author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-20 13:43:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-20 13:43:29 +0300 |
commit | 3b1af5cc7ed2666ff18b718ce5d30fa5a2756674 (patch) | |
tree | 3bc4a40e0ee51ec27eabf917c537033c0c5b14d4 /lib/api/project_job_token_scope.rb | |
parent | 9bba14be3f2c211bf79e15769cd9b77bc73a13bc (diff) |
Add latest changes from gitlab-org/gitlab@16-1-stable-eev16.1.0-rc42
Diffstat (limited to 'lib/api/project_job_token_scope.rb')
-rw-r--r-- | lib/api/project_job_token_scope.rb | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/lib/api/project_job_token_scope.rb b/lib/api/project_job_token_scope.rb index 7fd288491ef..79710bffeaf 100644 --- a/lib/api/project_job_token_scope.rb +++ b/lib/api/project_job_token_scope.rb @@ -2,6 +2,8 @@ module API class ProjectJobTokenScope < ::API::Base + include PaginationParams + before { authenticate! } feature_category :secrets_management 
@@ -22,6 +24,134 @@ module API present user_project, with: Entities::ProjectJobTokenScope end + + desc 'Patch CI_JOB_TOKEN access settings.' do + failure [ + { code: 400, message: 'Bad Request' }, + { code: 401, message: 'Unauthorized' }, + { code: 403, message: 'Forbidden' }, + { code: 404, message: 'Not found' } + ] + success code: 204 + tags %w[projects_job_token_scope] + end + params do + requires :enabled, + type: Boolean, + as: :ci_inbound_job_token_scope_enabled, + allow_blank: false, + desc: "Indicates CI/CD job tokens generated in other projects have restricted access to this project." + end + + patch ':id/job_token_scope' do + authorize_admin_project + + job_token_scope_params = declared_params(include_missing: false) + result = ::Projects::UpdateService.new(user_project, current_user, job_token_scope_params).execute + + break bad_request!(result[:message]) if result[:status] == :error + + no_content! + end + + desc 'Fetch project inbound allowlist for CI_JOB_TOKEN access settings.' do + failure [ + { code: 401, message: 'Unauthorized' }, + { code: 403, message: 'Forbidden' }, + { code: 404, message: 'Not found' } + ] + success status: 200, model: Entities::BasicProjectDetails + tags %w[projects_job_token_scope] + end + params do + use :pagination + end + get ':id/job_token_scope/allowlist' do + authorize_admin_project + + inbound_projects = ::Ci::JobToken::Scope.new(user_project).inbound_projects + + present paginate(inbound_projects), with: Entities::BasicProjectDetails + end + + desc 'Add target project to allowlist.' 
do + failure [ + { code: 400, message: 'Bad Request' }, + { code: 401, message: 'Unauthorized' }, + { code: 403, message: 'Forbidden' }, + { code: 404, message: 'Not found' }, + { code: 422, message: 'Unprocessable entity' } + ] + success status: 201, model: Entities::BasicProjectDetails + tags %w[projects_job_token_scope] + end + params do + requires :id, + allow_blank: false, + desc: 'ID of user project', + documentation: { example: 1 }, + type: Integer + + requires :target_project_id, + allow_blank: false, + desc: 'ID of target project', + documentation: { example: 2 }, + type: Integer + end + post ':id/job_token_scope/allowlist' do + authorize_admin_project + + target_project_id = declared_params(include_missing: false).fetch(:target_project_id) + target_project = Project.find_by_id(target_project_id) + break not_found!("target_project_id not found") if target_project.blank? + + result = ::Ci::JobTokenScope::AddProjectService + .new(user_project, current_user) + .execute(target_project, direction: :inbound) + + break bad_request!(result[:message]) if result.error? + + present result.payload[:project_link], with: Entities::ProjectScopeLink + end + + desc 'Delete project from allowlist.' 
do + failure [ + { code: 400, message: 'Bad Request' }, + { code: 401, message: 'Unauthorized' }, + { code: 403, message: 'Forbidden' }, + { code: 404, message: 'Not found' } + ] + success code: 204 + tags %w[projects_job_token_scope] + end + params do + requires :id, + allow_blank: false, + desc: 'ID of user project', + documentation: { example: 1 }, + type: Integer + + requires :target_project_id, + allow_blank: false, + desc: 'ID of the project to be removed from the allowlist', + documentation: { example: 2 }, + type: Integer + end + delete ':id/job_token_scope/allowlist/:target_project_id' do + target_project = find_project!(params[:target_project_id]) + + result = ::Ci::JobTokenScope::RemoveProjectService + .new(user_project, current_user) + .execute(target_project, :inbound) + + if result.success? + no_content! + elsif result.reason == :insufficient_permissions + forbidden!(result.message) + else + bad_request!(result.message) + end + end end end end |
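Review bot: The `delete ':id/job_token_scope/allowlist/:target_project_id'` handler is the only one of the four added routes that does not call `authorize_admin_project` before acting. It depends on `RemoveProjectService` reporting `:insufficient_permissions`, and that service is not visible in this diff. Adding `authorize_admin_project` as the first line of the block would make the API layer fail closed and keep it consistent with the PATCH, GET and POST handlers. Separately, POST resolves the target with `Project.find_by_id` and returns a distinct 404 before any visibility check on the target shown here, while DELETE uses `find_project!`; presumably the service checks access, but using the same lookup in both places would avoid responses that differ by whether a project ID exists. The POST `desc` also declares `Entities::BasicProjectDetails` and a 422 failure, while the block presents `Entities::ProjectScopeLink` and only returns 400 or 404.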