Commit e9c2a836 authored by James Fargher's avatar James Fargher

Merge branch 'feature/get-resource-access-tokens-api' into 'master'

Implement GET API for GATs and PATs

See merge request gitlab-org/gitlab!82714
parents 8701bab5 e0e72c4b
...@@ -20,7 +20,7 @@ GET groups/:id/access_tokens ...@@ -20,7 +20,7 @@ GET groups/:id/access_tokens
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
```shell ```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens"
...@@ -44,6 +44,41 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a ...@@ -44,6 +44,41 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
] ]
``` ```
## Get a group access token
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82714) in GitLab 14.10.
Get a [group access token](../user/group/settings/group_access_tokens.md) by ID.
```plaintext
GET groups/:id/access_tokens/:token_id
```
| Attribute | Type | required | Description |
|-----------|---------|----------|---------------------|
| `id` | integer or string | yes | ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
| `token_id` | integer or string | yes | ID of the group access token |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>"
```
```json
{
"user_id" : 141,
"scopes" : [
"api"
],
"name" : "token",
"expires_at" : "2021-01-31",
"id" : 42,
"active" : true,
"created_at" : "2021-01-20T22:11:48.151Z",
"revoked" : false,
"access_level": 40
}
```
## Create a group access token ## Create a group access token
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
...@@ -56,11 +91,11 @@ POST groups/:id/access_tokens ...@@ -56,11 +91,11 @@ POST groups/:id/access_tokens
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
| `name` | String | yes | The name of the group access token | | `name` | String | yes | Name of the group access token |
| `scopes` | `Array[String]` | yes | [List of scopes](../user/group/settings/group_access_tokens.md#scopes-for-a-group-access-token) | | `scopes` | `Array[String]` | yes | [List of scopes](../user/group/settings/group_access_tokens.md#scopes-for-a-group-access-token) |
| `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). | | `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). |
| `expires_at` | Date | no | The token expires at midnight UTC on that date | | `expires_at` | Date | no | Token expires at midnight UTC on that date |
```shell ```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
...@@ -99,8 +134,8 @@ DELETE groups/:id/access_tokens/:token_id ...@@ -99,8 +134,8 @@ DELETE groups/:id/access_tokens/:token_id
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
| `token_id` | integer or string | yes | The ID of the group access token | | `token_id` | integer or string | yes | ID of the group access token |
```shell ```shell
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>" curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>"
......
...@@ -20,7 +20,7 @@ GET projects/:id/access_tokens ...@@ -20,7 +20,7 @@ GET projects/:id/access_tokens
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) |
```shell ```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens"
...@@ -44,6 +44,42 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a ...@@ -44,6 +44,42 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
] ]
``` ```
## Get a project access token
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82714) in GitLab 14.10.
Get a [project access token](../user/project/settings/project_access_tokens.md) by ID.
```plaintext
GET projects/:id/access_tokens/:token_id
```
| Attribute | Type | required | Description |
|-----------|---------|----------|---------------------|
| `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) |
| `token_id` | integer or string | yes | ID of the project access token |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<token_id>"
```
```json
{
"user_id" : 141,
"scopes" : [
"api"
],
"name" : "token",
"expires_at" : "2021-01-31",
"id" : 42,
"active" : true,
"created_at" : "2021-01-20T22:11:48.151Z",
"revoked" : false,
"access_level": 40,
"last_used_at": "2022-03-15T11:05:42.437Z"
}
```
## Create a project access token ## Create a project access token
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55408) in GitLab 13.10. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55408) in GitLab 13.10.
...@@ -56,11 +92,11 @@ POST projects/:id/access_tokens ...@@ -56,11 +92,11 @@ POST projects/:id/access_tokens
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) |
| `name` | String | yes | The name of the project access token | | `name` | String | yes | Name of the project access token |
| `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token) | | `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token) |
| `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). | | `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). |
| `expires_at` | Date | no | The token expires at midnight UTC on that date | | `expires_at` | Date | no | Token expires at midnight UTC on that date |
```shell ```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
...@@ -99,8 +135,8 @@ DELETE projects/:id/access_tokens/:token_id ...@@ -99,8 +135,8 @@ DELETE projects/:id/access_tokens/:token_id
| Attribute | Type | required | Description | | Attribute | Type | required | Description |
|-----------|---------|----------|---------------------| |-----------|---------|----------|---------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) | | `id` | integer or string | yes | ID or [URL-encoded path of the project](index.md#namespaced-path-encoding) |
| `token_id` | integer or string | yes | The ID of the project access token | | `token_id` | integer or string | yes | ID of the project access token |
```shell ```shell
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<token_id>" curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<token_id>"
......
...@@ -27,6 +27,28 @@ module API ...@@ -27,6 +27,28 @@ module API
present paginate(tokens), with: Entities::ResourceAccessToken, resource: resource present paginate(tokens), with: Entities::ResourceAccessToken, resource: resource
end end
desc 'Get an access token for the specified resource by ID' do
detail 'This feature was introduced in GitLab 14.10.'
end
params do
requires :id, type: String, desc: "The #{source_type} ID"
requires :token_id, type: String, desc: "The ID of the token"
end
get ":id/access_tokens/:token_id" do
resource = find_source(source_type, params[:id])
next unauthorized! unless current_user.can?(:read_resource_access_tokens, resource)
token = find_token(resource, params[:token_id])
if token.nil?
next not_found!("Could not find #{source_type} access token with token_id: #{params[:token_id]}")
end
resource.members.load
present token, with: Entities::ResourceAccessToken, resource: resource
end
desc 'Revoke a resource access token' do desc 'Revoke a resource access token' do
detail 'This feature was introduced in GitLab 13.9.' detail 'This feature was introduced in GitLab 13.9.'
end end
......
{
"type": "object",
"required": [
"id",
"name",
"user_id",
"active",
"created_at",
"expires_at",
"revoked",
"access_level",
"scopes",
"last_used_at"
],
"properties": {
"id": { "type": "integer" },
"name": { "type": "string" },
"user_id": { "type": "integer" },
"active": { "type": "boolean" },
"created_at": { "type": "string", "format": "date-time" },
"expires_at": { "type": ["string", "null"], "format": "date" },
"revoked": { "type": "boolean" },
"access_level": { "type": "integer" },
"scopes": {
"type": "array",
"items": { "type": "string" }
},
"last_used_at": { "type": ["string", "null"], "format": "date-time" }
},
"additionalProperties": false
}
{
"type": "array",
"items": { "$ref": "resource_access_token.json" }
}
...@@ -29,6 +29,8 @@ RSpec.describe API::ResourceAccessTokens do ...@@ -29,6 +29,8 @@ RSpec.describe API::ResourceAccessTokens do
token_ids = json_response.map { |token| token['id'] } token_ids = json_response.map { |token| token['id'] }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(response).to match_response_schema('public_api/v4/resource_access_tokens')
expect(token_ids).to match_array(access_tokens.pluck(:id)) expect(token_ids).to match_array(access_tokens.pluck(:id))
end end
...@@ -131,6 +133,103 @@ RSpec.describe API::ResourceAccessTokens do ...@@ -131,6 +133,103 @@ RSpec.describe API::ResourceAccessTokens do
end end
end end
context "GET #{source_type}s/:id/access_tokens/:token_id" do
subject(:get_token) { get api("/#{source_type}s/#{resource_id}/access_tokens/#{token_id}", user) }
let_it_be(:project_bot) { create(:user, :project_bot) }
let_it_be(:token) { create(:personal_access_token, user: project_bot) }
let_it_be(:resource_id) { resource.id }
let_it_be(:token_id) { token.id }
before do
if source_type == 'project'
resource.add_maintainer(project_bot)
else
resource.add_owner(project_bot)
end
end
context "when the user has valid permissions" do
it "gets the #{source_type} access token from the #{source_type}" do
get_token
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/resource_access_token')
expect(json_response["name"]).to eq(token.name)
expect(json_response["scopes"]).to eq(token.scopes)
if source_type == 'project'
expect(json_response["access_level"]).to eq(resource.team.max_member_access(token.user.id))
else
expect(json_response["access_level"]).to eq(resource.max_member_access_for_user(token.user))
end
expect(json_response["expires_at"]).to eq(token.expires_at.to_date.iso8601)
end
context "when using #{source_type} access token to GET other #{source_type} access token" do
let_it_be(:other_project_bot) { create(:user, :project_bot) }
let_it_be(:other_token) { create(:personal_access_token, user: other_project_bot) }
let_it_be(:token_id) { other_token.id }
before do
resource.add_maintainer(other_project_bot)
end
it "gets the #{source_type} access token from the #{source_type}" do
get_token
expect(response).to have_gitlab_http_status(:ok)
expect(response).to match_response_schema('public_api/v4/resource_access_token')
expect(json_response["name"]).to eq(other_token.name)
expect(json_response["scopes"]).to eq(other_token.scopes)
if source_type == 'project'
expect(json_response["access_level"]).to eq(resource.team.max_member_access(other_token.user.id))
else
expect(json_response["access_level"]).to eq(resource.max_member_access_for_user(other_token.user))
end
expect(json_response["expires_at"]).to eq(other_token.expires_at.to_date.iso8601)
end
end
context "when attempting to get a non-existent #{source_type} access token" do
let_it_be(:token_id) { non_existing_record_id }
it "does not get the token, and returns 404" do
get_token
expect(response).to have_gitlab_http_status(:not_found)
expect(response.body).to include("Could not find #{source_type} access token with token_id: #{token_id}")
end
end
context "when attempting to get a token that does not belong to the specified #{source_type}" do
let_it_be(:resource_id) { other_resource.id }
it "does not get the token, and returns 404" do
get_token
expect(response).to have_gitlab_http_status(:not_found)
expect(response.body).to include("Could not find #{source_type} access token with token_id: #{token_id}")
end
end
end
context "when the user does not have valid permissions" do
let_it_be(:user) { user_non_priviledged }
it "returns 401" do
get_token
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
context "DELETE #{source_type}s/:id/access_tokens/:token_id", :sidekiq_inline do context "DELETE #{source_type}s/:id/access_tokens/:token_id", :sidekiq_inline do
subject(:delete_token) { delete api("/#{source_type}s/#{resource_id}/access_tokens/#{token_id}", user) } subject(:delete_token) { delete api("/#{source_type}s/#{resource_id}/access_tokens/#{token_id}", user) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment