Create barebones for Deploytoken

Includes:
- Model, factories, create service and controller actions
- As usual, includes specs for everything
- Builds UI (copy from PAT)
- Add revoke action

Closes #31591

16 files changed, 261 insertions, 1 deletions

diff --git a/app/assets/javascripts/pages/projects/settings/repository/show/index.js b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
index 788d86d1192..5bcdfc26a4b 100644
--- a/app/assets/javascripts/pages/projects/settings/repository/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
@@ -6,6 +6,7 @@ import initSettingsPanels from '~/settings_panels';
 import initDeployKeys from '~/deploy_keys';
 import ProtectedBranchCreate from '~/protected_branches/protected_branch_create';
 import ProtectedBranchEditList from '~/protected_branches/protected_branch_edit_list';
+import DueDateSelectors from '~/due_date_select';
 
 document.addEventListener('DOMContentLoaded', () => {
   new ProtectedTagCreate();
@@ -14,4 +15,5 @@ document.addEventListener('DOMContentLoaded', () => {
   initSettingsPanels();
   new ProtectedBranchCreate(); // eslint-disable-line no-new
   new ProtectedBranchEditList(); // eslint-disable-line no-new
+  new DueDateSelectors();
 });
diff --git a/app/assets/stylesheets/pages/settings.scss b/app/assets/stylesheets/pages/settings.scss
index a6ca8ed5016..9db6386b86a 100644
--- a/app/assets/stylesheets/pages/settings.scss
+++ b/app/assets/stylesheets/pages/settings.scss
@@ -284,3 +284,22 @@
 .deprecated-service {
   cursor: default;
 }
+
+.personal-access-tokens-never-expires-label {
+  color: $note-disabled-comment-color;
+}
+
+.created-deploy-token-container {
+  .deploy-token-field {
+    width: 90%;
+    display: inline;
+  }
+
+  .btn-clipboard {
+    margin-left: 5px;
+  }
+
+  .help-block {
+    margin-top: 4px;
+  }
+}
diff --git a/app/controllers/projects/deploy_tokens_controller.rb b/app/controllers/projects/deploy_tokens_controller.rb
new file mode 100644
index 00000000000..ecc6db50f2f
--- /dev/null
+++ b/app/controllers/projects/deploy_tokens_controller.rb
@@ -0,0 +1,34 @@
+class Projects::DeployTokensController < Projects::ApplicationController
+  before_action :authorize_admin_project!
+
+  def create
+    @token = DeployTokens::CreateService.new(@project, current_user, deploy_token_params).execute
+    token_params = {}
+
+    if @token.valid?
+      flash[:notice] = 'Your new project deploy token has been created.'
+    else
+      token_params = @token.attributes.slice("name", "scopes", "expires_at")
+      flash[:alert] = @token.errors.full_messages.join(', ').html_safe
+    end
+
+    redirect_to project_settings_repository_path(project, deploy_token: token_params)
+  end
+
+  def revoke
+    @token = @project.deploy_tokens.find(params[:id])
+    @token.revoke!
+
+    redirect_to project_settings_repository_path(project)
+  end
+
+  private
+
+  def deploy_token_params
+    params.require(:deploy_token).permit(:name, :expires_at, scopes: [])
+  end
+
+  def authorize_admin_project!
+    return render_404 unless can?(current_user, :admin_project, @project)
+  end
+end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index dd9e4a2af3e..28897cc5946 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -5,7 +5,9 @@ module Projects
 
       def show
         @deploy_keys = DeployKeysPresenter.new(@project, current_user: current_user)
+        @deploy_tokens = DeployTokensPresenter.new(@project.deploy_tokens.active, current_user: current_user, project: project)
 
+        define_deploy_token
         define_protected_refs
       end
 
@@ -51,6 +53,14 @@ module Projects
         gon.push(protectable_branches_for_dropdown)
         gon.push(access_levels_options)
       end
+
+      def define_deploy_token
+        @deploy_token = @project.deploy_tokens.build(deploy_token_attributes)
+      end
+
+      def deploy_token_attributes
+        params.fetch(:deploy_token, {}).permit(:name, :expires_at, scopes: [])
+      end
     end
   end
 end
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
new file mode 100644
index 00000000000..185bd806b18
--- /dev/null
+++ b/app/models/deploy_token.rb
@@ -0,0 +1,25 @@
+class DeployToken < ActiveRecord::Base
+  include Expirable
+  include TokenAuthenticatable
+  add_authentication_token_field :token
+
+  AVAILABLE_SCOPES = %w(read_repo read_registry).freeze
+
+  serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize
+
+  validates :scopes, presence: true
+
+  belongs_to :project
+
+  before_save :ensure_token
+
+  scope :active, -> { where("revoked = false AND (expires_at >= NOW() OR expires_at IS NULL)") }
+
+  def revoke!
+    update!(revoked: true)
+  end
+
+  def self.redis_shared_state_key(user_id)
+    "gitlab:personal_access_token:#{user_id}"
+  end
+end
diff --git a/app/models/project.rb b/app/models/project.rb
index 96907f3b23d..3cfb163abf4 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -222,6 +222,7 @@ class Project < ActiveRecord::Base
   has_many :environments
   has_many :deployments
   has_many :pipeline_schedules, class_name: 'Ci::PipelineSchedule'
+  has_many :deploy_tokens
 
   has_many :active_runners, -> { active }, through: :runner_projects, source: :runner, class_name: 'Ci::Runner'
 
diff --git a/app/presenters/projects/settings/deploy_tokens_presenter.rb b/app/presenters/projects/settings/deploy_tokens_presenter.rb
new file mode 100644
index 00000000000..cbad35431b3
--- /dev/null
+++ b/app/presenters/projects/settings/deploy_tokens_presenter.rb
@@ -0,0 +1,48 @@
+module Projects
+  module Settings
+    class DeployTokensPresenter < Gitlab::View::Presenter::Simple
+      include Enumerable
+
+      presents :deploy_tokens
+
+      def available_scopes
+        DeployToken::AVAILABLE_SCOPES
+      end
+
+      def length
+        deploy_tokens.length
+      end
+
+      def scope_description(scope)
+        scope_descriptions[scope]
+      end
+
+      def each
+        deploy_tokens.each do |deploy_token|
+          yield deploy_token
+        end
+      end
+
+      def new_deploy_token
+        @new_deploy_token ||= Gitlab::Redis::SharedState.with do |redis|
+          token = redis.get(deploy_token_key)
+          redis.del(deploy_token_key)
+          token
+        end
+      end
+
+      private
+
+      def scope_descriptions
+        {
+          'read_repo' => 'Allows read-only access to the repository',
+          'read_registry' => 'Allows read-only access to the registry images'
+        }
+      end
+
+      def deploy_token_key
+        DeployToken.redis_shared_state_key(current_user.id)
+      end
+    end
+  end
+end
diff --git a/app/services/deploy_tokens/create_service.rb b/app/services/deploy_tokens/create_service.rb
new file mode 100644
index 00000000000..e93c021557e
--- /dev/null
+++ b/app/services/deploy_tokens/create_service.rb
@@ -0,0 +1,24 @@
+module DeployTokens
+  class CreateService < BaseService
+    REDIS_EXPIRY_TIME = 3.minutes
+
+    def execute
+      @deploy_token = @project.deploy_tokens.create(params)
+      store_in_redis if @deploy_token.persisted?
+
+      @deploy_token
+    end
+
+    private
+
+    def store_in_redis
+      Gitlab::Redis::SharedState.with do |redis|
+        redis.set(deploy_token_key, @deploy_token.token, ex: REDIS_EXPIRY_TIME)
+      end
+    end
+
+    def deploy_token_key
+      DeployToken.redis_shared_state_key(current_user.id)
+    end
+  end
+end
diff --git a/app/views/profiles/personal_access_tokens/index.html.haml b/app/views/profiles/personal_access_tokens/index.html.haml
index b96251cd982..9b87a7aaca8 100644
--- a/app/views/profiles/personal_access_tokens/index.html.haml
+++ b/app/views/profiles/personal_access_tokens/index.html.haml
@@ -2,7 +2,6 @@
 - page_title "Personal Access Tokens"
 - @content_class = "limit-container-width" unless fluid_layout
 
-
 .row.prepend-top-default
   .col-lg-4.profile-settings-sidebar
     %h4.prepend-top-0
diff --git a/app/views/projects/deploy_tokens/_form.html.haml b/app/views/projects/deploy_tokens/_form.html.haml
new file mode 100644
index 00000000000..6f1c892bce0
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_form.html.haml
@@ -0,0 +1,21 @@
+%p.profile-settings-content
+  Pick a name for the application, and we'll give you a unique deploy token.
+
+= form_for token, url: project_deploy_tokens_path(project), method: :post do |f|
+  = form_errors(token)
+
+  .form-group
+    = f.label :name, class: 'label-light'
+    = f.text_field :name, class: "form-control", required: true
+
+  .form-group
+    = f.label :expires_at, class: 'label-light'
+    = f.text_field :expires_at, class: "datepicker form-control"
+
+  .form-group
+    = f.label :scopes, class: 'label-light'
+    - presenter.available_scopes.each do |scope|
+      = render 'projects/deploy_tokens/scope_form', token: token, scope: scope, presenter: presenter
+
+  .prepend-top-default
+    = f.submit "Create deploy token", class: "btn btn-create"
diff --git a/app/views/projects/deploy_tokens/_index.html.haml b/app/views/projects/deploy_tokens/_index.html.haml
new file mode 100644
index 00000000000..7d2bfe291c3
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_index.html.haml
@@ -0,0 +1,19 @@
+- expanded = Rails.env.test?
+
+%section.settings.no-animate{ class: ('expanded' if expanded) }
+  .settings-header
+    %h4
+      Deploy Tokens
+    %button.btn.js-settings-toggle.qa-expand-deploy-keys
+      = expanded ? 'Collapse' : 'Expand'
+    %p
+      Deploy tokens allow read-only access to your repository and registry images.
+  .settings-content
+    - if @deploy_tokens.new_deploy_token
+      = render 'projects/deploy_tokens/new_deploy_token', new_token: @deploy_tokens.new_deploy_token
+
+    %h5.prepend-top-0
+      Add a deploy token
+    = render 'projects/deploy_tokens/form', project: @project, token: @deploy_token, presenter: @deploy_tokens
+    %hr
+    = render 'projects/deploy_tokens/table', project: @project, active_tokens: @deploy_tokens
diff --git a/app/views/projects/deploy_tokens/_new_deploy_token.html.haml b/app/views/projects/deploy_tokens/_new_deploy_token.html.haml
new file mode 100644
index 00000000000..8f5e669c815
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_new_deploy_token.html.haml
@@ -0,0 +1,9 @@
+.created-deploy-token-container
+  %h5.prepend-top-0
+    Your New Deploy Token
+  .form-group
+    = text_field_tag 'deploy-token', new_token, readonly: true, class: "deploy-token-field form-control js-select-on-focus", 'aria-describedby' => "deploy-token-help-block"
+    = clipboard_button(text: new_token, title: "Copy deploy token to clipboard", placement: "left")
+    %span.deploy-token.help-block.text-danger Make sure you save it - you won't be able to access it again.
+
+%hr
diff --git a/app/views/projects/deploy_tokens/_revoke_modal.html.haml b/app/views/projects/deploy_tokens/_revoke_modal.html.haml
new file mode 100644
index 00000000000..a859aac015d
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_revoke_modal.html.haml
@@ -0,0 +1,15 @@
+.modal{ id: "revoke-modal-#{token.id}" }
+  .modal-dialog
+    .modal-content
+      .modal-header
+        %h4.modal-title.pull-left
+          Revoke
+          %b #{token.name}?
+        %button.close.pull-right{ "aria-label" => "Close", data: { dismiss: "modal"} }
+          %span{ "aria-hidden" => "true" } ×
+      .modal-body
+        %p
+          Are you sure you want to revoke this Deploy Token? This action cannot be undone
+      .modal-footer
+        %a{ href: '#', data: { dismiss: 'modal' }, class: 'btn btn-default' } Cancel
+        = link_to "Revoke #{token.name}", revoke_project_deploy_token_path(project, token), method: :put, class: 'btn btn-danger'
diff --git a/app/views/projects/deploy_tokens/_scope_form.html.haml b/app/views/projects/deploy_tokens/_scope_form.html.haml
new file mode 100644
index 00000000000..f67701c8ee1
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_scope_form.html.haml
@@ -0,0 +1,4 @@
+%fieldset
+  = check_box_tag "deploy_token[scopes][]", scope, token.scopes.include?(scope), id: "deploy_token_scopes_#{scope}"
+  = label_tag ("deploy_token_scopes_#{scope}"), scope
+  %span= presenter.scope_description(scope)
diff --git a/app/views/projects/deploy_tokens/_table.html.haml b/app/views/projects/deploy_tokens/_table.html.haml
new file mode 100644
index 00000000000..5ea9e86020f
--- /dev/null
+++ b/app/views/projects/deploy_tokens/_table.html.haml
@@ -0,0 +1,29 @@
+%h5 Active Deploy Tokens (#{active_tokens.length})
+
+- if active_tokens.present?
+  .table-responsive.deploy-tokens
+    %table.table
+      %thead
+        %tr
+          %th Name
+          %th Created
+          %th Expires
+          %th Scopes
+          %th
+      %tbody
+        - active_tokens.each do |token|
+          %tr
+            %td= token.name
+            %td= token.created_at.to_date.to_s(:medium)
+            %td
+              - if token.expires?
+                %span{ class: ('text-warning' if token.expires_soon?) }
+                  In #{distance_of_time_in_words_to_now(token.expires_at)}
+              - else
+                %span.token-never-expires-label Never
+            %td= token.scopes.present? ? token.scopes.join(", ") : "<no scopes selected>"
+            %td= link_to "Revoke", "#", class: "btn btn-danger pull-right", data: { toggle: "modal", target: "#revoke-modal-#{token.id}"}
+            = render 'projects/deploy_tokens/revoke_modal', token: token, project: project
+- else
+  .settings-message.text-center
+    This project has no active Deploy Tokens.
diff --git a/app/views/projects/settings/repository/show.html.haml b/app/views/projects/settings/repository/show.html.haml
index 6bef4d19434..f57590a908f 100644
--- a/app/views/projects/settings/repository/show.html.haml
+++ b/app/views/projects/settings/repository/show.html.haml
@@ -9,3 +9,4 @@
 = render "projects/protected_branches/index"
 = render "projects/protected_tags/index"
 = render @deploy_keys
+= render "projects/deploy_tokens/index"