1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
# frozen_string_literal: true
module API
class ProjectJobTokenScope < ::API::Base
include PaginationParams
before { authenticate! }
feature_category :secrets_management
urgency :low
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
desc 'Fetch CI_JOB_TOKEN access settings.' do
failure [
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' }
]
success code: 200, model: Entities::ProjectJobTokenScope
tags %w[projects_job_token_scope]
end
get ':id/job_token_scope' do
authorize_admin_project
present user_project, with: Entities::ProjectJobTokenScope
end
desc 'Patch CI_JOB_TOKEN access settings.' do
failure [
{ code: 400, message: 'Bad Request' },
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' }
]
success code: 204
tags %w[projects_job_token_scope]
end
params do
requires :enabled,
type: Boolean,
as: :ci_inbound_job_token_scope_enabled,
allow_blank: false,
desc: "Indicates CI/CD job tokens generated in other projects have restricted access to this project."
end
patch ':id/job_token_scope' do
authorize_admin_project
job_token_scope_params = declared_params(include_missing: false)
result = ::Projects::UpdateService.new(user_project, current_user, job_token_scope_params).execute
break bad_request!(result[:message]) if result[:status] == :error
no_content!
end
desc 'Fetch project inbound allowlist for CI_JOB_TOKEN access settings.' do
failure [
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' }
]
success status: 200, model: Entities::BasicProjectDetails
tags %w[projects_job_token_scope]
end
params do
use :pagination
end
get ':id/job_token_scope/allowlist' do
authorize_admin_project
inbound_projects = ::Ci::JobToken::Scope.new(user_project).inbound_projects
present paginate(inbound_projects), with: Entities::BasicProjectDetails
end
desc 'Add target project to allowlist.' do
failure [
{ code: 400, message: 'Bad Request' },
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' },
{ code: 422, message: 'Unprocessable entity' }
]
success status: 201, model: Entities::BasicProjectDetails
tags %w[projects_job_token_scope]
end
params do
requires :id,
allow_blank: false,
desc: 'ID of user project',
documentation: { example: 1 },
type: Integer
requires :target_project_id,
allow_blank: false,
desc: 'ID of target project',
documentation: { example: 2 },
type: Integer
end
post ':id/job_token_scope/allowlist' do
authorize_admin_project
target_project_id = declared_params(include_missing: false).fetch(:target_project_id)
target_project = Project.find_by_id(target_project_id)
break not_found!("target_project_id not found") if target_project.blank?
result = ::Ci::JobTokenScope::AddProjectService
.new(user_project, current_user)
.execute(target_project, direction: :inbound)
break bad_request!(result[:message]) if result.error?
present result.payload[:project_link], with: Entities::ProjectScopeLink
end
desc 'Delete project from allowlist.' do
failure [
{ code: 400, message: 'Bad Request' },
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' }
]
success code: 204
tags %w[projects_job_token_scope]
end
params do
requires :id,
allow_blank: false,
desc: 'ID of user project',
documentation: { example: 1 },
type: Integer
requires :target_project_id,
allow_blank: false,
desc: 'ID of the project to be removed from the allowlist',
documentation: { example: 2 },
type: Integer
end
delete ':id/job_token_scope/allowlist/:target_project_id' do
target_project = find_project!(params[:target_project_id])
result = ::Ci::JobTokenScope::RemoveProjectService
.new(user_project, current_user)
.execute(target_project, :inbound)
if result.success?
no_content!
elsif result.reason == :insufficient_permissions
forbidden!(result.message)
else
bad_request!(result.message)
end
end
end
end
end
|