Create new policies for read and destroy tokens

Splitting admin resource access tokens into read, destroy, and create tokens

Create new policies for read and destroy tokens
Splitting admin resource access tokens into read, destroy, and create tokens
11d2b257 · Serena Fang · bb2bcbd3 · 11d2b257 · 11d2b257 · 11d2b257
Commit 11d2b257 authored Mar 12, 2021 by Serena Fang
10 changed files
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -810,7 +810,7 @@ module ProjectsHelper
  end

  def project_access_token_available?(project)
-    can?(current_user, :admin_resource_access_tokens, project)
+    can?(current_user, :create_resource_access_tokens, project)
  end

  def build_project_breadcrumb_link(project)

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -213,8 +213,16 @@ class GroupPolicy < BasePolicy
  rule { developer & dependency_proxy_available }
    .enable :admin_dependency_proxy

-  rule { resource_access_token_available & can?(:admin_group) }.policy do
-    enable :admin_resource_access_tokens
+  rule { can?(:admin_group) }.policy do
+    enable :read_resource_access_tokens
+  end
+
+  rule { can?(:admin_group) }.policy do
+    enable :destroy_resource_access_tokens
+  end
+
+  rule { resource_access_token_available & can?(:read_resource_access_tokens) }.policy do
+    enable :create_resource_access_tokens
  end

  rule { support_bot & has_project_with_service_desk_enabled }.policy do

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -632,11 +632,17 @@ class ProjectPolicy < BasePolicy

  rule { project_bot }.enable :project_bot_access

-  rule { resource_access_token_available & can?(:admin_project) }.policy do
-    enable :admin_resource_access_tokens
+  rule { can?(:admin_project) }.policy do
+    enable :read_resource_access_tokens
  end

-  rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+  rule { can?(:admin_project) }.policy do
+    enable :destroy_resource_access_tokens
+  end
+
+  rule { resource_access_token_available & can?(:read_resource_access_tokens) }.policy do
+    enable :create_resource_access_tokens
+  end

  rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
    enable :set_pipeline_variables

--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -39,7 +39,7 @@ module ResourceAccessTokens
    attr_reader :resource_type, :resource

    def has_permission_to_create?
-      %w(project group).include?(resource_type) && can?(current_user, :admin_resource_access_tokens, resource)
+      %w(project group).include?(resource_type) && can?(current_user, :create_resource_access_tokens, resource)
    end

    def create_user

--- a/app/services/resource_access_tokens/revoke_service.rb
+++ b/app/services/resource_access_tokens/revoke_service.rb
@@ -39,9 +39,9 @@ module ResourceAccessTokens

    def can_destroy_bot_member?
      if resource.is_a?(Project)
-        can?(current_user, :admin_project_member, @resource)
+        can?(current_user, :destroy_resource_access_tokens, @resource)
      elsif resource.is_a?(Group)
-        can?(current_user, :admin_group_member, @resource)
+        can?(current_user, :destroy_resource_access_tokens, @resource)
      else
        false
      end

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1385,7 +1385,7 @@ RSpec.describe GroupPolicy do
          group.add_owner(owner)
        end

-        it { is_expected.to be_allowed(:admin_resource_access_tokens) }
+        it { is_expected.to be_allowed(:create_resource_access_tokens) }
      end

      context 'with developer' do
@@ -1395,7 +1395,7 @@ RSpec.describe GroupPolicy do
          group.add_developer(developer)
        end

-        it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+        it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
      end
    end
  end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1584,7 +1584,7 @@ RSpec.describe ProjectPolicy do
          project.add_maintainer(maintainer)
        end

-        it { is_expected.to be_allowed(:admin_resource_access_tokens) }
+        it { is_expected.to be_allowed(:create_resource_access_tokens) }
      end

      context 'with developer' do
@@ -1594,7 +1594,7 @@ RSpec.describe ProjectPolicy do
          project.add_developer(developer)
        end

-        it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+        it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
      end
    end
  end

--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
@@ -19,7 +19,7 @@ module API
        get ":id/access_tokens" do
          resource = find_source(source_type, params[:id])

-          next unauthorized! unless has_permission_to_read?(resource)
+          next unauthorized! unless can?(:read_resource_access_tokens)

          tokens = PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).execute

@@ -85,10 +85,6 @@ module API
      def find_token(resource, token_id)
        PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).find_by_id(token_id)
      end
-
-      def has_permission_to_read?(resource)
-        can?(current_user, :project_bot_access, resource) || can?(current_user, :admin_resource_access_tokens, resource)
-      end
    end
  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -511,7 +511,7 @@ RSpec.describe ProjectPolicy do
        project.add_maintainer(project_bot)
      end

-      it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
    end
  end


--- a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
+++ b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
@@ -5,16 +5,18 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do
    allow(::Gitlab).to receive(:com?).and_return(false)
  end

-  context 'with owner' do
-    let(:current_user) { owner }
+  context 'create resource access tokens' do
+    context 'with owner' do
+      let(:current_user) { owner }

-    it { is_expected.to be_allowed(:admin_resource_access_tokens) }
-  end
+      it { is_expected.to be_allowed(:create_resource_access_tokens) }
+    end

-  context 'with developer' do
-    let(:current_user) { developer }
+    context 'with developer' do
+      let(:current_user) { developer }

-    it { is_expected.not_to be_allowed(:admin_resource_access_tokens) }
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+    end
  end
 end

@@ -27,6 +29,6 @@ RSpec.shared_examples 'GitLab.com Core resource access tokens' do
  context 'with owner' do
    let(:current_user) { owner }

-    it { is_expected.not_to be_allowed(:admin_resource_access_tokens) }
+    it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
  end
 end