Merge branch '21811-project-delete-deploy-token' into 'master'

API endpoint for deleting project deploy tokens

See merge request gitlab-org/gitlab!25220

app/policies/project_policy.rb

@@ -315,6 +315,7 @@ class ProjectPolicy < BasePolicy
     enable :read_deploy_token
     enable :create_deploy_token
     enable :read_pod_logs
+    enable :destroy_deploy_token
   end
 
   rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror

changelogs/unreleased/21811-project-delete-deploy-token.yml

+---
+title: Add API endpoint for deleting project deploy tokens
+merge_request: 25220
+author:
+type: added

doc/api/deploy_tokens.md

@@ -78,7 +78,7 @@ Example response:
 
 ### Create a project deploy token
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21811) in GitLab 12.9.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
 
 Creates a new deploy token for a project.
 
@@ -113,6 +113,27 @@ Example response:
 }
 ```
 
+### Delete a project deploy token
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/21811) in GitLab 12.9.
+
+Removes a deploy token from the project.
+
+```
+DELETE /projects/:id/deploy_tokens/:token_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `token_id`  | integer | yes | The ID of the deploy token |
+
+Example request:
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/deploy_tokens/13"
+```
+
 ## Group deploy tokens
 
 These endpoints require group maintainer access or higher.

lib/api/deploy_tokens.rb

@@ -71,6 +71,24 @@ module API
 
         present deploy_token, with: Entities::DeployTokenWithToken
       end
+
+      desc 'Delete a project deploy token' do
+        detail 'This feature was introduced in GitLab 12.9'
+      end
+      params do
+        requires :token_id, type: Integer, desc: 'The deploy token ID'
+      end
+      delete ':id/deploy_tokens/:token_id' do
+        authorize!(:destroy_deploy_token, user_project)
+
+        deploy_token = user_project.project_deploy_tokens
+          .find_by_deploy_token_id(params[:token_id])
+
+        not_found!('Deploy Token') unless deploy_token
+
+        deploy_token.destroy
+        no_content!
+      end
     end
 
     params do

spec/policies/project_policy_spec.rb

@@ -52,7 +52,7 @@ describe ProjectPolicy do
       admin_snippet admin_project_member admin_note admin_wiki admin_project
       admin_commit_status admin_build admin_container_image
       admin_pipeline admin_environment admin_deployment destroy_release add_cluster
-      daily_statistics read_deploy_token create_deploy_token
+      daily_statistics read_deploy_token create_deploy_token destroy_deploy_token
     ]
   end
 

spec/requests/api/deploy_tokens_spec.rb

@@ -148,21 +148,21 @@ describe API::DeployTokens do
     end
   end
 
-  describe 'DELETE /groups/:id/deploy_tokens/:token_id' do
+  describe 'DELETE /projects/:id/deploy_tokens/:token_id' do
     subject do
-      delete api("/groups/#{group.id}/deploy_tokens/#{group_deploy_token.id}", user)
+      delete api("/projects/#{project.id}/deploy_tokens/#{deploy_token.id}", user)
       response
     end
 
     context 'when unauthenticated' do
       let(:user) { nil }
 
-      it { is_expected.to have_gitlab_http_status(:forbidden) }
+      it { is_expected.to have_gitlab_http_status(:not_found) }
     end
 
     context 'when authenticated as non-admin user' do
       before do
-        group.add_developer(user)
+        project.add_developer(user)
       end
 
       it { is_expected.to have_gitlab_http_status(:forbidden) }
@@ -170,26 +170,26 @@ describe API::DeployTokens do
 
     context 'when authenticated as maintainer' do
       before do
-        group.add_maintainer(user)
+        project.add_maintainer(user)
       end
 
-      it 'deletes the deploy token' do
-        expect { subject }.to change { group.deploy_tokens.count }.by(-1)
+      it { is_expected.to have_gitlab_http_status(:no_content) }
 
-        expect(group.deploy_tokens).to be_empty
+      it 'deletes the deploy token' do
+        expect { subject }.to change { project.deploy_tokens.count }.by(-1)
       end
 
       context 'invalid request' do
         it 'returns not found with invalid group id' do
-          delete api("/groups/bad_id/deploy_tokens/#{group_deploy_token.id}", user)
+          delete api("/projects/bad_id/deploy_tokens/#{group_deploy_token.id}", user)
 
           expect(response).to have_gitlab_http_status(:not_found)
         end
 
-        it 'returns not found with invalid deploy token id' do
-          delete api("/groups/#{group.id}/deploy_tokens/bad_id", user)
+        it 'returns bad_request with invalid token id' do
+          delete api("/projects/#{project.id}/deploy_tokens/123abc", user)
 
-          expect(response).to have_gitlab_http_status(:not_found)
+          expect(response).to have_gitlab_http_status(:bad_request)
         end
       end
     end
@@ -262,4 +262,51 @@ describe API::DeployTokens do
       it_behaves_like 'creating a deploy token', :group, :forbidden
     end
   end
+
+  describe 'DELETE /groups/:id/deploy_tokens/:token_id' do
+    subject do
+      delete api("/groups/#{group.id}/deploy_tokens/#{group_deploy_token.id}", user)
+      response
+    end
+
+    context 'when unauthenticated' do
+      let(:user) { nil }
+
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+
+    context 'when authenticated as non-admin user' do
+      before do
+        group.add_developer(user)
+      end
+
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+
+    context 'when authenticated as maintainer' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it 'deletes the deploy token' do
+        expect { subject }.to change { group.deploy_tokens.count }.by(-1)
+
+        expect(group.deploy_tokens).to be_empty
+      end
+
+      context 'invalid request' do
+        it 'returns bad request with invalid group id' do
+          delete api("/groups/bad_id/deploy_tokens/#{group_deploy_token.id}", user)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+
+        it 'returns not found with invalid deploy token id' do
+          delete api("/groups/#{group.id}/deploy_tokens/bad_id", user)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
 end