......@@ -4,7 +4,8 @@ module API
module Entities
module Ci
class ResetTokenResult < Grape::Entity
expose(:token) {|object| object}
expose(:token)
expose(:token_expires_at, if: -> (object, options) { object.expirable? })
end
end
end
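Review bot: `ResetTokenResult` now needs its object to respond to `token`, `token_expires_at` and `expirable?`, but nothing on the class says so, and before this change it accepted a bare token string. I would add a comment above the class such as `# Expects a token wrapper responding to #token, #token_expires_at and #expirable?; a plain String is no longer accepted.` so a later caller does not pass `runner.token` directly. The `options` parameter of the `if:` lambda is unused; `->(object, _options) { object.expirable? }` makes that explicit while keeping the two-argument arity.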
......
......@@ -4,7 +4,7 @@ module API
module Entities
module Ci
class RunnerRegistrationDetails < Grape::Entity
expose :id, :token
expose :id, :token, :token_expires_at
end
end
end
......
......@@ -178,6 +178,9 @@ module API
optional :user_deactivation_emails_enabled, type: Boolean, desc: 'Send emails to users upon account deactivation'
optional :suggest_pipeline_enabled, type: Boolean, desc: 'Enable pipeline suggestion banner'
optional :users_get_by_id_limit, type: Integer, desc: "Maximum number of calls to the /users/:id API per 10 minutes per user. Set to 0 for unlimited requests."
optional :runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for shared runners, in seconds'
optional :group_runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for group runners, in seconds'
optional :project_runner_token_expiration_interval, type: Integer, desc: 'Token expiration interval for project runners, in seconds'
ApplicationSetting::SUPPORTED_KEY_TYPES.each do |type|
optional :"#{type}_key_restriction",
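Review bot: The three `*_runner_token_expiration_interval` params are declared as a bare `Integer` with no lower bound, so as far as this hunk shows, `0` or a negative number of seconds passes API validation. Whether the model rejects such values is not visible here. If it does not, tokens issued afterwards could be created already expired, or the setting could silently behave as if unset. I would state the accepted range in each `desc` and add an example beside 'updates the settings with empty values' in the settings spec that sends `0` and `-1` and expects `:bad_request`. The params block starts and ends outside the hunk.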
......
......@@ -62,12 +62,26 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
end
end
context 'when token_expires_at is nil' do
it 'creates runner' do
request
expect(response).to have_gitlab_http_status(:created)
expect(json_response['id']).to eq(new_runner.id)
expect(json_response['token']).to eq(new_runner.token)
expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => nil })
end
end
context 'when token_expires_at is a valid date' do
before do
new_runner.token_expires_at = DateTime.new(2022, 1, 11, 14, 39, 24)
end
it 'creates runner' do
request
expect(response).to have_gitlab_http_status(:created)
expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => '2022-01-11T14:39:24.000Z' })
end
end
it_behaves_like 'storing arguments in the application context for the API' do
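Review bot: The fixture in 'when token_expires_at is a valid date' is built with `DateTime.new(2022, 1, 11, 14, 39, 24)`. `DateTime` is a legacy class, and `Time.utc(2022, 1, 11, 14, 39, 24)` makes explicit the zone that the expected `'2022-01-11T14:39:24.000Z'` string relies on. Because the value is assigned directly on `new_runner`, this example checks serialization only, and a short comment saying so would stop readers assuming it covers the expiration-interval setting. The enclosing describe block starts and ends outside the hunk.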
......
......@@ -664,7 +664,7 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{shared_runner.id}/reset_authentication_token", admin)
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to eq({ 'token' => shared_runner.reload.token })
expect(json_response).to eq({ 'token' => shared_runner.reload.token, 'token_expires_at' => nil })
end.to change { shared_runner.reload.token }
end
......@@ -688,7 +688,7 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{project_runner.id}/reset_authentication_token", user)
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to eq({ 'token' => project_runner.reload.token })
expect(json_response).to eq({ 'token' => project_runner.reload.token, 'token_expires_at' => nil })
end.to change { project_runner.reload.token }
end
......@@ -729,7 +729,22 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to eq({ 'token' => group_runner_a.reload.token })
expect(json_response).to eq({ 'token' => group_runner_a.reload.token, 'token_expires_at' => nil })
end.to change { group_runner_a.reload.token }
end
it 'resets group runner authentication token with owner access with expiration time', :freeze_time do
expect(group_runner_a.reload.token_expires_at).to be_nil
group.update!(runner_token_expiration_interval: 5.days)
expect do
post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
group_runner_a.reload
expect(response).to have_gitlab_http_status(:success)
expect(json_response).to eq({ 'token' => group_runner_a.token, 'token_expires_at' => group_runner_a.token_expires_at.iso8601(3) })
expect(group_runner_a.token_expires_at).to eq(5.days.from_now)
end.to change { group_runner_a.reload.token }
end
end
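Review bot: Only the group-runner reset gets an example with a non-nil expiry; the shared and project runner examples in the two hunks above assert `'token_expires_at' => nil` and nothing more. Token lifetime is a security control, so I would add matching `:freeze_time` examples for those paths, e.g. for the shared runner `stub_application_setting(runner_token_expiration_interval: 5.days)` followed by `expect(shared_runner.reload.token_expires_at).to eq(5.days.from_now)`. In the new example the response assertions sit inside the `expect do … end.to change` block; moving them after it would keep that block limited to the action being measured.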
......
......@@ -51,6 +51,9 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
expect(json_response['whats_new_variant']).to eq('all_tiers')
expect(json_response['user_deactivation_emails_enabled']).to be(true)
expect(json_response['suggest_pipeline_enabled']).to be(true)
expect(json_response['runner_token_expiration_interval']).to be_nil
expect(json_response['group_runner_token_expiration_interval']).to be_nil
expect(json_response['project_runner_token_expiration_interval']).to be_nil
end
end
......@@ -652,5 +655,37 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
end
end
end
context 'runner token expiration_intervals' do
it 'updates the settings' do
put api("/application/settings", admin), params: {
runner_token_expiration_interval: 3600,
group_runner_token_expiration_interval: 3600 * 2,
project_runner_token_expiration_interval: 3600 * 3
}
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to include(
'runner_token_expiration_interval' => 3600,
'group_runner_token_expiration_interval' => 3600 * 2,
'project_runner_token_expiration_interval' => 3600 * 3
)
end
it 'updates the settings with empty values' do
put api("/application/settings", admin), params: {
runner_token_expiration_interval: nil,
group_runner_token_expiration_interval: nil,
project_runner_token_expiration_interval: nil
}
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to include(
'runner_token_expiration_interval' => nil,
'group_runner_token_expiration_interval' => nil,
'project_runner_token_expiration_interval' => nil
)
end
end
end
end
......@@ -85,6 +85,17 @@ RSpec.describe ::Ci::RegisterRunnerService, '#execute' do
expect(subject.ip_address).to eq args[:ip_address]
end
end
context 'with runner token expiration interval', :freeze_time do
before do
stub_application_setting(runner_token_expiration_interval: 5.days)
end
it 'creates runner with token expiration' do
is_expected.to be_an_instance_of(::Ci::Runner)
expect(subject.token_expires_at).to eq(5.days.from_now)
end
end
end
context 'when project token is used' do
......