Add revoked status to cluster agent tokens

Changelog: added

Add revoked status to cluster agent tokens
Changelog: added
28384244 · Tiger · f8495767 · 28384244 · 28384244 · 28384244
Commit 28384244 authored Dec 10, 2021 by Tiger
12 changed files
--- a/app/graphql/types/clusters/agent_token_type.rb
+++ b/app/graphql/types/clusters/agent_token_type.rb
@@ -44,6 +44,11 @@ module Types
            null: true,
            description: 'Name given to the token.'

+      field :status,
+            GraphQL::Types::String,
+            null: true,
+            description: 'Current status of the token.'
+
      def cluster_agent
        Gitlab::Graphql::Loaders::BatchModelLoader.new(::Clusters::Agent, object.agent_id).find
      end

--- a/app/models/clusters/agent.rb
+++ b/app/models/clusters/agent.rb
@@ -36,8 +36,8 @@ module Clusters
      requested_project == project
    end

-    def active?
-      agent_tokens.where("last_used_at > ?", INACTIVE_AFTER.ago).exists?
+    def connected?
+      agent_tokens.active.where("last_used_at > ?", INACTIVE_AFTER.ago).exists?
    end
  end
 end
--- a/app/models/clusters/agent_token.rb
+++ b/app/models/clusters/agent_token.rb
@@ -23,13 +23,18 @@ module Clusters

    scope :order_last_used_at_desc, -> { order(::Gitlab::Database.nulls_last_order('last_used_at', 'DESC')) }

+    enum status: {
+      active: 0,
+      revoked: 1
+    }
+
    def track_usage
      track_values = { last_used_at: Time.current.utc }

      cache_attributes(track_values)

      if can_update_track_values?
-        log_activity_event!(track_values[:last_used_at]) unless agent.active?
+        log_activity_event!(track_values[:last_used_at]) unless agent.connected?

        # Use update_column so updated_at is skipped
        update_columns(track_values)

--- a/db/migrate/20211209230042_add_status_to_cluster_agent_tokens.rb
+++ b/db/migrate/20211209230042_add_status_to_cluster_agent_tokens.rb
+# frozen_string_literal: true
+
+class AddStatusToClusterAgentTokens < Gitlab::Database::Migration[1.0]
+  def change
+    add_column :cluster_agent_tokens, :status, :smallint, null: false, default: 0
+  end
+end
--- a/db/schema_migrations/20211209230042
+++ b/db/schema_migrations/20211209230042
+907fafc18fa515fff8f716f6464263ccc8a9b6e5ead36f30b05089100fd71b6b
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -12383,6 +12383,7 @@ CREATE TABLE cluster_agent_tokens (
    description text,
    name text,
    last_used_at timestamp with time zone,
+    status smallint DEFAULT 0 NOT NULL,
    CONSTRAINT check_0fb634d04d CHECK ((name IS NOT NULL)),
    CONSTRAINT check_2b79dbb315 CHECK ((char_length(name) <= 255)),
    CONSTRAINT check_4e4ec5070a CHECK ((char_length(description) <= 1024)),
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -8908,6 +8908,7 @@ GitLab CI/CD configuration template.
 | <a id="clusteragenttokenid"></a>`id` | [`ClustersAgentTokenID!`](#clustersagenttokenid) | Global ID of the token. |
 | <a id="clusteragenttokenlastusedat"></a>`lastUsedAt` | [`Time`](#time) | Timestamp the token was last used. |
 | <a id="clusteragenttokenname"></a>`name` | [`String`](#string) | Name given to the token. |
+| <a id="clusteragenttokenstatus"></a>`status` | [`String`](#string) | Current status of the token. |

 ### `CodeCoverageActivity`

--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -165,7 +165,7 @@ module Gitlab

        authorization_token, _options = token_and_options(current_request)

-        ::Clusters::AgentToken.find_by_token(authorization_token)
+        ::Clusters::AgentToken.active.find_by_token(authorization_token)
      end

      def find_runner_from_token

--- a/spec/graphql/types/clusters/agent_token_type_spec.rb
+++ b/spec/graphql/types/clusters/agent_token_type_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'

 RSpec.describe GitlabSchema.types['ClusterAgentToken'] do
-  let(:fields) { %i[cluster_agent created_at created_by_user description id last_used_at name] }
+  let(:fields) { %i[cluster_agent created_at created_by_user description id last_used_at name status] }

  it { expect(described_class.graphql_name).to eq('ClusterAgentToken') }


--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -939,21 +939,19 @@ RSpec.describe Gitlab::Auth::AuthFinders do
  end

  describe '#cluster_agent_token_from_authorization_token' do
-    let_it_be(:agent_token, freeze: true) { create(:cluster_agent_token) }
+    let_it_be(:agent_token) { create(:cluster_agent_token) }
+
+    subject { cluster_agent_token_from_authorization_token }

    context 'when route_setting is empty' do
-      it 'returns nil' do
-        expect(cluster_agent_token_from_authorization_token).to be_nil
-      end
+      it { is_expected.to be_nil }
    end

    context 'when route_setting allows cluster agent token' do
      let(:route_authentication_setting) { { cluster_agent_token_allowed: true } }

      context 'Authorization header is empty' do
-        it 'returns nil' do
-          expect(cluster_agent_token_from_authorization_token).to be_nil
-        end
+        it { is_expected.to be_nil }
      end

      context 'Authorization header is incorrect' do
@@ -961,9 +959,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
          request.headers['Authorization'] = 'Bearer ABCD'
        end

-        it 'returns nil' do
-          expect(cluster_agent_token_from_authorization_token).to be_nil
-        end
+        it { is_expected.to be_nil }
      end

      context 'Authorization header is malformed' do
@@ -971,9 +967,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
          request.headers['Authorization'] = 'Bearer'
        end

-        it 'returns nil' do
-          expect(cluster_agent_token_from_authorization_token).to be_nil
-        end
+        it { is_expected.to be_nil }
      end

      context 'Authorization header matches agent token' do
@@ -981,8 +975,14 @@ RSpec.describe Gitlab::Auth::AuthFinders do
          request.headers['Authorization'] = "Bearer #{agent_token.token}"
        end

-        it 'returns the agent token' do
-          expect(cluster_agent_token_from_authorization_token).to eq(agent_token)
+        it { is_expected.to eq(agent_token) }
+
+        context 'agent token has been revoked' do
+          before do
+            agent_token.revoked!
+          end
+
+          it { is_expected.to be_nil }
        end
      end
    end

--- a/spec/models/clusters/agent_spec.rb
+++ b/spec/models/clusters/agent_spec.rb
@@ -76,12 +76,12 @@ RSpec.describe Clusters::Agent do
    end
  end

-  describe '#active?' do
+  describe '#connected?' do
    let_it_be(:agent) { create(:cluster_agent) }

    let!(:token) { create(:cluster_agent_token, agent: agent, last_used_at: last_used_at) }

-    subject { agent.active? }
+    subject { agent.connected? }

    context 'agent has never connected' do
      let(:last_used_at) { nil }
@@ -99,6 +99,14 @@ RSpec.describe Clusters::Agent do
      let(:last_used_at) { 2.minutes.ago }

      it { is_expected.to be_truthy }
+
+      context 'agent token has been revoked' do
+        before do
+          token.revoked!
+        end
+
+        it { is_expected.to be_falsey }
+      end
    end

    context 'agent has multiple tokens' do

--- a/spec/models/clusters/agent_token_spec.rb
+++ b/spec/models/clusters/agent_token_spec.rb
@@ -9,6 +9,8 @@ RSpec.describe Clusters::AgentToken do
  it { is_expected.to validate_length_of(:name).is_at_most(255) }
  it { is_expected.to validate_presence_of(:name) }

+  it_behaves_like 'having unique enum values'
+
  describe 'scopes' do
    describe '.order_last_used_at_desc' do
      let_it_be(:token_1) { create(:cluster_agent_token, last_used_at: 7.days.ago) }
@@ -76,9 +78,9 @@ RSpec.describe Clusters::AgentToken do
        end
      end

-      context 'agent is inactive' do
+      context 'agent is not connected' do
        before do
-          allow(agent).to receive(:active?).and_return(false)
+          allow(agent).to receive(:connected?).and_return(false)
        end

        it 'creates an activity event' do
@@ -94,9 +96,9 @@ RSpec.describe Clusters::AgentToken do
        end
      end

-      context 'agent is active' do
+      context 'agent is connected' do
        before do
-          allow(agent).to receive(:active?).and_return(true)
+          allow(agent).to receive(:connected?).and_return(true)
        end

        it 'does not create an activity event' do