Merge branch '21765-group-token-refactor' into 'master'

Group Deploy Tokens interface See merge request gitlab-org/gitlab!24102

Merge branch '21765-group-token-refactor' into 'master'
Group Deploy Tokens interface See merge request gitlab-org/gitlab!24102
e97e979e · Phil Hughes · 23a8677f · 8b7111eb · e97e979e · e97e979e
Commit e97e979e authored Feb 28, 2020 by Phil Hughes
47 changed files
--- a/.haml-lint_todo.yml
+++ b/.haml-lint_todo.yml
@@ -374,6 +374,7 @@ linters:
      - 'app/views/shared/boards/components/sidebar/_due_date.html.haml'
      - 'app/views/shared/boards/components/sidebar/_labels.html.haml'
      - 'app/views/shared/boards/components/sidebar/_milestone.html.haml'
+      - 'app/views/shared/deploy_tokens/_revoke_modal.html.haml'
      - 'app/views/shared/empty_states/_priority_labels.html.haml'
      - 'app/views/shared/hook_logs/_content.html.haml'
      - 'app/views/shared/issuable/_assignees.html.haml'

--- a/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
 import initSettingsPanels from '~/settings_panels';
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 import initVariableList from '~/ci_variable_list';
+import DueDateSelectors from '~/due_date_select';

 document.addEventListener('DOMContentLoaded', () => {
  // Initialize expandable settings panels
  initSettingsPanels();
+  // eslint-disable-next-line no-new
+  new DueDateSelectors();

  if (gon.features.newVariablesUi) {
    initVariableList();

--- a/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
@@ -3,6 +3,7 @@ import SecretValues from '~/behaviors/secret_values';
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 import registrySettingsApp from '~/registry/settings/registry_settings_bundle';
 import initVariableList from '~/ci_variable_list';
+import DueDateSelectors from '~/due_date_select';

 document.addEventListener('DOMContentLoaded', () => {
  // Initialize expandable settings panels
@@ -39,5 +40,8 @@ document.addEventListener('DOMContentLoaded', () => {
    autoDevOpsExtraSettings.classList.toggle('hidden', !target.checked);
  });

+  // eslint-disable-next-line no-new
+  new DueDateSelectors();
+
  registrySettingsApp();
 });
--- a/app/controllers/groups/deploy_tokens_controller.rb
+++ b/app/controllers/groups/deploy_tokens_controller.rb
+# frozen_string_literal: true
+
+class Groups::DeployTokensController < Groups::ApplicationController
+  before_action :authorize_admin_group!
+
+  def revoke
+    @token = @group.deploy_tokens.find(params[:id])
+    @token.revoke!
+
+    redirect_to group_settings_ci_cd_path(@group, anchor: 'js-deploy-tokens')
+  end
+end
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -9,9 +9,9 @@ module Groups
      before_action do
        push_frontend_feature_flag(:new_variables_ui, @group, default_enabled: true)
      end
+      before_action :define_variables, only: [:show, :create_deploy_token]

      def show
-        define_ci_variables
      end

      def update
@@ -41,8 +41,23 @@ module Groups
        redirect_to group_settings_ci_cd_path
      end

+      def create_deploy_token
+        @new_deploy_token = Groups::DeployTokens::CreateService.new(@group, current_user, deploy_token_params).execute
+
+        if @new_deploy_token.persisted?
+          flash.now[:notice] = s_('DeployTokens|Your new group deploy token has been created.')
+        end
+
+        render 'show'
+      end
+
      private

+      def define_variables
+        define_ci_variables
+        define_deploy_token_variables
+      end
+
      def define_ci_variables
        @variable = Ci::GroupVariable.new(group: group)
          .present(current_user: current_user)
@@ -50,6 +65,12 @@ module Groups
          .map { |variable| variable.present(current_user: current_user) }
      end

+      def define_deploy_token_variables
+        @deploy_tokens = @group.deploy_tokens.active
+
+        @new_deploy_token = DeployToken.new
+      end
+
      def authorize_admin_group!
        return render_404 unless can?(current_user, :admin_group, group)
      end
@@ -73,6 +94,10 @@ module Groups
      def update_group_params
        params.require(:group).permit(:max_artifacts_size)
      end
+
+      def deploy_token_params
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+      end
    end
  end
 end
--- a/app/controllers/projects/deploy_tokens_controller.rb
+++ b/app/controllers/projects/deploy_tokens_controller.rb
@@ -7,6 +7,6 @@ class Projects::DeployTokensController < Projects::ApplicationController
    @token = @project.deploy_tokens.find(params[:id])
    @token.revoke!

-    redirect_to project_settings_repository_path(project, anchor: 'js-deploy-tokens')
+    redirect_to project_settings_ci_cd_path(project, anchor: 'js-deploy-tokens')
  end
 end
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -46,6 +46,16 @@ module Projects
        redirect_to namespace_project_settings_ci_cd_path
      end

+      def create_deploy_token
+        @new_deploy_token = Projects::DeployTokens::CreateService.new(@project, current_user, deploy_token_params).execute
+
+        if @new_deploy_token.persisted?
+          flash.now[:notice] = s_('DeployTokens|Your new project deploy token has been created.')
+        end
+
+        render 'show'
+      end
+
      private

      def update_params
@@ -64,6 +74,10 @@ module Projects
        end
      end

+      def deploy_token_params
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+      end
+
      def run_autodevops_pipeline(service)
        return unless service.run_auto_devops_pipeline?

@@ -83,6 +97,7 @@ module Projects
      def define_variables
        define_runners_variables
        define_ci_variables
+        define_deploy_token_variables
        define_triggers_variables
        define_badges_variables
        define_auto_devops_variables
@@ -132,6 +147,12 @@ module Projects
      def define_auto_devops_variables
        @auto_devops = @project.auto_devops || ProjectAutoDevops.new
      end
+
+      def define_deploy_token_variables
+        @deploy_tokens = @project.deploy_tokens.active
+
+        @new_deploy_token = DeployToken.new
+      end
    end
  end
 end

--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -10,16 +10,6 @@ module Projects
        render_show
      end

-      def create_deploy_token
-        @new_deploy_token = DeployTokens::CreateService.new(@project, current_user, deploy_token_params).execute
-
-        if @new_deploy_token.persisted?
-          flash.now[:notice] = s_('DeployTokens|Your new project deploy token has been created.')
-        end
-
-        render_show
-      end
-
      def cleanup
        cleanup_params = params.require(:project).permit(:bfg_object_map)
        result = Projects::UpdateService.new(project, current_user, cleanup_params).execute
@@ -38,9 +28,7 @@ module Projects

      def render_show
        @deploy_keys = DeployKeysPresenter.new(@project, current_user: current_user)
-        @deploy_tokens = @project.deploy_tokens.active

-        define_deploy_token
        define_protected_refs
        remote_mirror

@@ -93,14 +81,6 @@ module Projects
        gon.push(protectable_branches_for_dropdown)
        gon.push(access_levels_options)
      end
-
-      def define_deploy_token
-        @new_deploy_token ||= DeployToken.new
-      end
-
-      def deploy_token_params
-        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
-      end
    end
  end
 end

--- a/app/helpers/ci_variables_helper.rb
+++ b/app/helpers/ci_variables_helper.rb
@@ -5,6 +5,22 @@ module CiVariablesHelper
    Gitlab::CurrentSettings.current_application_settings.protected_ci_variables
  end

+  def create_deploy_token_path(entity, opts = {})
+    if entity.is_a?(Group)
+      create_deploy_token_group_settings_ci_cd_path(entity, opts)
+    else
+      create_deploy_token_project_settings_repository_path(entity, opts)
+    end
+  end
+
+  def revoke_deploy_token_path(entity, token)
+    if entity.is_a?(Group)
+      revoke_group_deploy_token_path(entity, token)
+    else
+      revoke_project_deploy_token_path(entity, token)
+    end
+  end
+
  def ci_variable_protected?(variable, only_key_value)
    if variable && !only_key_value
      variable.protected

--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -59,6 +59,9 @@ class Group < Namespace

  has_many :import_failures, inverse_of: :group

+  has_many :group_deploy_tokens
+  has_many :deploy_tokens, through: :group_deploy_tokens
+
  accepts_nested_attributes_for :variables, allow_destroy: true

  validate :visibility_level_allowed_by_projects

--- a/app/models/group_deploy_token.rb
+++ b/app/models/group_deploy_token.rb
@@ -9,7 +9,7 @@ class GroupDeployToken < ApplicationRecord
  validates :deploy_token_id, uniqueness: { scope: [:group_id] }

  def has_access_to?(requested_project)
-    return false unless Feature.enabled?(:allow_group_deploy_token, default: true)
+    return false unless Feature.enabled?(:allow_group_deploy_token, default_enabled: true)

    requested_project_group = requested_project&.group
    return false unless requested_project_group

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2343,6 +2343,14 @@ class Project < ApplicationRecord
    Gitlab::CurrentSettings.self_monitoring_project_id == id
  end

+  def deploy_token_create_url(opts = {})
+    Gitlab::Routing.url_helpers.create_deploy_token_project_settings_ci_cd_path(self, opts)
+  end
+
+  def deploy_token_revoke_url_for(token)
+    Gitlab::Routing.url_helpers.revoke_project_deploy_token_path(self, token)
+  end
+
  private

  def closest_namespace_setting(name)

--- a/app/services/concerns/deploy_token_methods.rb
+++ b/app/services/concerns/deploy_token_methods.rb
+# frozen_string_literal: true
+
+module DeployTokenMethods
+  def create_deploy_token_for(entity, params)
+    params[:deploy_token_type] = DeployToken.deploy_token_types["#{entity.class.name.downcase}_type".to_sym]
+
+    entity.deploy_tokens.create(params) do |deploy_token|
+      deploy_token.username = params[:username].presence
+    end
+  end
+end
--- a/app/services/deploy_tokens/create_service.rb
+++ b/app/services/deploy_tokens/create_service.rb
-# frozen_string_literal: true
-
-module DeployTokens
-  class CreateService < BaseService
-    def execute
-      @project.deploy_tokens.create(params) do |deploy_token|
-        deploy_token.username = params[:username].presence
-      end
-    end
-  end
-end
--- a/app/services/groups/deploy_tokens/create_service.rb
+++ b/app/services/groups/deploy_tokens/create_service.rb
+# frozen_string_literal: true
+
+module Groups
+  module DeployTokens
+    class CreateService < BaseService
+      include DeployTokenMethods
+
+      def execute
+        create_deploy_token_for(@group, params)
+      end
+    end
+  end
+end
--- a/app/services/projects/deploy_tokens/create_service.rb
+++ b/app/services/projects/deploy_tokens/create_service.rb
+# frozen_string_literal: true
+
+module Projects
+  module DeployTokens
+    class CreateService < BaseService
+      include DeployTokenMethods
+
+      def execute
+        create_deploy_token_for(@project, params)
+      end
+    end
+  end
+end
--- a/app/views/groups/settings/ci_cd/show.html.haml
+++ b/app/views/groups/settings/ci_cd/show.html.haml
@@ -3,6 +3,7 @@

 - expanded = expanded_by_default?
 - general_expanded = @group.errors.empty? ? expanded : true
+- deploy_token_description = s_('DeployTokens|Group deploy tokens allow read-only access to the repositories and registry images within the group.')

 -# Given we only have one field in this form which is also admin-only,
 -# we don't want to show an empty section to non-admin users,
@@ -24,6 +25,8 @@
  .settings-content
    = render 'ci/variables/index', save_endpoint: group_variables_path

+= render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
+
 %section.settings#runners-settings.no-animate{ class: ('expanded' if expanded) }
  .settings-header
    %h4

--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -4,6 +4,7 @@

 - expanded = expanded_by_default?
 - general_expanded = @project.errors.empty? ? expanded : true
+- deploy_token_description = s_('DeployTokens|Deploy tokens allow read-only access to your repository and registry images.')

 %section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
  .settings-header
@@ -51,6 +52,8 @@
  .settings-content
    = render 'ci/variables/index', save_endpoint: project_variables_path(@project)

+= render "shared/deploy_tokens/index", group_or_project: @project, description: deploy_token_description
+
 %section.settings.no-animate#js-pipeline-triggers{ class: ('expanded' if expanded) }
  .settings-header
    %h4

--- a/app/views/projects/settings/repository/show.html.haml
+++ b/app/views/projects/settings/repository/show.html.haml
@@ -13,7 +13,6 @@
 = render "projects/settings/repository/protected_branches"

 = render @deploy_keys
-= render "projects/deploy_tokens/index"
 = render "projects/cleanup/show"

 = render_if_exists 'shared/promotions/promote_repository_features'
--- a/app/views/projects/deploy_tokens/_form.html.haml
+++ b/app/views/projects/deploy_tokens/_form.html.haml
 %p.profile-settings-content
  = s_("DeployTokens|Pick a name for the application, and we'll give you a unique deploy token.")

-= form_for token, url: create_deploy_token_namespace_project_settings_repository_path(project.namespace, project, anchor: 'js-deploy-tokens'), method: :post do |f|
+= form_for token, url: create_deploy_token_path(group_or_project, anchor: 'js-deploy-tokens'), method: :post do |f|
  = form_errors(token)

  .form-group
@@ -24,7 +24,7 @@
      = label_tag ("deploy_token_read_repository"), 'read_repository', class: 'label-bold form-check-label'
      .text-secondary= s_('DeployTokens|Allows read-only access to the repository')

-    - if container_registry_enabled?(project)
+    - if container_registry_enabled?(group_or_project)
      %fieldset.form-group.form-check
        = f.check_box :read_registry, class: 'form-check-input qa-deploy-token-read-registry'
        = label_tag ("deploy_token_read_registry"), 'read_registry', class: 'label-bold form-check-label'

--- a/app/views/projects/deploy_tokens/_index.html.haml
+++ b/app/views/projects/deploy_tokens/_index.html.haml
 - expanded = expand_deploy_tokens_section?(@new_deploy_token)

-%section.qa-deploy-tokens-settings.settings.no-animate#js-deploy-tokens{ class: ('expanded' if expanded) }
+%section.qa-deploy-tokens-settings.settings.no-animate#js-deploy-tokens{ class: ('expanded' if expanded), data: { qa_selector: 'deploy_tokens_settings' } }
  .settings-header
    %h4= s_('DeployTokens|Deploy Tokens')
    %button.btn.js-settings-toggle.qa-expand-deploy-keys{ type: 'button' }
      = expanded ? 'Collapse' : 'Expand'
    %p
-      = s_('DeployTokens|Deploy tokens allow read-only access to your repository and registry images.')
+      = description
  .settings-content
    - if @new_deploy_token.persisted?
-      = render 'projects/deploy_tokens/new_deploy_token', deploy_token: @new_deploy_token
+      = render 'shared/deploy_tokens/new_deploy_token', deploy_token: @new_deploy_token
    %h5.prepend-top-0
      = s_('DeployTokens|Add a deploy token')
-    = render 'projects/deploy_tokens/form', project: @project, token: @new_deploy_token, presenter: @deploy_tokens
+    = render 'shared/deploy_tokens/form', group_or_project: group_or_project, token: @new_deploy_token, presenter: @deploy_tokens
    %hr
-    = render 'projects/deploy_tokens/table', project: @project, active_tokens: @deploy_tokens
+    = render 'shared/deploy_tokens/table', group_or_project: group_or_project, active_tokens: @deploy_tokens
+
--- a/app/views/projects/deploy_tokens/_new_deploy_token.html.haml
+++ b/app/views/projects/deploy_tokens/_new_deploy_token.html.haml
--- a/app/views/projects/deploy_tokens/_revoke_modal.html.haml
+++ b/app/views/projects/deploy_tokens/_revoke_modal.html.haml
@@ -3,15 +3,13 @@
    .modal-content
      .modal-header
        %h4.modal-title
-          = s_('DeployTokens|Revoke')
-          %b #{token.name}?
+          = s_('DeployTokens|Revoke %{b_start}%{name}%{b_end}?').html_safe % { b_start: '<b>'.html_safe, name: token.name, b_end: '</b>'.html_safe }
        %button.close{ type: "button", "data-dismiss": "modal", "aria-label" => _('Close') }
          %span{ "aria-hidden": true } &times;
      .modal-body
        %p
-          = s_('DeployTokens|You are about to revoke')
-          %b #{token.name}.
+          = s_('DeployTokens|You are about to revoke %{b_start}%{name}%{b_end}.').html_safe % { b_start: '<b>'.html_safe, name: token.name, b_end: '</b>'.html_safe }
          = s_('DeployTokens|This action cannot be undone.')
      .modal-footer
        %a{ href: '#', data: { dismiss: 'modal' }, class: 'btn btn-default' }= _('Cancel')
-        = link_to s_('DeployTokens|Revoke %{name}') % { name: token.name }, revoke_project_deploy_token_path(project, token), method: :put, class: 'btn btn-danger'
+        = link_to s_('DeployTokens|Revoke %{name}') % { name: token.name }, revoke_deploy_token_path(group_or_project, token), method: :put, class: 'btn btn-danger'
--- a/app/views/projects/deploy_tokens/_table.html.haml
+++ b/app/views/projects/deploy_tokens/_table.html.haml
@@ -22,10 +22,10 @@
                %span{ class: ('text-warning' if token.expires_soon?) }
                  In #{distance_of_time_in_words_to_now(token.expires_at)}
              - else
-                %span.token-never-expires-label Never
-            %td= token.scopes.present? ? token.scopes.join(", ") : "<no scopes selected>"
+                %span.token-never-expires-label= _('Never')
+            %td= token.scopes.present? ? token.scopes.join(", ") : _('<no scopes selected>')
            %td= link_to s_('DeployTokens|Revoke'), "#", class: "btn btn-danger float-right", data: { toggle: "modal", target: "#revoke-modal-#{token.id}"}
-            = render 'projects/deploy_tokens/revoke_modal', token: token, project: project
+            = render 'shared/deploy_tokens/revoke_modal', token: token, group_or_project: group_or_project
 - else
  .settings-message.text-center
-    = s_('DeployTokens|This project has no active Deploy Tokens.')
+    = s_('DeployTokens|This %{entity_type} has no active Deploy Tokens.') % { entity_type: group_or_project.class.name.downcase }
--- a/changelogs/unreleased/21765-group-token-refactor.yml
+++ b/changelogs/unreleased/21765-group-token-refactor.yml
+---
+title: Addition of the Group Deploy Token interface
+merge_request: 24102
+author:
+type: added
--- a/config/routes/group.rb
+++ b/config/routes/group.rb
@@ -29,6 +29,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
      resource :ci_cd, only: [:show, :update], controller: 'ci_cd' do
        put :reset_registration_token
        patch :update_auto_devops
+        post :create_deploy_token, path: 'deploy_token/create'
      end
    end

@@ -49,6 +50,12 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
      end
    end

+    resources :deploy_tokens, constraints: { id: /\d+/ }, only: [] do
+      member do
+        put :revoke
+      end
+    end
+
    resource :avatar, only: [:destroy]

    concerns :clusterable

--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -79,7 +79,9 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
          resource :integrations, only: [:show]

          resource :repository, only: [:show], controller: :repository do
-            post :create_deploy_token, path: 'deploy_token/create'
+            # TODO: Move 'create_deploy_token' here to the ':ci_cd' resource above during 12.9.
+            # More details here: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24102#note_287572556
+            post :create_deploy_token, path: 'deploy_token/create', to: 'ci_cd#create_deploy_token'
            post :cleanup
          end
        end

--- a/ee/app/controllers/ee/projects/settings/ci_cd_controller.rb
+++ b/ee/app/controllers/ee/projects/settings/ci_cd_controller.rb
@@ -8,8 +8,8 @@ module EE
        extend ActiveSupport::Concern

        prepended do
-          before_action :assign_variables_to_gon, only: :show
-          before_action :define_protected_env_variables, only: :show
+          before_action :assign_variables_to_gon, only: [:show, :create_deploy_token]
+          before_action :define_protected_env_variables, only: [:show, :create_deploy_token]
        end

        # rubocop:disable Gitlab/ModuleWithInstanceVariables

--- a/ee/app/controllers/ee/projects/settings/repository_controller.rb
+++ b/ee/app/controllers/ee/projects/settings/repository_controller.rb
@@ -42,7 +42,6 @@ module EE
          @deploy_keys = ::Projects::Settings::DeployKeysPresenter.new(@project, current_user: current_user)
          @deploy_tokens = @project.deploy_tokens.active

-          define_deploy_token
          define_protected_refs
          push_rule
          remote_mirror

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6507,6 +6507,9 @@ msgstr ""
 msgid "DeployTokens|Expires"
 msgstr ""

+msgid "DeployTokens|Group deploy tokens allow read-only access to the repositories and registry images within the group."
+msgstr ""
+
 msgid "DeployTokens|Name"
 msgstr ""

@@ -6516,16 +6519,19 @@ msgstr ""
 msgid "DeployTokens|Revoke"
 msgstr ""

+msgid "DeployTokens|Revoke %{b_start}%{name}%{b_end}?"
+msgstr ""
+
 msgid "DeployTokens|Revoke %{name}"
 msgstr ""

 msgid "DeployTokens|Scopes"
 msgstr ""

-msgid "DeployTokens|This action cannot be undone."
+msgid "DeployTokens|This %{entity_type} has no active Deploy Tokens."
 msgstr ""

-msgid "DeployTokens|This project has no active Deploy Tokens."
+msgid "DeployTokens|This action cannot be undone."
 msgstr ""

 msgid "DeployTokens|Use this token as a password. Make sure you save it - you won't be able to access it again."
@@ -6537,12 +6543,15 @@ msgstr ""
 msgid "DeployTokens|Username"
 msgstr ""

-msgid "DeployTokens|You are about to revoke"
+msgid "DeployTokens|You are about to revoke %{b_start}%{name}%{b_end}."
 msgstr ""

 msgid "DeployTokens|Your New Deploy Token"
 msgstr ""

+msgid "DeployTokens|Your new group deploy token has been created."
+msgstr ""
+
 msgid "DeployTokens|Your new project deploy token has been created."
 msgstr ""


--- a/qa/qa/page/project/settings/ci_cd.rb
+++ b/qa/qa/page/project/settings/ci_cd.rb
@@ -13,6 +13,16 @@ module QA
            element :variables_settings_content
          end

+          view 'app/views/shared/deploy_tokens/_index.html.haml' do
+            element :deploy_tokens_settings
+          end
+
+          def expand_deploy_tokens(&block)
+            expand_section(:deploy_tokens_settings) do
+              Settings::DeployTokens.perform(&block)
+            end
+          end
+
          def expand_runners_settings(&block)
            expand_section(:runners_settings_content) do
              Settings::Runners.perform(&block)

--- a/qa/qa/page/project/settings/deploy_tokens.rb
+++ b/qa/qa/page/project/settings/deploy_tokens.rb
@@ -5,7 +5,7 @@ module QA
    module Project
      module Settings
        class DeployTokens < Page::Base
-          view 'app/views/projects/deploy_tokens/_form.html.haml' do
+          view 'app/views/shared/deploy_tokens/_form.html.haml' do
            element :deploy_token_name
            element :deploy_token_expires_at
            element :deploy_token_read_repository
@@ -13,7 +13,7 @@ module QA
            element :create_deploy_token
          end

-          view 'app/views/projects/deploy_tokens/_new_deploy_token.html.haml' do
+          view 'app/views/shared/deploy_tokens/_new_deploy_token.html.haml' do
            element :created_deploy_token_section
            element :deploy_token_user
            element :deploy_token

--- a/qa/qa/page/project/settings/repository.rb
+++ b/qa/qa/page/project/settings/repository.rb
@@ -31,12 +31,6 @@ module QA
            end
          end

-          def expand_deploy_tokens(&block)
-            expand_section(:deploy_tokens_settings) do
-              DeployTokens.perform(&block)
-            end
-          end
-
          def expand_mirroring_repositories(&block)
            expand_section(:mirroring_repositories_settings_section) do
              MirroringRepositories.perform(&block)

--- a/qa/qa/resource/deploy_token.rb
+++ b/qa/qa/resource/deploy_token.rb
@@ -6,16 +6,16 @@ module QA
      attr_accessor :name, :expires_at

      attribute :username do
-        Page::Project::Settings::Repository.perform do |repository_page|
-          repository_page.expand_deploy_tokens do |token|
+        Page::Project::Settings::CICD.perform do |cicd_page|
+          cicd_page.expand_deploy_tokens do |token|
            token.token_username
          end
        end
      end

      attribute :password do
-        Page::Project::Settings::Repository.perform do |repository_page|
-          repository_page.expand_deploy_tokens do |token|
+        Page::Project::Settings::CICD.perform do |cicd_page|
+          cicd_page.expand_deploy_tokens do |token|
            token.token_password
          end
        end
@@ -31,12 +31,10 @@ module QA
      def fabricate!
        project.visit!

-        Page::Project::Menu.act do
-          go_to_repository_settings
-        end
+        Page::Project::Menu.perform(&:go_to_ci_cd_settings)

-        Page::Project::Settings::Repository.perform do |setting|
-          setting.expand_deploy_tokens do |page|
+        Page::Project::Settings::CICD.perform do |cicd|
+          cicd.expand_deploy_tokens do |page|
            page.fill_token_name(name)
            page.fill_token_expires_at(expires_at)
            page.fill_scopes(read_repository: true, read_registry: false)

--- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
@@ -210,4 +210,16 @@ describe Groups::Settings::CiCdController do
      end
    end
  end
+
+  describe 'POST create_deploy_token' do
+    it_behaves_like 'a created deploy token' do
+      let(:entity) { group }
+      let(:create_entity_params) { { group_id: group } }
+      let(:deploy_token_type) { DeployToken.deploy_token_types[:group_type] }
+
+      before do
+        entity.add_owner(user)
+      end
+    end
+  end
 end
--- a/spec/controllers/projects/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/projects/settings/ci_cd_controller_spec.rb
@@ -247,4 +247,12 @@ describe Projects::Settings::CiCdController do
      end
    end
  end
+
+  describe 'POST create_deploy_token' do
+    it_behaves_like 'a created deploy token' do
+      let(:entity) { project }
+      let(:create_entity_params) { { namespace_id: project.namespace, project_id: project } }
+      let(:deploy_token_type) { DeployToken.deploy_token_types[:project_type] }
+    end
+  end
 end
--- a/spec/controllers/projects/settings/repository_controller_spec.rb
+++ b/spec/controllers/projects/settings/repository_controller_spec.rb
@@ -32,24 +32,4 @@ describe Projects::Settings::RepositoryController do
      expect(RepositoryCleanupWorker).to have_received(:perform_async).once
    end
  end
-
-  describe 'POST create_deploy_token' do
-    let(:deploy_token_params) do
-      {
-        name: 'deployer_token',
-        expires_at: 1.month.from_now.to_date.to_s,
-        username: 'deployer',
-        read_repository: '1'
-      }
-    end
-
-    subject(:create_deploy_token) { post :create_deploy_token, params: { namespace_id: project.namespace, project_id: project, deploy_token: deploy_token_params } }
-
-    it 'creates deploy token' do
-      expect { create_deploy_token }.to change { DeployToken.active.count }.by(1)
-
-      expect(response).to have_gitlab_http_status(:ok)
-      expect(response).to render_template(:show)
-    end
-  end
 end
--- a/spec/features/groups/settings/ci_cd_spec.rb
+++ b/spec/features/groups/settings/ci_cd_spec.rb
@@ -37,6 +37,19 @@ describe 'Group CI/CD settings' do
    end
  end

+  context 'Deploy tokens' do
+    let!(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+
+    before do
+      stub_container_registry_config(enabled: true)
+      visit group_settings_ci_cd_path(group)
+    end
+
+    it_behaves_like 'a deploy token in ci/cd settings' do
+      let(:entity_type) { 'group' }
+    end
+  end
+
  describe 'Auto DevOps form' do
    before do
      stub_application_setting(auto_devops_enabled: true)

--- a/spec/features/projects/settings/ci_cd_settings_spec.rb
+++ b/spec/features/projects/settings/ci_cd_settings_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Projects > Settings > CI/CD settings' do
+  let(:project) { create(:project_empty_repo) }
+  let(:user) { create(:user) }
+  let(:role) { :maintainer }
+
+  context 'Deploy tokens' do
+    let!(:deploy_token) { create(:deploy_token, projects: [project]) }
+
+    before do
+      project.add_role(user, role)
+      sign_in(user)
+      stub_container_registry_config(enabled: true)
+      visit project_settings_ci_cd_path(project)
+    end
+
+    it_behaves_like 'a deploy token in ci/cd settings' do
+      let(:entity_type) { 'project' }
+    end
+  end
+end
--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -108,39 +108,6 @@ describe 'Projects > Settings > Repository settings' do
      end
    end

-    context 'Deploy tokens' do
-      let!(:deploy_token) { create(:deploy_token, projects: [project]) }
-
-      before do
-        stub_container_registry_config(enabled: true)
-        visit project_settings_repository_path(project)
-      end
-
-      it 'view deploy tokens' do
-        within('.deploy-tokens') do
-          expect(page).to have_content(deploy_token.name)
-          expect(page).to have_content('read_repository')
-          expect(page).to have_content('read_registry')
-        end
-      end
-
-      it 'add a new deploy token' do
-        fill_in 'deploy_token_name', with: 'new_deploy_key'
-        fill_in 'deploy_token_expires_at', with: (Date.today + 1.month).to_s
-        fill_in 'deploy_token_username', with: 'deployer'
-        check 'deploy_token_read_repository'
-        check 'deploy_token_read_registry'
-        click_button 'Create deploy token'
-
-        expect(page).to have_content('Your new project deploy token has been created')
-
-        within('.created-deploy-token-container') do
-          expect(page).to have_selector("input[name='deploy-token-user'][value='deployer']")
-          expect(page).to have_selector("input[name='deploy-token'][readonly='readonly']")
-        end
-      end
-    end
-
    context 'remote mirror settings' do
      let(:user2) { create(:user) }


--- a/spec/features/projects/settings/user_sees_revoke_deploy_token_modal_spec.rb
+++ b/spec/features/projects/settings/user_sees_revoke_deploy_token_modal_spec.rb
@@ -11,7 +11,7 @@ describe 'Repository Settings > User sees revoke deploy token modal', :js do
  before do
    project.add_role(user, role)
    sign_in(user)
-    visit(project_settings_repository_path(project))
+    visit(project_settings_ci_cd_path(project))
    click_link('Revoke')
  end


--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -798,6 +798,11 @@ describe 'project routing' do
    end

    it_behaves_like 'redirecting a legacy project path', "/gitlab/gitlabhq/settings/repository", "/gitlab/gitlabhq/-/settings/repository"
+
+    # TODO: remove this test as part of https://gitlab.com/gitlab-org/gitlab/issues/207079 (12.9)
+    it 'to ci_cd#create_deploy_token' do
+      expect(post('gitlab/gitlabhq/-/settings/repository/deploy_token/create')).to route_to('projects/settings/ci_cd#create_deploy_token', namespace_id: 'gitlab', project_id: 'gitlabhq')
+    end
  end

  describe Projects::TemplatesController, 'routing' do

--- a/spec/services/groups/deploy_tokens/create_service_spec.rb
+++ b/spec/services/groups/deploy_tokens/create_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Groups::DeployTokens::CreateService do
+  it_behaves_like 'a deploy token creation service' do
+    let(:entity) { create(:group) }
+    let(:deploy_token_class) { GroupDeployToken }
+  end
+end
--- a/spec/services/projects/deploy_tokens/create_service_spec.rb
+++ b/spec/services/projects/deploy_tokens/create_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::DeployTokens::CreateService do
+  it_behaves_like 'a deploy token creation service' do
+    let(:entity) { create(:project) }
+    let(:deploy_token_class) { ProjectDeployToken }
+  end
+end
--- a/spec/services/deploy_tokens/create_service_spec.rb
+++ b/spec/services/deploy_tokens/create_service_spec.rb
 # frozen_string_literal: true

-require 'spec_helper'
-
-describe DeployTokens::CreateService do
-  let(:project) { create(:project) }
+RSpec.shared_examples 'a deploy token creation service' do
  let(:user) { create(:user) }
  let(:deploy_token_params) { attributes_for(:deploy_token) }

  describe '#execute' do
-    subject { described_class.new(project, user, deploy_token_params).execute }
+    subject { described_class.new(entity, user, deploy_token_params).execute }

    context 'when the deploy token is valid' do
      it 'creates a new DeployToken' do
@@ -16,7 +13,7 @@ describe DeployTokens::CreateService do
      end

      it 'creates a new ProjectDeployToken' do
-        expect { subject }.to change { ProjectDeployToken.count }.by(1)
+        expect { subject }.to change { deploy_token_class.count }.by(1)
      end

      it 'returns a DeployToken' do
@@ -56,7 +53,7 @@ describe DeployTokens::CreateService do
      end

      it 'does not create a new ProjectDeployToken' do
-        expect { subject }.not_to change { ProjectDeployToken.count }
+        expect { subject }.not_to change { deploy_token_class.count }
      end
    end
  end

--- a/spec/support/shared_examples/controllers/deploy_token_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/deploy_token_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'a created deploy token' do
+  let(:deploy_token_params) do
+    {
+      name: 'deployer_token',
+      expires_at: 1.month.from_now.to_date.to_s,
+      username: 'deployer',
+      read_repository: '1',
+      deploy_token_type: deploy_token_type
+    }
+  end
+
+  subject(:create_deploy_token) { post :create_deploy_token, params: create_entity_params.merge({ deploy_token: deploy_token_params }) }
+
+  it 'creates deploy token' do
+    expect { create_deploy_token }.to change { DeployToken.active.count }.by(1)
+
+    expect(response).to have_gitlab_http_status(:ok)
+    expect(response).to render_template(:show)
+  end
+end
--- a/spec/support/shared_examples/features/deploy_token_shared_examples.rb
+++ b/spec/support/shared_examples/features/deploy_token_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'a deploy token in ci/cd settings' do
+  it 'view deploy tokens' do
+    within('.deploy-tokens') do
+      expect(page).to have_content(deploy_token.name)
+      expect(page).to have_content('read_repository')
+      expect(page).to have_content('read_registry')
+    end
+  end
+
+  it 'add a new deploy token' do
+    fill_in 'deploy_token_name', with: 'new_deploy_key'
+    fill_in 'deploy_token_expires_at', with: (Date.today + 1.month).to_s
+    fill_in 'deploy_token_username', with: 'deployer'
+    check 'deploy_token_read_repository'
+    check 'deploy_token_read_registry'
+    click_button 'Create deploy token'
+
+    expect(page).to have_content("Your new #{entity_type} deploy token has been created")
+
+    within('.created-deploy-token-container') do
+      expect(page).to have_selector("input[name='deploy-token-user'][value='deployer']")
+      expect(page).to have_selector("input[name='deploy-token'][readonly='readonly']")
+    end
+  end
+end