Commit b893d583 authored by peterhegman's avatar peterhegman

Only expose `id` and `name` attributes when serializing deploy token

This improves security: previously the `token` and `encrypted_token`
attributes were exposed as well.

Changelog: security
parent 1c9796da
......@@ -17,9 +17,6 @@ export default {
revokePath: {
default: '',
},
buttonClass: {
default: '',
},
},
computed: {
modalId() {
......@@ -38,10 +35,9 @@ export default {
<div>
<gl-button
v-gl-modal="modalId"
:class="buttonClass"
category="primary"
variant="danger"
class="float-right"
class="gl-float-right"
data-testid="revoke-button"
>{{ s__('DeployTokens|Revoke') }}</gl-button
>
......@@ -9,14 +9,13 @@ export default () => {
}
return containers.forEach((el) => {
const { token, revokePath, buttonClass } = el.dataset;
const { token, revokePath } = el.dataset;
return new Vue({
el,
provide: {
token: JSON.parse(token),
revokePath,
buttonClass,
},
render(h) {
return h(RevokeButton);
......@@ -16,4 +16,11 @@ module DeployTokensHelper
Gitlab.config.packages.enabled &&
can?(current_user, :read_package, group_or_project)
end
def deploy_token_revoke_button_data(token:, group_or_project:)
{
token: token.to_json(only: [:id, :name]),
revoke_path: revoke_deploy_token_path(group_or_project, token)
}
end
end
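Review bot: The `only: [:id, :name]` allow-list in the `token:` entry of the returned hash is the entire security fix, but nothing in the helper records why it exists, so a later change could widen the list (or switch back to a bare `token.to_json`) without the reviewer noticing the secret would leak into the page. Add a comment above the hash, for example `# Allow-list: the revoke button only needs id/name. Never serialize the record wholesale — its default to_json includes token/encrypted_token.`. A spec that parses the JSON and asserts the key set is exactly `id`/`name` would enforce the intent rather than just describe it. Longer term, moving this serialization into a dedicated serializer (or an `as_json` override on the model) would stop other call sites from repeating the `token.to_json` pattern the HAML previously used.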
......@@ -25,7 +25,7 @@
%span.token-never-expires-label= _('Never')
%td= token.scopes.present? ? token.scopes.join(', ') : _('no scopes selected')
%td
.js-deploy-token-revoke-button{ data: { button_class: 'float-right', token: token.to_json, revoke_path: revoke_deploy_token_path(group_or_project, token) } }
.js-deploy-token-revoke-button{ data: deploy_token_revoke_button_data(token: token, group_or_project: group_or_project) }
- else
.settings-message.text-center
......@@ -70,11 +70,6 @@ describe('RevokeButton', () => {
expect(findRevokeButton().exists()).toBe(true);
});
it('passes the buttonClass to the button', () => {
wrapper = createComponent({ buttonClass: 'my-revoke-button' });
expect(findRevokeButton().classes()).toContain('my-revoke-button');
});
it('opens the modal', () => {
findRevokeButton().trigger('click');
expect(glModalDirective).toHaveBeenCalledWith(wrapper.vm.modalId);
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe DeployTokensHelper do
describe '#deploy_token_revoke_button_data' do
let_it_be(:token) { build(:deploy_token) }
let_it_be(:project) { build(:project) }
let_it_be(:revoke_deploy_token_path) { '/foobar/baz/-/deploy_tokens/1/revoke' }
it 'returns expected hash' do
expect(helper).to receive(:revoke_deploy_token_path).with(project, token).and_return(revoke_deploy_token_path)
expect(helper.deploy_token_revoke_button_data(token: token, group_or_project: project)).to match({
token: token.to_json(only: [:id, :name]),
revoke_path: revoke_deploy_token_path
})
end
end
end
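Review bot: The `token:` expectation in `'returns expected hash'` reuses the same `to_json(only: [:id, :name])` expression as the implementation, so the spec checks the shape but never states the property the commit is for — that the secret never reaches the page. Add an explicit negative assertion on the parsed payload, e.g. `expect(JSON.parse(result[:token]).keys).to contain_exactly('id', 'name')`, so a regression that re-adds `token` or `encrypted_token` fails with a message naming the leak. Separately, `let_it_be(:revoke_deploy_token_path)` shares its name with the helper method it stubs on the next line, which reads ambiguously; a name such as `:revoke_path` would make the stub clearer.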