Commit 5552d7e8 authored by Etienne Baqué's avatar Etienne Baqué

Fixed group deploy token API authorizations

Updated authorizations for group deploy tokens API.
Updated rspec accordingly.
parent c9d043c6
...@@ -34,6 +34,18 @@ class Groups::ApplicationController < ApplicationController ...@@ -34,6 +34,18 @@ class Groups::ApplicationController < ApplicationController
end end
end end
def authorize_create_deploy_token!
unless can?(current_user, :create_deploy_token, group)
return render_404
end
end
def authorize_destroy_deploy_token!
unless can?(current_user, :destroy_deploy_token, group)
return render_404
end
end
def authorize_admin_group_member! def authorize_admin_group_member!
unless can?(current_user, :admin_group_member, group) unless can?(current_user, :admin_group_member, group)
return render_403 return render_403
......
# frozen_string_literal: true # frozen_string_literal: true
class Groups::DeployTokensController < Groups::ApplicationController class Groups::DeployTokensController < Groups::ApplicationController
before_action :authorize_admin_group! before_action :authorize_destroy_deploy_token!
def revoke def revoke
@token = @group.deploy_tokens.find(params[:id]) @token = @group.deploy_tokens.find(params[:id])
......
...@@ -4,7 +4,7 @@ module Groups ...@@ -4,7 +4,7 @@ module Groups
module Settings module Settings
class RepositoryController < Groups::ApplicationController class RepositoryController < Groups::ApplicationController
skip_cross_project_access_check :show skip_cross_project_access_check :show
before_action :authorize_admin_group! before_action :authorize_create_deploy_token!
before_action :define_deploy_token_variables before_action :define_deploy_token_variables
before_action do before_action do
push_frontend_feature_flag(:ajax_new_deploy_token, @group) push_frontend_feature_flag(:ajax_new_deploy_token, @group)
......
...@@ -110,9 +110,7 @@ class GroupPolicy < BasePolicy ...@@ -110,9 +110,7 @@ class GroupPolicy < BasePolicy
enable :create_cluster enable :create_cluster
enable :update_cluster enable :update_cluster
enable :admin_cluster enable :admin_cluster
enable :destroy_deploy_token
enable :read_deploy_token enable :read_deploy_token
enable :create_deploy_token
end end
rule { owner }.policy do rule { owner }.policy do
...@@ -124,6 +122,8 @@ class GroupPolicy < BasePolicy ...@@ -124,6 +122,8 @@ class GroupPolicy < BasePolicy
enable :set_note_created_at enable :set_note_created_at
enable :set_emails_disabled enable :set_emails_disabled
enable :update_default_branch_protection enable :update_default_branch_protection
enable :create_deploy_token
enable :destroy_deploy_token
end end
rule { can?(:read_nested_project_resources) }.policy do rule { can?(:read_nested_project_resources) }.policy do
......
---
title: Fix group deploy token API authorizations
merge_request:
author:
type: security
...@@ -136,7 +136,8 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git ...@@ -136,7 +136,8 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git
## Group deploy tokens ## Group deploy tokens
These endpoints require group maintainer access or higher. Group maintainers and owners can list group deploy
tokens. Only group owners can create and delete group deploy tokens.
### List group deploy tokens ### List group deploy tokens
......
...@@ -255,6 +255,8 @@ group. ...@@ -255,6 +255,8 @@ group.
| Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) | | Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) |
| Edit group settings | | | | | ✓ | | Edit group settings | | | | | ✓ |
| Manage group level CI/CD variables | | | | | ✓ | | Manage group level CI/CD variables | | | | | ✓ |
| List group deploy tokens | | | | ✓ | ✓ |
| Create/Delete group deploy tokens | | | | | ✓ |
| Manage group members | | | | | ✓ | | Manage group members | | | | | ✓ |
| Delete group | | | | | ✓ | | Delete group | | | | | ✓ |
| Delete group epic **(ULTIMATE)** | | | | | ✓ | | Delete group epic **(ULTIMATE)** | | | | | ✓ |
......
...@@ -204,7 +204,7 @@ describe API::DeployTokens do ...@@ -204,7 +204,7 @@ describe API::DeployTokens do
end end
context 'deploy token creation' do context 'deploy token creation' do
shared_examples 'creating a deploy token' do |entity, unauthenticated_response| shared_examples 'creating a deploy token' do |entity, unauthenticated_response, authorized_role|
let(:expires_time) { 1.year.from_now } let(:expires_time) { 1.year.from_now }
let(:params) do let(:params) do
{ {
...@@ -231,9 +231,9 @@ describe API::DeployTokens do ...@@ -231,9 +231,9 @@ describe API::DeployTokens do
it { is_expected.to have_gitlab_http_status(:forbidden) } it { is_expected.to have_gitlab_http_status(:forbidden) }
end end
context 'when authenticated as maintainer' do context "when authenticated as #{authorized_role}" do
before do before do
send(entity).add_maintainer(user) send(entity).send("add_#{authorized_role}", user)
end end
it 'creates the deploy token' do it 'creates the deploy token' do
...@@ -282,7 +282,7 @@ describe API::DeployTokens do ...@@ -282,7 +282,7 @@ describe API::DeployTokens do
response response
end end
it_behaves_like 'creating a deploy token', :project, :not_found it_behaves_like 'creating a deploy token', :project, :not_found, :maintainer
end end
describe 'POST /groups/:id/deploy_tokens' do describe 'POST /groups/:id/deploy_tokens' do
...@@ -291,7 +291,17 @@ describe API::DeployTokens do ...@@ -291,7 +291,17 @@ describe API::DeployTokens do
response response
end end
it_behaves_like 'creating a deploy token', :group, :forbidden it_behaves_like 'creating a deploy token', :group, :forbidden, :owner
context 'when authenticated as maintainer' do
before do
group.add_maintainer(user)
end
let(:params) { { name: 'test', scopes: ['read_repository'] } }
it { is_expected.to have_gitlab_http_status(:forbidden) }
end
end end
end end
...@@ -320,6 +330,14 @@ describe API::DeployTokens do ...@@ -320,6 +330,14 @@ describe API::DeployTokens do
group.add_maintainer(user) group.add_maintainer(user)
end end
it { is_expected.to have_gitlab_http_status(:forbidden) }
end
context 'when authenticated as owner' do
before do
group.add_owner(user)
end
it 'calls the deploy token destroy service' do it 'calls the deploy token destroy service' do
expect(::Groups::DeployTokens::DestroyService).to receive(:new) expect(::Groups::DeployTokens::DestroyService).to receive(:new)
.with(group, user, token_id: group_deploy_token.id) .with(group, user, token_id: group_deploy_token.id)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment