Move PAT API to CE

Moves PAT API endpoints from EE
Ultimate to CE for all users.

changelogs/unreleased/270200-downtier-pat-apis.yml

+---
+title: Move Personal Access Token API to Core
+merge_request: 46145
+author:
+type: changed

doc/api/personal_access_tokens.md

@@ -4,13 +4,14 @@ group: unassigned
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
 ---
 
-# Personal access tokens API **(ULTIMATE)**
+# Personal access tokens API
 
 You can read more about [personal access tokens](../user/profile/personal_access_tokens.md#personal-access-tokens).
 
 ## List personal access tokens
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227264) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227264) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.6.
 
 Get a list of personal access tokens.
 

ee/app/models/license.rb

@@ -136,7 +136,6 @@ class License < ApplicationRecord
     insights
     issuable_health_status
     license_scanning
-    personal_access_token_api_management
     personal_access_token_expiration_policy
     enforce_pat_expiration
     prometheus_alerts

ee/lib/ee/api/api.rb

@@ -26,7 +26,6 @@ module EE
         mount ::API::Ldap
         mount ::API::LdapGroupLinks
         mount ::API::License
-        mount ::API::PersonalAccessTokens
         mount ::API::ProjectMirror
         mount ::API::ProjectPushRule
         mount ::API::GroupPushRule

lib/api/api.rb

@@ -236,6 +236,7 @@ module API
       mount ::API::ProjectTemplates
       mount ::API::Terraform::State
       mount ::API::Terraform::StateVersion
+      mount ::API::PersonalAccessTokens
       mount ::API::ProtectedBranches
       mount ::API::ProtectedTags
       mount ::API::Releases

ee/lib/api/personal_access_tokens.rb → lib/api/personal_access_tokens.rb

@@ -37,11 +37,6 @@ module API
       def find_token(id)
         PersonalAccessToken.find(id) || not_found!
       end
-
-      def authenticate!
-        unauthorized! unless ::License.feature_available?(:personal_access_token_api_management)
-        super
-      end
     end
 
     resources :personal_access_tokens do

ee/spec/requests/api/personal_access_tokens_spec.rb → spec/requests/api/personal_access_tokens_spec.rb

@@ -9,41 +9,23 @@ RSpec.describe API::PersonalAccessTokens do
   let_it_be(:current_user) { create(:user) }
 
   describe 'GET /personal_access_tokens' do
-    context 'when unlicensed' do
-      before do
-        stub_licensed_features(personal_access_token_api_management: false)
-      end
+    context 'logged in as an Administrator' do
+      let_it_be(:current_user) { create(:admin) }
 
-      it 'responds with unauthorized' do
+      it 'returns all PATs by default' do
         get api(path, current_user)
 
-        expect(response).to have_gitlab_http_status(:unauthorized)
-      end
-    end
-
-    context 'when licensed' do
-      before do
-        stub_licensed_features(personal_access_token_api_management: true)
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response.count).to eq(PersonalAccessToken.all.count)
       end
 
-      context 'logged in as an Administrator' do
-        let_it_be(:current_user) { create(:admin) }
-
-        it 'returns all PATs by default' do
-          get api(path, current_user)
+      context 'filtered with user_id parameter' do
+        it 'returns only PATs belonging to that user' do
+          get api(path, current_user), params: { user_id: token1.user.id }
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response.count).to eq(PersonalAccessToken.all.count)
-        end
-
-        context 'filtered with user_id parameter' do
-          it 'returns only PATs belonging to that user' do
-            get api(path, current_user), params: { user_id: token1.user.id }
-
-            expect(response).to have_gitlab_http_status(:ok)
-            expect(json_response.count).to eq(1)
-            expect(json_response.first['user_id']).to eq(token1.user.id)
-          end
+          expect(json_response.count).to eq(1)
+          expect(json_response.first['user_id']).to eq(token1.user.id)
         end
       end
 
@@ -91,57 +73,39 @@ RSpec.describe API::PersonalAccessTokens do
   describe 'DELETE /personal_access_tokens/:id' do
     let(:path) { "/personal_access_tokens/#{token1.id}" }
 
-    context 'when unlicensed' do
-      before do
-        stub_licensed_features(personal_access_token_api_management: false)
-      end
-
-      it 'responds with unauthorized' do
-        delete api(path, current_user)
+    context 'when current_user is an administrator', :enable_admin_mode do
+      let_it_be(:admin_user) { create(:admin) }
+      let_it_be(:admin_token) { create(:personal_access_token, user: admin_user) }
+      let_it_be(:admin_path) { "/personal_access_tokens/#{admin_token.id}" }
 
-        expect(response).to have_gitlab_http_status(:unauthorized)
-      end
-    end
+      it 'revokes a different users token' do
+        delete api(path, admin_user)
 
-    context 'when licensed' do
-      before do
-        stub_licensed_features(personal_access_token_api_management: true)
+        expect(response).to have_gitlab_http_status(:no_content)
+        expect(token1.reload.revoked?).to be true
       end
 
-      context 'when current_user is an administrator', :enable_admin_mode do
-        let_it_be(:admin_user) { create(:admin) }
-        let_it_be(:admin_token) { create(:personal_access_token, user: admin_user) }
-        let_it_be(:admin_path) { "/personal_access_tokens/#{admin_token.id}" }
-
-        it 'revokes a different users token' do
-          delete api(path, admin_user)
-
-          expect(response).to have_gitlab_http_status(:no_content)
-          expect(token1.reload.revoked?).to be true
-        end
-
-        it 'revokes their own token' do
-          delete api(admin_path, admin_user)
+      it 'revokes their own token' do
+        delete api(admin_path, admin_user)
 
-          expect(response).to have_gitlab_http_status(:no_content)
-        end
+        expect(response).to have_gitlab_http_status(:no_content)
       end
+    end
 
-      context 'when current_user is not an administrator' do
-        let_it_be(:user_token) { create(:personal_access_token, user: current_user) }
-        let_it_be(:user_token_path) { "/personal_access_tokens/#{user_token.id}" }
+    context 'when current_user is not an administrator' do
+      let_it_be(:user_token) { create(:personal_access_token, user: current_user) }
+      let_it_be(:user_token_path) { "/personal_access_tokens/#{user_token.id}" }
 
-        it 'fails revokes a different users token' do
-          delete api(path, current_user)
+      it 'fails revokes a different users token' do
+        delete api(path, current_user)
 
-          expect(response).to have_gitlab_http_status(:bad_request)
-        end
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
 
-        it 'revokes their own token' do
-          delete api(user_token_path, current_user)
+      it 'revokes their own token' do
+        delete api(user_token_path, current_user)
 
-          expect(response).to have_gitlab_http_status(:no_content)
-        end
+        expect(response).to have_gitlab_http_status(:no_content)
       end
     end
   end