Merge branch '21811-group-list-deploy-tokens' into 'master'

API endpoint to list deploy tokens in a group See merge request gitlab-org/gitlab!25219

Merge branch '21811-group-list-deploy-tokens' into 'master'
API endpoint to list deploy tokens in a group See merge request gitlab-org/gitlab!25219
68f4922d · Shinya Maeda · 2a04cd76 · df535ca4 · 68f4922d · 68f4922d
Commit 68f4922d authored Mar 11, 2020 by Shinya Maeda
5 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -94,6 +94,7 @@ class GroupPolicy < BasePolicy
    enable :update_cluster
    enable :admin_cluster
    enable :destroy_deploy_token
+    enable :read_deploy_token
  end
  rule { owner }.policy do

--- a/changelogs/unreleased/21811-group-list-deploy-tokens.yml
+++ b/changelogs/unreleased/21811-group-list-deploy-tokens.yml
+---
+title: Add api endpoint for listing deploy tokens for a group
+merge_request: 25219
+author:
+type: added
--- a/doc/api/deploy_tokens.md
+++ b/doc/api/deploy_tokens.md
@@ -2,6 +2,8 @@
 ## List all deploy tokens
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
 Get a list of all deploy tokens across the GitLab instance. This endpoint requires admin access.
 ```plaintext
@@ -37,6 +39,8 @@ Project deploy token API endpoints require project maintainer access or higher.
 ### List project deploy tokens
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
 Get a list of a project's deploy tokens.
 ```plaintext
@@ -113,8 +117,49 @@ Example response:
 These endpoints require group maintainer access or higher.
+### List group deploy deploy tokens
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
+Get a list of a group's deploy tokens
+```
+GET /groups/:id/deploy_tokens
+```
+Parameters:
+| Attribute      | Type           | Required | Description                                                                  |
+|:---------------|:---------------|:---------|:-----------------------------------------------------------------------------|
+| `id`           | integer/string | yes      | ID or [URL-encoded path of the project](README.md#namespaced-path-encoding). |
+Example request:
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/1/deploy_tokens"
+```
+Example response:
+```json
+[
+  {
+    "id": 1,
+    "name": "MyToken",
+    "username": "gitlab+deploy-token-1",
+    "expires_at": "2020-02-14T00:00:00.000Z",
+    "scopes": [
+      "read_repository",
+      "read_registry"
+    ]
+  }
+]
+```
 ### Delete a group deploy token
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
 Removes a deploy token from the group.
 ```

--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -23,6 +23,8 @@ module API
      use :pagination
    end
    get 'deploy_tokens' do
+      service_unavailable! unless Feature.enabled?(:deploy_tokens_api, default_enabled: true)
      authenticated_as_admin!
      present paginate(DeployToken.all), with: Entities::DeployToken
@@ -32,6 +34,10 @@ module API
      requires :id, type: Integer, desc: 'The ID of a project'
    end
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      before do
+        service_unavailable! unless Feature.enabled?(:deploy_tokens_api, user_project, default_enabled: true)
+      end
      params do
        use :pagination
      end
@@ -71,6 +77,23 @@ module API
      requires :id, type: Integer, desc: 'The ID of a group'
    end
    resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      before do
+        service_unavailable! unless Feature.enabled?(:deploy_tokens_api, user_group, default_enabled: true)
+      end
+      params do
+        use :pagination
+      end
+      desc 'List deploy tokens for a group' do
+        detail 'This feature was introduced in GitLab 12.9'
+        success Entities::DeployToken
+      end
+      get ':id/deploy_tokens' do
+        authorize!(:read_deploy_token, user_group)
+        present paginate(user_group.deploy_tokens), with: Entities::DeployToken
+      end
      desc 'Delete a group deploy token' do
        detail 'This feature was introduced in GitLab 12.9'
      end

--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -10,12 +10,24 @@ describe API::DeployTokens do
  let!(:deploy_token) { create(:deploy_token, projects: [project]) }
  let!(:group_deploy_token) { create(:deploy_token, :group, groups: [group]) }
+  shared_examples 'with feature flag disabled' do
+    context 'disabled feature flag' do
+      before do
+        stub_feature_flags(deploy_tokens_api: false)
+      end
+      it { is_expected.to have_gitlab_http_status(:service_unavailable) }
+    end
+  end
  describe 'GET /deploy_tokens' do
    subject do
      get api('/deploy_tokens', user)
      response
    end
+    it_behaves_like 'with feature flag disabled'
    context 'when unauthenticated' do
      let(:user) { nil }
@@ -69,6 +81,8 @@ describe API::DeployTokens do
        project.add_maintainer(user)
      end
+      it_behaves_like 'with feature flag disabled'
      it { is_expected.to have_gitlab_http_status(:ok) }
      it 'returns all deploy tokens for the project' do
@@ -87,6 +101,53 @@ describe API::DeployTokens do
    end
  end
+  describe 'GET /groups/:id/deploy_tokens' do
+    subject do
+      get api("/groups/#{group.id}/deploy_tokens", user)
+      response
+    end
+    context 'when unauthenticated' do
+      let(:user) { nil }
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+    context 'when authenticated as non-admin user' do
+      before do
+        group.add_developer(user)
+      end
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+    context 'when authenticated as maintainer' do
+      let!(:other_deploy_token) { create(:deploy_token, :group) }
+      before do
+        group.add_maintainer(user)
+      end
+      it_behaves_like 'with feature flag disabled'
+      it { is_expected.to have_gitlab_http_status(:ok) }
+      it 'returns all deploy tokens for the group' do
+        subject
+        expect(response).to include_pagination_headers
+        expect(response).to match_response_schema('public_api/v4/deploy_tokens')
+      end
+      it 'does not return deploy tokens for other groups' do
+        subject
+        token_ids = json_response.map { |token| token['id'] }
+        expect(token_ids).not_to include(other_deploy_token.id)
+      end
+    end
+  end
  describe 'DELETE /groups/:id/deploy_tokens/:token_id' do
    subject do
      delete api("/groups/#{group.id}/deploy_tokens/#{group_deploy_token.id}", user)
@@ -119,10 +180,10 @@ describe API::DeployTokens do
      end
      context 'invalid request' do
-        it 'returns bad request with invalid group id' do
+        it 'returns not found with invalid group id' do
          delete api("/groups/bad_id/deploy_tokens/#{group_deploy_token.id}", user)
-          expect(response).to have_gitlab_http_status(:bad_request)
+          expect(response).to have_gitlab_http_status(:not_found)
        end
        it 'returns not found with invalid deploy token id' do