Merge branch '21811-group-delete-deploy-token' into 'master'

API endpoint for deleting group deploy tokens See merge request gitlab-org/gitlab!25222

Merge branch '21811-group-delete-deploy-token' into 'master'
API endpoint for deleting group deploy tokens See merge request gitlab-org/gitlab!25222
d7d8d70f · James Fargher · 60eb3ff9 · 4439a9f9 · d7d8d70f · d7d8d70f
Commit d7d8d70f authored Mar 08, 2020 by James Fargher
5 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -93,6 +93,7 @@ class GroupPolicy < BasePolicy
    enable :create_cluster
    enable :update_cluster
    enable :admin_cluster
+    enable :destroy_deploy_token
  end
  rule { owner }.policy do

--- a/changelogs/unreleased/21811-group-delete-deploy-token.yml
+++ b/changelogs/unreleased/21811-group-delete-deploy-token.yml
+---
+title: Add API endpoint for deleting group deploy tokens
+merge_request: 25222
+author:
+type: added
--- a/doc/api/deploy_tokens.md
+++ b/doc/api/deploy_tokens.md
@@ -71,3 +71,26 @@ Example response:
  }
 ]
 ```
+## Group deploy tokens
+These endpoints require group maintainer access or higher.
+### Delete a group deploy token
+Removes a deploy token from the group.
+```
+DELETE /groups/:id/deploy_tokens/:token_id
+```
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `token_id`  | integer | yes | The ID of the deploy token |
+Example request:
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/deploy_tokens/13"
+```
--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -34,5 +34,22 @@ module API
        present paginate(user_project.deploy_tokens), with: Entities::DeployToken
      end
    end
+    params do
+      requires :id, type: Integer, desc: 'The ID of a group'
+    end
+    resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      desc 'Delete a group deploy token' do
+        detail 'This feature was introduced in GitLab 12.9'
+      end
+      delete ':id/deploy_tokens/:token_id' do
+        authorize!(:destroy_deploy_token, user_group)
+        deploy_token = user_group.group_deploy_tokens
+          .find_by_deploy_token_id!(params[:token_id])
+        destroy_conditionally!(deploy_token)
+      end
+    end
  end
 end
--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -3,10 +3,12 @@
 require 'spec_helper'
 describe API::DeployTokens do
-  let(:user)          { create(:user) }
+  let_it_be(:user)          { create(:user) }
-  let(:creator)       { create(:user) }
+  let_it_be(:creator)       { create(:user) }
-  let(:project)       { create(:project, creator_id: creator.id) }
+  let_it_be(:project)       { create(:project, creator_id: creator.id) }
+  let_it_be(:group)         { create(:group) }
  let!(:deploy_token) { create(:deploy_token, projects: [project]) }
+  let!(:group_deploy_token) { create(:deploy_token, :group, groups: [group]) }
  describe 'GET /deploy_tokens' do
    subject do
@@ -84,4 +86,51 @@ describe API::DeployTokens do
      end
    end
  end
+  describe 'DELETE /groups/:id/deploy_tokens/:token_id' do
+    subject do
+      delete api("/groups/#{group.id}/deploy_tokens/#{group_deploy_token.id}", user)
+      response
+    end
+    context 'when unauthenticated' do
+      let(:user) { nil }
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+    context 'when authenticated as non-admin user' do
+      before do
+        group.add_developer(user)
+      end
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+    context 'when authenticated as maintainer' do
+      before do
+        group.add_maintainer(user)
+      end
+      it 'deletes the deploy token' do
+        expect { subject }.to change { group.deploy_tokens.count }.by(-1)
+        expect(group.deploy_tokens).to be_empty
+      end
+      context 'invalid request' do
+        it 'returns bad request with invalid group id' do
+          delete api("/groups/bad_id/deploy_tokens/#{group_deploy_token.id}", user)
+          expect(response).to have_gitlab_http_status(:bad_request)
+        end
+        it 'returns not found with invalid deploy token id' do
+          delete api("/groups/#{group.id}/deploy_tokens/bad_id", user)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
 end