Merge branch '214322-remove-token-from-runners-api' into 'master'

Remove token attribute from Runners API

See merge request gitlab-org/gitlab!31448

changelogs/unreleased/214322-remove-token-from-runners-api.yml

+---
+title: Remove token attribute from Runners API
+merge_request: 31448
+author:
+type: removed

doc/api/runners.md

@@ -162,9 +162,9 @@ GET /runners/:id
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/runners/6"
 ```
 
-CAUTION: **Deprecation**
-The `token` attribute in the response is deprecated [since GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/214320).
-It will be removed in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/214322).
+NOTE: **Note:**
+The `token` attribute in the response was deprecated [in GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/214320).
+and removed in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/214322).
 
 Example response:
 
@@ -190,7 +190,6 @@ Example response:
             "path_with_namespace": "gitlab-org/gitlab-foss"
         }
     ],
-    "token": "205086a8e3b9a2b818ffac9b89d102",
     "revision": null,
     "tag_list": [
         "ruby",
@@ -225,9 +224,9 @@ PUT /runners/:id
 curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/runners/6" --form "description=test-1-20150125-test" --form "tag_list=ruby,mysql,tag1,tag2"
 ```
 
-CAUTION: **Deprecation**
-The `token` attribute in the response is deprecated [since GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/214320).
-It will be removed in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/214322).
+NOTE: **Note:**
+The `token` attribute in the response was deprecated [in GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/214320).
+and removed in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/214322).
 
 Example response:
 
@@ -253,7 +252,6 @@ Example response:
             "path_with_namespace": "gitlab-org/gitlab-foss"
         }
     ],
-    "token": "205086a8e3b9a2b818ffac9b89d102",
     "revision": null,
     "tag_list": [
         "ruby",

lib/api/entities/runner_details.rb

@@ -11,9 +11,12 @@ module API
       expose :version, :revision, :platform, :architecture
       expose :contacted_at
 
-      # @deprecated in 12.10 https://gitlab.com/gitlab-org/gitlab/-/issues/214320
-      # will be removed by 13.0 https://gitlab.com/gitlab-org/gitlab/-/issues/214322
-      expose :token, if: lambda { |runner, options| options[:current_user].admin? || !runner.instance_type? }
+      # Will be removed: https://gitlab.com/gitlab-org/gitlab/-/issues/217105
+      expose(:token, if: ->(runner, options) do
+        return false if ::Feature.enabled?(:hide_token_from_runners_api, default_enabled: true)
+
+        options[:current_user].admin? || !runner.instance_type?
+      end)
 
       # rubocop: disable CodeReuse/ActiveRecord
       expose :projects, with: Entities::BasicProjectDetails do |runner, options|

spec/requests/api/runners_spec.rb

@@ -326,6 +326,32 @@ describe API::Runners do
         expect(response).to have_gitlab_http_status(:unauthorized)
       end
     end
+
+    context 'FF hide_token_from_runners_api is enabled' do
+      before do
+        stub_feature_flags(hide_token_from_runners_api: true)
+      end
+
+      it "does not return runner's token" do
+        get api("/runners/#{shared_runner.id}", admin)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response).not_to have_key('token')
+      end
+    end
+
+    context 'FF hide_token_from_runners_api is disabled' do
+      before do
+        stub_feature_flags(hide_token_from_runners_api: false)
+      end
+
+      it "returns runner's token" do
+        get api("/runners/#{shared_runner.id}", admin)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response).to have_key('token')
+      end
+    end
   end
 
   describe 'PUT /runners/:id' do