lib/api/project_job_token_scope.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

# frozen_string_literal: true

module API
  class ProjectJobTokenScope < ::API::Base
    include PaginationParams

    before { authenticate! }

    feature_category :secrets_management
    urgency :low

    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      desc 'Fetch CI_JOB_TOKEN access settings.' do
        failure [
          { code: 401, message: 'Unauthorized' },
          { code: 403, message: 'Forbidden' },
          { code: 404, message: 'Not found' }
        ]
        success code: 200, model: Entities::ProjectJobTokenScope
        tags %w[projects_job_token_scope]
      end
      get ':id/job_token_scope' do
        authorize_admin_project

        present user_project, with: Entities::ProjectJobTokenScope
      end

      desc 'Patch CI_JOB_TOKEN access settings.' do
        failure [
          { code: 400, message: 'Bad Request' },
          { code: 401, message: 'Unauthorized' },
          { code: 403, message: 'Forbidden' },
          { code: 404, message: 'Not found' }
        ]
        success code: 204
        tags %w[projects_job_token_scope]
      end
      params do
        requires :enabled,
          type: Boolean,
          as: :ci_inbound_job_token_scope_enabled,
          allow_blank: false,
          desc: "Indicates CI/CD job tokens generated in other projects have restricted access to this project."
      end

      patch ':id/job_token_scope' do
        authorize_admin_project

        job_token_scope_params = declared_params(include_missing: false)
        result = ::Projects::UpdateService.new(user_project, current_user, job_token_scope_params).execute

        break bad_request!(result[:message]) if result[:status] == :error

        no_content!
      end

      desc 'Fetch project inbound allowlist for CI_JOB_TOKEN access settings.' do
        failure [
          { code: 401, message: 'Unauthorized' },
          { code: 403, message: 'Forbidden' },
          { code: 404, message: 'Not found' }
        ]
        success status: 200, model: Entities::BasicProjectDetails
        tags %w[projects_job_token_scope]
      end
      params do
        use :pagination
      end
      get ':id/job_token_scope/allowlist' do
        authorize_admin_project

        inbound_projects = ::Ci::JobToken::Scope.new(user_project).inbound_projects

        present paginate(inbound_projects), with: Entities::BasicProjectDetails
      end

      desc 'Add target project to allowlist.' do
        failure [
          { code: 400, message: 'Bad Request' },
          { code: 401, message: 'Unauthorized' },
          { code: 403, message: 'Forbidden' },
          { code: 404, message: 'Not found' },
          { code: 422, message: 'Unprocessable entity' }
        ]
        success status: 201, model: Entities::BasicProjectDetails
        tags %w[projects_job_token_scope]
      end
      params do
        requires :id,
          allow_blank: false,
          desc: 'ID of user project',
          documentation: { example: 1 },
          type: Integer

        requires :target_project_id,
          allow_blank: false,
          desc: 'ID of target project',
          documentation: { example: 2 },
          type: Integer
      end
      post ':id/job_token_scope/allowlist' do
        authorize_admin_project

        target_project_id = declared_params(include_missing: false).fetch(:target_project_id)
        target_project = Project.find_by_id(target_project_id)
        break not_found!("target_project_id not found") if target_project.blank?

        result = ::Ci::JobTokenScope::AddProjectService
            .new(user_project, current_user)
            .execute(target_project, direction: :inbound)

        break bad_request!(result[:message]) if result.error?

        present result.payload[:project_link], with: Entities::ProjectScopeLink
      end

      desc 'Delete project from allowlist.' do
        failure [
          { code: 400, message: 'Bad Request' },
          { code: 401, message: 'Unauthorized' },
          { code: 403, message: 'Forbidden' },
          { code: 404, message: 'Not found' }
        ]
        success code: 204
        tags %w[projects_job_token_scope]
      end
      params do
        requires :id,
          allow_blank: false,
          desc: 'ID of user project',
          documentation: { example: 1 },
          type: Integer

        requires :target_project_id,
          allow_blank: false,
          desc: 'ID of the project to be removed from the allowlist',
          documentation: { example: 2 },
          type: Integer
      end
      delete ':id/job_token_scope/allowlist/:target_project_id' do
        target_project = find_project!(params[:target_project_id])

        result = ::Ci::JobTokenScope::RemoveProjectService
          .new(user_project, current_user)
          .execute(target_project, :inbound)

        if result.success?
          no_content!
        elsif result.reason == :insufficient_permissions
          forbidden!(result.message)
        else
          bad_request!(result.message)
        end
      end
    end
  end
end