Merge branch '21811-project-create-deploy-tokens' into 'master'

API endpoint for creating project deploy tokens See merge request gitlab-org/gitlab!25270

Merge branch '21811-project-create-deploy-tokens' into 'master'
API endpoint for creating project deploy tokens See merge request gitlab-org/gitlab!25270
0765ffdc · Achilleas Pipinellis · 92e160e6 · 6a7f693a · 0765ffdc · 0765ffdc
Commit 0765ffdc authored Mar 10, 2020 by Achilleas Pipinellis
8 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -313,6 +313,7 @@ class ProjectPolicy < BasePolicy
    enable :daily_statistics
    enable :admin_operations
    enable :read_deploy_token
+    enable :create_deploy_token
  end
  rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror

--- a/changelogs/unreleased/21811-project-create-deploy-tokens.yml
+++ b/changelogs/unreleased/21811-project-create-deploy-tokens.yml
+---
+title: Add api endpoint to create deploy tokens
+merge_request: 25270
+author:
+type: added
--- a/doc/api/deploy_tokens.md
+++ b/doc/api/deploy_tokens.md
@@ -72,6 +72,43 @@ Example response:
 ]
 ```
+### Create a project deploy token
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21811) in GitLab 12.9.
+Creates a new deploy token for a project.
+```
+POST /projects/:id/deploy_tokens
+```
+| Attribute  | Type | Required | Description |
+| ---------  | ---- | -------- | ----------- |
+| `id`       | integer/string   | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `name`            | string    | yes | New deploy token's name |
+| `expires_at`      | datetime  | no  | Expiration date for the deploy token. Does not expire if no value is provided. |
+| `username`        | string    | no  | Username for deploy token. Default is `gitlab+deploy-token-{n}` |
+| `scopes`   | array of strings | yes | Indicates the deploy token scopes. Must be at least one of `read_repository` or `read_registry`. |
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" --header "Content-Type: application/json" --data '{"name": "My deploy token", "expires_at": "2021-01-01", "username": "custom-user", "scopes": ["read_repository"]}' "https://gitlab.example.com/api/v4/projects/5/deploy_tokens/"
+```
+Example response:
+```json
+{
+  "id": 1,
+  "name": "My deploy token",
+  "username": "custom-user",
+  "expires_at": "2021-01-01T00:00:00.000Z",
+  "token": "jMRvtPNxrn3crTAGukpZ",
+  "scopes": [
+    "read_repository"
+  ]
+}
+```
 ## Group deploy tokens
 These endpoints require group maintainer access or higher.

--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -4,6 +4,17 @@ module API
  class DeployTokens < Grape::API
    include PaginationParams
+    helpers do
+      def scope_params
+        scopes = params.delete(:scopes)
+        result_hash = {}
+        result_hash[:read_registry] = scopes.include?('read_registry')
+        result_hash[:read_repository] = scopes.include?('read_repository')
+        result_hash
+      end
+    end
    desc 'Return all deploy tokens' do
      detail 'This feature was introduced in GitLab 12.9.'
      success Entities::DeployToken
@@ -33,6 +44,27 @@ module API
        present paginate(user_project.deploy_tokens), with: Entities::DeployToken
      end
+      params do
+        requires :name, type: String, desc: "New deploy token's name"
+        requires :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
+        requires :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
+        requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
+          desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository" or "read_registry".'
+      end
+      desc 'Create a project deploy token' do
+        detail 'This feature was introduced in GitLab 12.9'
+        success Entities::DeployTokenWithToken
+      end
+      post ':id/deploy_tokens' do
+        authorize!(:create_deploy_token, user_project)
+        deploy_token = ::Projects::DeployTokens::CreateService.new(
+          user_project, current_user, scope_params.merge(declared(params, include_missing: false, include_parent_namespaces: false))
+        ).execute
+        present deploy_token, with: Entities::DeployTokenWithToken
+      end
    end
    params do

--- a/lib/api/entities/deploy_token_with_token.rb
+++ b/lib/api/entities/deploy_token_with_token.rb
+# frozen_string_literal: true
+module API
+  module Entities
+    class DeployTokenWithToken < Entities::DeployToken
+      expose :token
+    end
+  end
+end
--- a/spec/fixtures/api/schemas/public_api/v4/deploy_token.json
+++ b/spec/fixtures/api/schemas/public_api/v4/deploy_token.json
@@ -25,7 +25,9 @@
      "items": {
        "type": "string"
      }
-    }
    },
-  "additionalProperties": false
+    "token": {
+      "type": "string"
+    }
+  }
 }
\ No newline at end of file
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -52,7 +52,7 @@ describe ProjectPolicy do
      admin_snippet admin_project_member admin_note admin_wiki admin_project
      admin_commit_status admin_build admin_container_image
      admin_pipeline admin_environment admin_deployment destroy_release add_cluster
-      daily_statistics read_deploy_token
+      daily_statistics read_deploy_token create_deploy_token
    ]
  end

--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -133,4 +133,57 @@ describe API::DeployTokens do
      end
    end
  end
+  describe 'POST /projects/:id/deploy_tokens' do
+    let(:params) do
+      {
+        name: 'Foo',
+        expires_at: 1.year.from_now,
+        scopes: [
+          'read_repository'
+        ],
+        username: 'Bar'
+      }
+    end
+    subject do
+      post api("/projects/#{project.id}/deploy_tokens", user), params: params
+      response
+    end
+    context 'when unauthenticated' do
+      let(:user) { nil }
+      it { is_expected.to have_gitlab_http_status(:not_found) }
+    end
+    context 'when authenticated as non-admin user' do
+      before do
+        project.add_developer(user)
+      end
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+    context 'when authenticated as maintainer' do
+      before do
+        project.add_maintainer(user)
+      end
+      it 'creates the deploy token' do
+        expect { subject }.to change { DeployToken.count }.by(1)
+        expect(response).to have_gitlab_http_status(:created)
+        expect(response).to match_response_schema('public_api/v4/deploy_token')
+      end
+      context 'with an invalid scope' do
+        before do
+          params[:scopes] = %w[read_repository all_access]
+        end
+        it { is_expected.to have_gitlab_http_status(:bad_request) }
+      end
+    end
+  end
 end