From 35c4ed59c04ae6f3162bcdc738007a3c6b80614f Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Thu, 25 Jan 2024 00:03:42 +0100 Subject: [PATCH 01/17] Add self_rotate scope for access token self rotate endpoint Add a new scope which allows personal access tokens to rotate themselves without the `api` scope. The following endpoint can now be accessed with `self_rotate` scope: - POST /personal_access_tokens/self/rotate Changelog: added --- .../concerns/oauth_applications.rb | 6 +++++- config/locales/doorkeeper.en.yml | 4 ++++ lib/gitlab/auth.rb | 6 +++++- spec/lib/gitlab/auth_spec.rb | 21 ++++++++++++------- .../settings/access_tokens_controller_spec.rb | 1 + spec/requests/openid_connect_spec.rb | 3 ++- .../settings/access_tokens_controller_spec.rb | 1 + 7 files changed, 32 insertions(+), 10 deletions(-) diff --git a/app/controllers/concerns/oauth_applications.rb b/app/controllers/concerns/oauth_applications.rb index 42d0948adf808d..ab3bef8ae0bd83 100644 --- a/app/controllers/concerns/oauth_applications.rb +++ b/app/controllers/concerns/oauth_applications.rb @@ -25,7 +25,11 @@ def get_created_session def load_scopes @scopes ||= Doorkeeper::OAuth::Scopes.from_array( - Doorkeeper.configuration.scopes.to_a - [::Gitlab::Auth::AI_WORKFLOW.to_s] - [::Gitlab::Auth::DYNAMIC_USER.to_s] + Doorkeeper.configuration.scopes.to_a - [ + ::Gitlab::Auth::AI_WORKFLOW.to_s, + ::Gitlab::Auth::DYNAMIC_USER.to_s, + ::Gitlab::Auth::ROTATE_SELF_SCOPE.to_s + ] ) end diff --git a/config/locales/doorkeeper.en.yml b/config/locales/doorkeeper.en.yml index 624955ed912926..8e824d10a14451 100644 --- a/config/locales/doorkeeper.en.yml +++ b/config/locales/doorkeeper.en.yml @@ -81,6 +81,7 @@ en: k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. ai_features: Access to API endpoints needed for GitLab Duo features read_service_ping: Grant access to download Service Ping payload via API when authenticated as an admin user + self_rotate: Grant token to rotate itself user:*: Grants access only if both the token owner and user: has access to the resource. scope_desc: api: Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. @@ -102,6 +103,7 @@ en: manage_runner: Grants access to manage the runners. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. read_service_ping: Grant access to download Service Ping payload via API when authenticated as an admin user + self_rotate: Grants token to rotate itself. group_access_token_scope_desc: api: Grants complete read and write access to the scoped group and related project API, including the container registry, the dependency proxy, and the package registry. read_api: Grants read access to the scoped group and related project API, including the package registry. @@ -121,6 +123,7 @@ en: create_runner: Grants permission to create runners in a group. manage_runner: Grants access to manage the runners in a group. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. + self_rotate: Grants token to rotate itself. project_access_token_scope_desc: api: Grants complete read and write access to the scoped project API, including the container registry, the dependency proxy, and the package registry. read_api: Grants read access to the scoped project API, including the Package Registry. @@ -134,6 +137,7 @@ en: manage_runner: Grants access to manage the runners. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. ai_features: Grants access to GitLab Duo related API endpoints. + self_rotate: Grants token to rotate itself. flash: applications: create: diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index b7dec9bce85fcb..d4f81c392b9abe 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -7,6 +7,9 @@ module Auth # Scopes used for GitLab internal API (Kubernetes cluster access) K8S_PROXY_SCOPE = :k8s_proxy + # Scopes used for token allowed to rotate themselves + ROTATE_SELF_SCOPE = :self_rotate + # Scopes used for GitLab API access API_SCOPE = :api READ_API_SCOPE = :read_api @@ -17,7 +20,8 @@ module Auth API_SCOPE, READ_API_SCOPE, READ_USER_SCOPE, CREATE_RUNNER_SCOPE, MANAGE_RUNNER_SCOPE, - K8S_PROXY_SCOPE + K8S_PROXY_SCOPE, + ROTATE_SELF_SCOPE ].freeze # Scopes for Duo diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index 06b33d5e9cb50e..1747a04c643a9f 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -15,7 +15,7 @@ describe 'constants' do it 'API_SCOPES contains all scopes for API access' do - expect(subject::API_SCOPES).to match_array %i[api read_user read_api create_runner manage_runner k8s_proxy] + expect(subject::API_SCOPES).to match_array %i[api read_user read_api create_runner manage_runner k8s_proxy self_rotate] end it 'ADMIN_SCOPES contains all scopes for ADMIN access' do @@ -52,6 +52,7 @@ expect(subject.all_available_scopes).to match_array %i[ api read_user read_api read_repository read_service_ping write_repository read_registry write_registry sudo admin_mode read_observability write_observability create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -60,7 +61,7 @@ expect(subject.available_scopes_for(user)).to match_array %i[ api read_user read_api read_repository write_repository read_registry write_registry - create_runner manage_runner k8s_proxy ai_features + create_runner manage_runner k8s_proxy ai_features self_rotate ] end @@ -69,7 +70,7 @@ expect(subject.available_scopes_for(user)).to match_array %i[ api read_user read_api read_repository read_service_ping write_repository read_registry write_registry - sudo admin_mode create_runner manage_runner k8s_proxy ai_features + sudo admin_mode create_runner manage_runner k8s_proxy ai_features self_rotate ] end @@ -77,6 +78,7 @@ expect(subject.available_scopes_for(project)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -86,6 +88,7 @@ expect(subject.available_scopes_for(group)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -110,6 +113,7 @@ read_repository read_service_ping read_user + self_rotate sudo user:* write_observability @@ -131,7 +135,7 @@ expect(subject.available_scopes_for(group)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry create_runner manage_runner - k8s_proxy ai_features + k8s_proxy ai_features self_rotate ] end @@ -143,7 +147,7 @@ expect(subject.available_scopes_for(project)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry create_runner manage_runner - k8s_proxy ai_features + k8s_proxy ai_features self_rotate ] end end @@ -164,6 +168,7 @@ expect(subject.available_scopes_for(group)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -172,7 +177,7 @@ expect(subject.available_scopes_for(user)).to match_array %i[ api read_user read_api read_repository write_repository read_registry write_registry read_service_ping - sudo admin_mode create_runner manage_runner k8s_proxy ai_features + sudo admin_mode create_runner manage_runner k8s_proxy ai_features self_rotate ] end @@ -180,6 +185,7 @@ expect(subject.available_scopes_for(project)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -192,6 +198,7 @@ expect(subject.available_scopes_for(other_group)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry create_runner manage_runner k8s_proxy ai_features + self_rotate ] end @@ -204,7 +211,7 @@ expect(subject.available_scopes_for(other_project)).to match_array %i[ api read_api read_repository write_repository read_registry write_registry - create_runner manage_runner k8s_proxy ai_features + create_runner manage_runner k8s_proxy ai_features self_rotate ] end end diff --git a/spec/requests/groups/settings/access_tokens_controller_spec.rb b/spec/requests/groups/settings/access_tokens_controller_spec.rb index ecccbc7f9e0867..f0537fbcb53752 100644 --- a/spec/requests/groups/settings/access_tokens_controller_spec.rb +++ b/spec/requests/groups/settings/access_tokens_controller_spec.rb @@ -120,6 +120,7 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) + expect(assigns(:scopes)).to include(Gitlab::Auth::ROTATE_SELF_SCOPE) end end end diff --git a/spec/requests/openid_connect_spec.rb b/spec/requests/openid_connect_spec.rb index 561a3154ae6e59..70f846a5b65a95 100644 --- a/spec/requests/openid_connect_spec.rb +++ b/spec/requests/openid_connect_spec.rb @@ -274,7 +274,8 @@ def request_user_info! let(:expected_scopes) do %w[ admin_mode api read_user read_api read_repository write_repository sudo openid profile email - read_observability write_observability create_runner manage_runner k8s_proxy ai_features read_service_ping ai_workflows user:* + read_observability write_observability create_runner manage_runner k8s_proxy ai_features read_service_ping ai_workflows + user:* self_rotate ] end diff --git a/spec/requests/projects/settings/access_tokens_controller_spec.rb b/spec/requests/projects/settings/access_tokens_controller_spec.rb index 62855e9a7e47e3..382be2976f9f98 100644 --- a/spec/requests/projects/settings/access_tokens_controller_spec.rb +++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb @@ -121,6 +121,7 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) + expect(assigns(:scopes)).to include(Gitlab::Auth::ROTATE_SELF_SCOPE) end end end -- GitLab From 5399ba375c1d9de15e72d6a857aad88a288afc44 Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Thu, 25 Jan 2024 01:49:08 +0100 Subject: [PATCH 02/17] Allow `self_rotate' scoped token to self rotate --- lib/api/personal_access_tokens/self_rotation.rb | 1 + .../api/personal_access_tokens/self_rotation_spec.rb | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/api/personal_access_tokens/self_rotation.rb b/lib/api/personal_access_tokens/self_rotation.rb index da21fca8b554be..3cdc7690e82917 100644 --- a/lib/api/personal_access_tokens/self_rotation.rb +++ b/lib/api/personal_access_tokens/self_rotation.rb @@ -10,6 +10,7 @@ class SelfRotation < ::API::Base helpers ::API::Helpers::PersonalAccessTokensHelpers allow_access_with_scope :api + allow_access_with_scope :self_rotate before { authenticate! } diff --git a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb index 697f8f3a07fb79..5e0e6af6a5e4ed 100644 --- a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb +++ b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb @@ -55,7 +55,7 @@ let(:current_user) { create(:admin) } let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -87,7 +87,7 @@ let(:current_user) { create(:user) } let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -141,7 +141,7 @@ context "with a '#{scope}' scoped token" do let(:token) { create(:oauth_access_token, scopes: [scope]) } - if [Gitlab::Auth::API_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope it_behaves_like 'rotating token denied', :method_not_allowed else it_behaves_like 'rotating token denied', :forbidden -- GitLab From 289556c0a703915757475f8a6b1c23924cb350dd Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Fri, 26 Jan 2024 22:30:15 +0100 Subject: [PATCH 03/17] Allow GrAT and PrAT to use the self-rotation API Group access tokens and project access token, having `api` or `self_rotate` scope can now be rotated using the POST /personal_access_tokens/self/rotate endpoint. Changelog: changed --- .../personal_access_tokens/self_rotation.rb | 1 - .../self_rotation_spec.rb | 29 ++++++++++++++++--- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/lib/api/personal_access_tokens/self_rotation.rb b/lib/api/personal_access_tokens/self_rotation.rb index 3cdc7690e82917..320af5f1a314ad 100644 --- a/lib/api/personal_access_tokens/self_rotation.rb +++ b/lib/api/personal_access_tokens/self_rotation.rb @@ -34,7 +34,6 @@ class SelfRotation < ::API::Base end post 'self/rotate' do not_allowed! unless access_token.is_a? PersonalAccessToken - forbidden! if current_user.project_bot? new_token = rotate_token(access_token, declared_params) diff --git a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb index 5e0e6af6a5e4ed..e14a4bfb98a66b 100644 --- a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb +++ b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb @@ -93,6 +93,15 @@ it_behaves_like 'rotating token denied', :forbidden end end + + context "with '#{scope}' and 'self_rotate' scoped token" do + let(:current_user) { create(:user) } + let(:token) do + create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + end + + it_behaves_like 'rotating token succeeds' + end end end @@ -170,26 +179,38 @@ context 'when current_user is a project bot' do let(:current_user) { create(:user, :project_bot) } - it_behaves_like 'rotating token denied', :forbidden + it_behaves_like 'rotating token succeeds' context 'when expiry is defined' do let(:expiry_date) { Date.today + 1.month } let(:params) { { expires_at: expiry_date } } - it_behaves_like 'rotating token denied', :forbidden + it_behaves_like 'rotating token succeeds' end context 'with impersonated token' do let(:token) { create(:personal_access_token, :impersonation, user: current_user) } - it_behaves_like 'rotating token denied', :forbidden + it_behaves_like 'rotating token succeeds' end Gitlab::Auth.resource_bot_scopes.each do |scope| context "with a '#{scope}' scoped token" do let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - it_behaves_like 'rotating token denied', :forbidden + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + it_behaves_like 'rotating token succeeds' + else + it_behaves_like 'rotating token denied', :forbidden + end + end + + context "with '#{scope}' and 'self_rotate' scoped token" do + let(:token) do + create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + end + + it_behaves_like 'rotating token succeeds' end end end -- GitLab From 3060f7ee6aa50d7f9a58a0752dfed0f7ec9a001b Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Fri, 26 Jan 2024 22:30:46 +0100 Subject: [PATCH 04/17] Update API documentation --- doc/api/personal_access_tokens.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/personal_access_tokens.md b/doc/api/personal_access_tokens.md index c5fdfd89d76a74..929cd6f0ed49ea 100644 --- a/doc/api/personal_access_tokens.md +++ b/doc/api/personal_access_tokens.md @@ -275,7 +275,7 @@ Example response: Requires: -- `api` scope. +- `api` or `self_rotate` scope. In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). -- GitLab From 90d8982ee1caf5f8c2efb117389a7886dacc7fb5 Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Tue, 13 Feb 2024 20:48:17 +0100 Subject: [PATCH 05/17] Add self_rotate scope in project/group/personal token documentation --- doc/user/group/settings/group_access_tokens.md | 1 + doc/user/profile/personal_access_tokens.md | 1 + doc/user/project/settings/project_access_tokens.md | 1 + 3 files changed, 3 insertions(+) diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index 3b19d21dcc7b05..b4f3b05dc9192f 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -162,6 +162,7 @@ The scope determines the actions you can perform when you authenticate with a gr | `manage_runner` | Grants permission to manage runners in a group. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. | +| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | ## Restrict the creation of group access tokens diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md index 4db5d9d8e8d898..98aadb13cfca75 100644 --- a/doc/user/profile/personal_access_tokens.md +++ b/doc/user/profile/personal_access_tokens.md @@ -205,6 +205,7 @@ A personal access token can perform actions based on the assigned scopes. | `manage_runner` | Grants permission to manage runners. | | `ai_features` | This scope:
- Grants permission to perform API actions for features like GitLab Duo, Code Suggestions API and Duo Chat API.
- Does not work for GitLab Self-Managed versions 16.5, 16.6, and 16.7.
For GitLab Duo plugin for JetBrains, this scope:
- Supports users with AI features enabled in the GitLab Duo plugin for JetBrains.
- Addresses a security vulnerability in JetBrains IDE plugins that could expose personal access tokens.
- Is designed to minimize potential risks for GitLab Duo plugin users by limiting the impact of compromised tokens.
For all other extensions, see the individual scope requirements in their documentation. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. | +| `self_rotate` | Grants permission to use the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | | `read_service_ping`| Grant access to download Service Ping payload through the API when authenticated as an admin use. | WARNING: diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md index d80d793510e456..6ec8af710b56a5 100644 --- a/doc/user/project/settings/project_access_tokens.md +++ b/doc/user/project/settings/project_access_tokens.md @@ -118,6 +118,7 @@ See the warning in [create a project access token](#create-a-project-access-toke | `manage_runner` | Grants permission to manage runners in the project. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. | +| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | ## Restrict the creation of project access tokens -- GitLab From 4212346b6406bf3cf294a15ee66bc6d4b04dcf69 Mon Sep 17 00:00:00 2001 From: Jon Glassman Date: Wed, 14 Feb 2024 12:36:15 +0000 Subject: [PATCH 06/17] Move history items in documentation --- doc/user/group/settings/group_access_tokens.md | 3 ++- doc/user/profile/personal_access_tokens.md | 3 ++- doc/user/project/settings/project_access_tokens.md | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index b4f3b05dc9192f..ed26bbdefeef0d 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -147,6 +147,7 @@ To revoke or rotate a group access token: > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. The scope determines the actions you can perform when you authenticate with a group access token. @@ -162,7 +163,7 @@ The scope determines the actions you can perform when you authenticate with a gr | `manage_runner` | Grants permission to manage runners in a group. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. | -| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | +| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | ## Restrict the creation of group access tokens diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md index 98aadb13cfca75..ec428a1e3553cc 100644 --- a/doc/user/profile/personal_access_tokens.md +++ b/doc/user/profile/personal_access_tokens.md @@ -187,6 +187,7 @@ To view the last time a token was used, and the IP addresses from where the toke > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. > - `read_service_ping` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/42692#note_1222832412) in GitLab 17.1. > - `manage_runner` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460721) in GitLab 17.1. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. A personal access token can perform actions based on the assigned scopes. @@ -205,7 +206,7 @@ A personal access token can perform actions based on the assigned scopes. | `manage_runner` | Grants permission to manage runners. | | `ai_features` | This scope:
- Grants permission to perform API actions for features like GitLab Duo, Code Suggestions API and Duo Chat API.
- Does not work for GitLab Self-Managed versions 16.5, 16.6, and 16.7.
For GitLab Duo plugin for JetBrains, this scope:
- Supports users with AI features enabled in the GitLab Duo plugin for JetBrains.
- Addresses a security vulnerability in JetBrains IDE plugins that could expose personal access tokens.
- Is designed to minimize potential risks for GitLab Duo plugin users by limiting the impact of compromised tokens.
For all other extensions, see the individual scope requirements in their documentation. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. | -| `self_rotate` | Grants permission to use the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | +| `self_rotate` | Grants permission to use the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | | `read_service_ping`| Grant access to download Service Ping payload through the API when authenticated as an admin use. | WARNING: diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md index 6ec8af710b56a5..cf4cbe67941961 100644 --- a/doc/user/project/settings/project_access_tokens.md +++ b/doc/user/project/settings/project_access_tokens.md @@ -100,6 +100,7 @@ To revoke or rotate a project access token: > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. The scope determines the actions you can perform when you authenticate with a project access token. @@ -118,7 +119,7 @@ See the warning in [create a project access token](#create-a-project-access-toke | `manage_runner` | Grants permission to manage runners in the project. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. | -| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10.) | +| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | ## Restrict the creation of project access tokens -- GitLab From 41649b2869f384e7d613f95e13b0faf67fbf882c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Talbot?= Date: Wed, 14 Feb 2024 13:03:00 +0000 Subject: [PATCH 07/17] Apply 4 suggestion(s) to 1 file(s) --- config/locales/doorkeeper.en.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/locales/doorkeeper.en.yml b/config/locales/doorkeeper.en.yml index 8e824d10a14451..201da8bd9fcd77 100644 --- a/config/locales/doorkeeper.en.yml +++ b/config/locales/doorkeeper.en.yml @@ -81,7 +81,7 @@ en: k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. ai_features: Access to API endpoints needed for GitLab Duo features read_service_ping: Grant access to download Service Ping payload via API when authenticated as an admin user - self_rotate: Grant token to rotate itself + self_rotate: Grants permission for token to rotate itself user:*: Grants access only if both the token owner and user: has access to the resource. scope_desc: api: Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. @@ -103,7 +103,7 @@ en: manage_runner: Grants access to manage the runners. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. read_service_ping: Grant access to download Service Ping payload via API when authenticated as an admin user - self_rotate: Grants token to rotate itself. + self_rotate: Grants permission for token to rotate itself. group_access_token_scope_desc: api: Grants complete read and write access to the scoped group and related project API, including the container registry, the dependency proxy, and the package registry. read_api: Grants read access to the scoped group and related project API, including the package registry. @@ -123,7 +123,7 @@ en: create_runner: Grants permission to create runners in a group. manage_runner: Grants access to manage the runners in a group. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. - self_rotate: Grants token to rotate itself. + self_rotate: Grants permission for token to rotate itself. project_access_token_scope_desc: api: Grants complete read and write access to the scoped project API, including the container registry, the dependency proxy, and the package registry. read_api: Grants read access to the scoped project API, including the Package Registry. @@ -137,7 +137,7 @@ en: manage_runner: Grants access to manage the runners. k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes. ai_features: Grants access to GitLab Duo related API endpoints. - self_rotate: Grants token to rotate itself. + self_rotate: Grants permission for token to rotate itself. flash: applications: create: -- GitLab From 955f4edd3ae4d896009633f0e631678d9cac3b93 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Fri, 17 Jan 2025 16:27:40 -0600 Subject: [PATCH 08/17] Applied suggested documentation updates --- doc/user/group/settings/group_access_tokens.md | 4 ++-- doc/user/profile/personal_access_tokens.md | 4 ++-- doc/user/project/settings/project_access_tokens.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index ed26bbdefeef0d..b924d77747306b 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -147,7 +147,7 @@ To revoke or rotate a group access token: > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. -> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9. Enabled by default. The scope determines the actions you can perform when you authenticate with a group access token. @@ -163,7 +163,7 @@ The scope determines the actions you can perform when you authenticate with a gr | `manage_runner` | Grants permission to manage runners in a group. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group. | -| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | +| `self_rotate` | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. | ## Restrict the creation of group access tokens diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md index ec428a1e3553cc..e6f8b9a15a2f47 100644 --- a/doc/user/profile/personal_access_tokens.md +++ b/doc/user/profile/personal_access_tokens.md @@ -187,7 +187,7 @@ To view the last time a token was used, and the IP addresses from where the toke > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. > - `read_service_ping` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/42692#note_1222832412) in GitLab 17.1. > - `manage_runner` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/460721) in GitLab 17.1. -> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9. Enabled by default. A personal access token can perform actions based on the assigned scopes. @@ -206,7 +206,7 @@ A personal access token can perform actions based on the assigned scopes. | `manage_runner` | Grants permission to manage runners. | | `ai_features` | This scope:
- Grants permission to perform API actions for features like GitLab Duo, Code Suggestions API and Duo Chat API.
- Does not work for GitLab Self-Managed versions 16.5, 16.6, and 16.7.
For GitLab Duo plugin for JetBrains, this scope:
- Supports users with AI features enabled in the GitLab Duo plugin for JetBrains.
- Addresses a security vulnerability in JetBrains IDE plugins that could expose personal access tokens.
- Is designed to minimize potential risks for GitLab Duo plugin users by limiting the impact of compromised tokens.
For all other extensions, see the individual scope requirements in their documentation. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. | -| `self_rotate` | Grants permission to use the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | +| `self_rotate` | Grants permission to rotate this token using the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. | | `read_service_ping`| Grant access to download Service Ping payload through the API when authenticated as an admin use. | WARNING: diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md index cf4cbe67941961..50fa9911075082 100644 --- a/doc/user/project/settings/project_access_tokens.md +++ b/doc/user/project/settings/project_access_tokens.md @@ -100,7 +100,7 @@ To revoke or rotate a project access token: > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default. > - Feature flag `k8s_proxy_pat` [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131518) in GitLab 16.5. -> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142995) in GitLab 16.10. Enabled by default. +> - `self_rotate` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9. Enabled by default. The scope determines the actions you can perform when you authenticate with a project access token. @@ -119,7 +119,7 @@ See the warning in [create a project access token](#create-a-project-access-toke | `manage_runner` | Grants permission to manage runners in the project. | | `ai_features` | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements. | | `k8s_proxy` | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project. | -| `self_rotate` | Grants permission to use the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header) to rotate the token with itself. | +| `self_rotate` | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. | ## Restrict the creation of project access tokens -- GitLab From 4c9c8cab3cfb289d9946bca86cb1d9768e0749ff Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Sat, 17 Feb 2024 20:30:06 +0100 Subject: [PATCH 09/17] Add tests for resource token self rotate APIs --- .../self_rotation_spec.rb | 189 ++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 spec/requests/api/resource_access_tokens/self_rotation_spec.rb diff --git a/spec/requests/api/resource_access_tokens/self_rotation_spec.rb b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb new file mode 100644 index 00000000000000..e527886c5b4e9b --- /dev/null +++ b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb @@ -0,0 +1,189 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe API::ResourceAccessTokens::SelfRotation, feature_category: :system_access do + let(:token) { create(:personal_access_token, user: current_user) } + let(:expiry_date) { Date.today + 1.week } + let(:params) { {} } + + let_it_be(:current_user) { create(:user, :project_bot) } + let_it_be(:other_user) { create(:user, :project_bot) } + + subject(:rotate_token) { post(api(path, personal_access_token: token), params: params) } + + shared_examples 'rotating token succeeds' do + it 'rotate token', :aggregate_failures do + rotate_token + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['token']).not_to eq(token.token) + expect(json_response['expires_at']).to eq(expiry_date.to_s) + expect(token.reload).to be_revoked + end + end + + shared_examples 'rotating token denied' do |status| + it 'cannot rotate token' do + rotate_token + + expect(response).to have_gitlab_http_status(status) + end + end + + shared_examples 'rotating resource access token' do |source_type| + let(:resource_id) { resource.id } + let(:path) { "/#{source_type}s/#{resource_id}/access_tokens/self/rotate" } + + describe "POST #{source_type}s/:id/access_tokens/self/rotate" do + context 'when token is not a valid resource token' do + context 'when token is a personal access token' do + before do + resource.add_guest(current_user) + end + + context 'when current_user is an administrator', :enable_admin_mode do + let_it_be(:current_user) { create(:admin) } + + it_behaves_like 'rotating token denied', :method_not_allowed + end + + context 'when current_user is not an administrator' do + let_it_be(:current_user) { create(:user) } + + it_behaves_like 'rotating token denied', :method_not_allowed + end + end + + context 'when token is invalid' do + let(:token) { instance_double(PersonalAccessToken, token: 'invalidtoken') } + + it_behaves_like 'rotating token denied', :unauthorized + end + + context 'with a revoked token' do + let(:token) { create(:personal_access_token, :revoked, user: current_user) } + + it_behaves_like 'rotating token denied', :unauthorized + end + + context 'with an expired token' do + let(:token) { create(:personal_access_token, expires_at: 1.day.ago, user: current_user) } + + it_behaves_like 'rotating token denied', :unauthorized + end + + context 'with a rotated token' do + let(:token) { create(:personal_access_token, :revoked, user: current_user) } + let!(:child_token) { create(:personal_access_token, previous_personal_access_token_id: token.id) } + + it_behaves_like 'rotating token denied', :unauthorized + + it 'revokes token family' do + rotate_token + + expect(child_token.reload).to be_revoked + end + end + + context 'with an OAuth token' do + subject(:rotate_token) { post(api(path, oauth_access_token: token), params: params) } + + context 'with default scope' do + let(:token) { create(:oauth_access_token) } + + it_behaves_like 'rotating token denied', :forbidden + end + + context 'with api or self_rotate scope' do + let(:token) do + create(:oauth_access_token, scopes: [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE]) + end + + it_behaves_like 'rotating token denied', :method_not_allowed + end + end + + context 'with a deploy token' do + let(:token) { create(:deploy_token) } + let(:headers) { { Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => token.token } } + + subject(:rotate_token) { post(api(path), params: params, headers: headers) } + + it_behaves_like 'rotating token denied', :unauthorized + end + + context 'with a job token' do + let(:job) { create(:ci_build, :running, user: current_user) } + + subject(:rotate_token) { post(api(path, job_token: job.token), params: params) } + + it_behaves_like 'rotating token denied', :unauthorized + end + end + + context "when token is a valid #{source_type} token" do + it_behaves_like 'rotating token succeeds' + + context 'when expiry is defined' do + let(:expiry_date) { Date.today + 1.month } + let(:params) { { expires_at: expiry_date } } + + it_behaves_like 'rotating token succeeds' + end + + Gitlab::Auth.resource_bot_scopes.each do |scope| + context "with a '#{scope}' scoped token" do + let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } + + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + it_behaves_like 'rotating token succeeds' + else + it_behaves_like 'rotating token denied', :forbidden + end + end + + context "with '#{scope}' and 'self_rotate' scoped token" do + let(:token) do + create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + end + + it_behaves_like 'rotating token succeeds' + end + end + end + + context "when token does not belong to the resource" do + Gitlab::VisibilityLevel.string_values.each do |visibility| + context "when resource visibility is '#{visibility}'" do + let_it_be(:resource) { create(source_type, visibility) } + + let(:token) { create(:personal_access_token, user: other_user) } + + if Gitlab::VisibilityLevel.level_value(visibility) != Gitlab::VisibilityLevel::PRIVATE + it_behaves_like 'rotating token denied', :unauthorized + else + it_behaves_like 'rotating token denied', :not_found + end + end + end + end + end + end + + context 'when the resource is a project' do + let_it_be(:resource) { create(:project) } + + before_all { resource.add_guest(current_user) } + + it_behaves_like 'rotating resource access token', 'project' + end + + context 'when the resource is a group' do + let_it_be(:resource) { create(:group) } + + before_all { resource.add_guest(current_user) } + + it_behaves_like 'rotating resource access token', 'group' + end +end -- GitLab From 3b53644c30bbf8859a781d5f46e0c8f5a54d550a Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Sat, 17 Feb 2024 20:31:16 +0100 Subject: [PATCH 10/17] Add token self rotate API for projects and groups --- lib/api/api.rb | 1 + .../resource_access_tokens/self_rotation.rb | 55 +++++++++++++++++++ .../self_rotation_spec.rb | 4 +- 3 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 lib/api/resource_access_tokens/self_rotation.rb diff --git a/lib/api/api.rb b/lib/api/api.rb index aed3a2befd7c72..e15eaf166c2c74 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -332,6 +332,7 @@ def initialize(location_url) mount ::API::Release::Links mount ::API::RemoteMirrors mount ::API::Repositories + mount ::API::ResourceAccessTokens::SelfRotation mount ::API::ResourceAccessTokens mount ::API::ResourceMilestoneEvents mount ::API::RpmProjectPackages diff --git a/lib/api/resource_access_tokens/self_rotation.rb b/lib/api/resource_access_tokens/self_rotation.rb new file mode 100644 index 00000000000000..a2ec067bd1e9e8 --- /dev/null +++ b/lib/api/resource_access_tokens/self_rotation.rb @@ -0,0 +1,55 @@ +# frozen_string_literal: true + +module API + class ResourceAccessTokens + class SelfRotation < ::API::Base + include APIGuard + + feature_category :system_access + + helpers ::API::Helpers::PersonalAccessTokensHelpers + helpers ::API::ResourceAccessTokens.helpers + + allow_access_with_scope :api + allow_access_with_scope :self_rotate + + before { authenticate! } + + %w[project group].each do |source_type| + resource source_type.pluralize, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do + desc 'Rotate a resource access token' do + detail 'Rotates a resource access token by passing it to the API in a header' + success code: 200, model: Entities::ResourceAccessTokenWithToken + failure [ + { code: 400, message: 'Bad Request' }, + { code: 401, message: 'Unauthorized' }, + { code: 403, message: 'Forbidden' }, + { code: 405, message: 'Method not allowed' } + ] + tags %w[personal_access_tokens] + end + params do + requires :id, type: String, desc: "The #{source_type} ID" + optional :expires_at, + type: Date, + desc: "The expiration date of the token", + documentation: { example: '2021-01-31' } + end + post ':id/access_tokens/self/rotate' do + not_allowed! unless access_token.is_a? PersonalAccessToken + not_allowed! unless current_user.project_bot? + + resource = find_source(source_type, params[:id]) + token = find_token(resource, access_token.id) + + unauthorized! unless token + + new_token = rotate_token(token, declared_params) + + present new_token, with: Entities::ResourceAccessTokenWithToken, resource: resource + end + end + end + end + end +end diff --git a/spec/requests/api/resource_access_tokens/self_rotation_spec.rb b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb index e527886c5b4e9b..f126835402685f 100644 --- a/spec/requests/api/resource_access_tokens/self_rotation_spec.rb +++ b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb @@ -4,7 +4,7 @@ RSpec.describe API::ResourceAccessTokens::SelfRotation, feature_category: :system_access do let(:token) { create(:personal_access_token, user: current_user) } - let(:expiry_date) { Date.today + 1.week } + let(:expiry_date) { Time.zone.today + 1.week } let(:params) { {} } let_it_be(:current_user) { create(:user, :project_bot) } @@ -126,7 +126,7 @@ it_behaves_like 'rotating token succeeds' context 'when expiry is defined' do - let(:expiry_date) { Date.today + 1.month } + let(:expiry_date) { Time.zone.today + 1.month } let(:params) { { expires_at: expiry_date } } it_behaves_like 'rotating token succeeds' -- GitLab From d954ad92b2844b9088fc4dc0fa44b2d76d31c019 Mon Sep 17 00:00:00 2001 From: Stephane Talbot Date: Sun, 18 Feb 2024 17:07:12 +0100 Subject: [PATCH 11/17] Add automatic reuse detection for group and project /self/rotate endpoint --- lib/gitlab/auth/auth_finders.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb index be3dbb507e5839..beb13c7e981114 100644 --- a/lib/gitlab/auth/auth_finders.rb +++ b/lib/gitlab/auth/auth_finders.rb @@ -480,8 +480,7 @@ def revoke_token_family(token) end def access_token_rotation_request? - current_request.path.match(%r{access_tokens/\d+/rotate$}) || - current_request.path.match(%r{/personal_access_tokens/self/rotate$}) + current_request.path.match(%r{access_tokens/(\d+|self)/rotate$}) end # To prevent Rack Attack from incorrectly rate limiting -- GitLab From 410e0084462f9b148ae2aca65b02eb5905871848 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Mon, 20 Jan 2025 20:36:00 -0600 Subject: [PATCH 12/17] Add documentation for project/group token self/refresh New endpoints added to documentation: - POST /groups/:id/access_tokens/self/rotate - POST /projects/:id/access_tokens/self/rotate --- doc/api/group_access_tokens.md | 66 ++++++++++++++++++++++++++++++-- doc/api/project_access_tokens.md | 66 ++++++++++++++++++++++++++++++-- 2 files changed, 126 insertions(+), 6 deletions(-) diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md index d1a2ce430e7715..a5e2d64d664bb1 100644 --- a/doc/api/group_access_tokens.md +++ b/doc/api/group_access_tokens.md @@ -146,14 +146,21 @@ curl --request POST --header "PRIVATE-TOKEN: " \ ## Rotate a group access token +Rotate a group access token. Revokes the previous token and creates a new token that expires in one week. + +You can either: + +- Use the group access token ID. +- In GitLab 17.9 and later, pass the group access token to the API in a request header. + +### Use a group access token ID + > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0 Prerequisites: - You must have a [personal access token with the `api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). -Rotate a group access token. Revokes the previous token and creates a new token that expires in one week. - In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date can be up to a maximum of one year from the rotation date. ```plaintext @@ -167,7 +174,8 @@ POST /groups/:id/access_tokens/:token_id/rotate | `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. | ```shell -curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/groups//access_tokens//rotate" +curl --request POST --header "PRIVATE-TOKEN: " \ +"https://gitlab.example.com/api/v4/groups//access_tokens//rotate" ``` Example response: @@ -178,6 +186,7 @@ Example response: "name": "Rotated Token", "revoked": false, "created_at": "2023-08-01T15:00:00.000Z", + "description": "Test group access token", "scopes": ["api"], "user_id": 1337, "last_used_at": null, @@ -195,8 +204,59 @@ Example response: - `401: Unauthorized` if either the: - User does not have access to the token with the specified ID. - Token with the specified ID does not exist. + - The authenticating token is a group access token, even if it's the token to rotate. See [self/rotate](#use-a-request-header). - `404: Not Found` if the user is an administrator but the token with the specified ID does not exist. +### Use a request header + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 + +Requires: + +- `api` or `self_rotate` scope. + +In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). + +```plaintext +POST /groups/:group_id/access_tokens/self/rotate +``` + +```shell +curl --request POST --header "PRIVATE-TOKEN: " \ +"https://gitlab.example.com/api/v4/groups//access_tokens/self/rotate" +``` + +Example response: + +```json +{ + "id": 42, + "name": "Rotated Token", + "revoked": false, + "created_at": "2025-01-19T15:00:00.000Z", + "description": "Test group access token", + "scopes": ["read_api","self_rotate"], + "user_id": 1337, + "last_used_at": null, + "active": true, + "expires_at": "2023-08-15", + "access_level": 30, + "token": "s3cr3t" +} +``` + +### Responses + +- `200: OK` if the existing token is successfully revoked and the new token successfully created. +- `400: Bad Request` if not rotated successfully. +- `401: Unauthorized` if either: + - The token does not exist. + - The token has expired. + - The token has been revoked. + - The token is not a group access token associated with this `:group_id` +- `403: Forbidden` if the token is not allowed to rotate itself. +- `405: Method Not Allowed` if the token is not an access token. + ### Automatic reuse detection Refer to [automatic reuse detection for personal access tokens](personal_access_tokens.md#automatic-reuse-detection) diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md index 85c67846822b42..d8f6f8fa721d7e 100644 --- a/doc/api/project_access_tokens.md +++ b/doc/api/project_access_tokens.md @@ -152,14 +152,21 @@ curl --request POST --header "PRIVATE-TOKEN: " \ ## Rotate a project access token +Rotate a project access token. Revokes the previous token and creates a new token that expires in one week. + +You can either: + +- Use a project access token ID. +- In GitLab 17.9 and later, pass the project access token to the API in a request header. + +### Use a project access token ID + > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0 Prerequisites: - You must have a [personal access token with the `api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). -Rotate a project access token. Revokes the previous token and creates a new token that expires in one week. - In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date can be up to a maximum of one year from the rotation date. ```plaintext @@ -173,7 +180,8 @@ POST /projects/:id/access_tokens/:token_id/rotate | `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. | ```shell -curl --request POST --header "PRIVATE-TOKEN: " "https://gitlab.example.com/api/v4/projects//access_tokens//rotate" +curl --request POST --header "PRIVATE-TOKEN: " \ +"https://gitlab.example.com/api/v4/projects//access_tokens//rotate" ``` Example response: @@ -184,6 +192,7 @@ Example response: "name": "Rotated Token", "revoked": false, "created_at": "2023-08-01T15:00:00.000Z", + "description": "Test project access token", "scopes": ["api"], "user_id": 1337, "last_used_at": null, @@ -201,8 +210,59 @@ Example response: - `401: Unauthorized` if either the: - User does not have access to the token with the specified ID. - Token with the specified ID does not exist. + - The authenticating token is a project access token, even if it's the token to rotate. See [self/rotate](#use-a-request-header). - `404: Not Found` if the user is an administrator but the token with the specified ID does not exist. +### Use a request header + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 + +Requires: + +- `api` or `self_rotate` scope. + +In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). + +```plaintext +POST /projects/:project_id/access_tokens/self/rotate +``` + +```shell +curl --request POST --header "PRIVATE-TOKEN: " \ +"https://gitlab.example.com/api/v4/projects//access_tokens/self/rotate" +``` + +Example response: + +```json +{ + "id": 42, + "name": "Rotated Token", + "revoked": false, + "created_at": "2025-01-19T15:00:00.000Z", + "description": "Test project access token", + "scopes": ["read_api","self_rotate"], + "user_id": 1337, + "last_used_at": null, + "active": true, + "expires_at": "2023-08-15", + "access_level": 30, + "token": "s3cr3t" +} +``` + +### Responses + +- `200: OK` if the existing token is successfully revoked and the new token successfully created. +- `400: Bad Request` if not rotated successfully. +- `401: Unauthorized` if either: + - The token does not exist. + - The token has expired. + - The token has been revoked. + - The token is not a project access token associated with this `:project_id` +- `403: Forbidden` if the token is not allowed to rotate itself. +- `405: Method Not Allowed` if the token is not a project access token. + ### Automatic reuse detection Refer to [automatic reuse detection for personal access tokens](personal_access_tokens.md#automatic-reuse-detection) -- GitLab From c650f2fda50062720b0815d01d9b0136794eeed1 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Tue, 21 Jan 2025 05:09:21 +0000 Subject: [PATCH 13/17] Fix markdownlint errors --- doc/api/group_access_tokens.md | 8 ++++---- doc/api/project_access_tokens.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md index a5e2d64d664bb1..c8cae2bc5122f6 100644 --- a/doc/api/group_access_tokens.md +++ b/doc/api/group_access_tokens.md @@ -197,7 +197,7 @@ Example response: } ``` -### Responses +#### Responses - `200: OK` if existing token is successfully revoked and the new token is created. - `400: Bad Request` if not rotated successfully. @@ -245,15 +245,15 @@ Example response: } ``` -### Responses +#### Responses -- `200: OK` if the existing token is successfully revoked and the new token successfully created. +- `200: OK` if the existing group access token is successfully revoked and the new token successfully created. - `400: Bad Request` if not rotated successfully. - `401: Unauthorized` if either: - The token does not exist. - The token has expired. - The token has been revoked. - - The token is not a group access token associated with this `:group_id` + - The token is not a group access token associated with this `:group_id`. - `403: Forbidden` if the token is not allowed to rotate itself. - `405: Method Not Allowed` if the token is not an access token. diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md index d8f6f8fa721d7e..80ade6cf0f52f8 100644 --- a/doc/api/project_access_tokens.md +++ b/doc/api/project_access_tokens.md @@ -203,7 +203,7 @@ Example response: } ``` -### Responses +#### Responses - `200: OK` if the existing token is successfully revoked and the new token is successfully created. - `400: Bad Request` if not rotated successfully. @@ -251,15 +251,15 @@ Example response: } ``` -### Responses +#### Responses -- `200: OK` if the existing token is successfully revoked and the new token successfully created. +- `200: OK` if the existing project access token is successfully revoked and the new token successfully created. - `400: Bad Request` if not rotated successfully. - `401: Unauthorized` if either: - The token does not exist. - The token has expired. - The token has been revoked. - - The token is not a project access token associated with this `:project_id` + - The token is not a project access token associated with this `:project_id`. - `403: Forbidden` if the token is not allowed to rotate itself. - `405: Method Not Allowed` if the token is not a project access token. -- GitLab From 07d54b513e7117ec845d5d0caf2d3dcbb807fcf8 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Wed, 22 Jan 2025 00:47:59 +0000 Subject: [PATCH 14/17] Applied suggested documentation edits. Co-authored-by: Isaac Durham --- doc/api/group_access_tokens.md | 15 +++++++++------ doc/api/project_access_tokens.md | 15 +++++++++------ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md index c8cae2bc5122f6..6d07de9569f157 100644 --- a/doc/api/group_access_tokens.md +++ b/doc/api/group_access_tokens.md @@ -204,12 +204,15 @@ Example response: - `401: Unauthorized` if either the: - User does not have access to the token with the specified ID. - Token with the specified ID does not exist. - - The authenticating token is a group access token, even if it's the token to rotate. See [self/rotate](#use-a-request-header). +- `401: Unauthorized` if any of the following conditions are true: + - You do not have access to the specified token. + - The specified token does not exist. + - You're authenticating with a group access token. Use [`/groups/:id/access_tokens/self/rotate`](#use-a-request-header). instead. - `404: Not Found` if the user is an administrator but the token with the specified ID does not exist. ### Use a request header -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 +> - Added [`self_rotate` scope](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 Requires: @@ -218,7 +221,7 @@ Requires: In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). ```plaintext -POST /groups/:group_id/access_tokens/self/rotate +POST /groups/:id/access_tokens/self/rotate ``` ```shell @@ -249,11 +252,11 @@ Example response: - `200: OK` if the existing group access token is successfully revoked and the new token successfully created. - `400: Bad Request` if not rotated successfully. -- `401: Unauthorized` if either: +- `401: Unauthorized` if any of the following conditions are true: - The token does not exist. - The token has expired. - - The token has been revoked. - - The token is not a group access token associated with this `:group_id`. + - The token was revoked. + - The token is not a group access token associated with the specified group. - `403: Forbidden` if the token is not allowed to rotate itself. - `405: Method Not Allowed` if the token is not an access token. diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md index 80ade6cf0f52f8..0f7ce009e00daa 100644 --- a/doc/api/project_access_tokens.md +++ b/doc/api/project_access_tokens.md @@ -210,12 +210,15 @@ Example response: - `401: Unauthorized` if either the: - User does not have access to the token with the specified ID. - Token with the specified ID does not exist. - - The authenticating token is a project access token, even if it's the token to rotate. See [self/rotate](#use-a-request-header). +- `401: Unauthorized` if any of the following conditions are true: + - You do not have access to the specified token. + - The specified token does not exist. + - You're authenticating with a project access token. Use [`/projects/:id/access_tokens/self/rotate`](#use-a-request-header). instead. - `404: Not Found` if the user is an administrator but the token with the specified ID does not exist. ### Use a request header -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 +> - Added [`self_rotate` scope](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 Requires: @@ -224,7 +227,7 @@ Requires: In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). ```plaintext -POST /projects/:project_id/access_tokens/self/rotate +POST /projects/:id/access_tokens/self/rotate ``` ```shell @@ -255,11 +258,11 @@ Example response: - `200: OK` if the existing project access token is successfully revoked and the new token successfully created. - `400: Bad Request` if not rotated successfully. -- `401: Unauthorized` if either: +- `401: Unauthorized` if any of the following conditions are true: - The token does not exist. - The token has expired. - - The token has been revoked. - - The token is not a project access token associated with this `:project_id`. + - The token was revoked. + - The token is not a project access token associated with the specified project. - `403: Forbidden` if the token is not allowed to rotate itself. - `405: Method Not Allowed` if the token is not a project access token. -- GitLab From 22b26254afe51290121d9512e1bc2da28dc3d365 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Wed, 22 Jan 2025 13:33:34 -0600 Subject: [PATCH 15/17] Settle on 'Introduced' wording for new self/rotate endpoints Co-authored-by: Isaac Durham --- doc/api/group_access_tokens.md | 2 +- doc/api/project_access_tokens.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md index 6d07de9569f157..c6aa38ef46fffd 100644 --- a/doc/api/group_access_tokens.md +++ b/doc/api/group_access_tokens.md @@ -212,7 +212,7 @@ Example response: ### Use a request header -> - Added [`self_rotate` scope](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 Requires: diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md index 0f7ce009e00daa..2b2d0ae7e130ea 100644 --- a/doc/api/project_access_tokens.md +++ b/doc/api/project_access_tokens.md @@ -218,7 +218,7 @@ Example response: ### Use a request header -> - Added [`self_rotate` scope](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178111) in GitLab 17.9 Requires: -- GitLab From 9b760843cf9214806e22747509ad33cd0c3cd73b Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Wed, 22 Jan 2025 13:45:44 -0600 Subject: [PATCH 16/17] Fix 'expires_at' in sample responses for self/rotate --- doc/api/group_access_tokens.md | 2 +- doc/api/personal_access_tokens.md | 2 +- doc/api/project_access_tokens.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md index c6aa38ef46fffd..971928f0d6476a 100644 --- a/doc/api/group_access_tokens.md +++ b/doc/api/group_access_tokens.md @@ -242,7 +242,7 @@ Example response: "user_id": 1337, "last_used_at": null, "active": true, - "expires_at": "2023-08-15", + "expires_at": "2025-01-26", "access_level": 30, "token": "s3cr3t" } diff --git a/doc/api/personal_access_tokens.md b/doc/api/personal_access_tokens.md index 929cd6f0ed49ea..df5bcc40ff0c8b 100644 --- a/doc/api/personal_access_tokens.md +++ b/doc/api/personal_access_tokens.md @@ -300,7 +300,7 @@ Example response: "user_id": 1337, "last_used_at": null, "active": true, - "expires_at": "2023-08-15", + "expires_at": "2023-08-08", "token": "s3cr3t" } ``` diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md index 2b2d0ae7e130ea..7f2c5dd1cb780f 100644 --- a/doc/api/project_access_tokens.md +++ b/doc/api/project_access_tokens.md @@ -248,7 +248,7 @@ Example response: "user_id": 1337, "last_used_at": null, "active": true, - "expires_at": "2023-08-15", + "expires_at": "2025-01-26", "access_level": 30, "token": "s3cr3t" } -- GitLab From 27b2fd3ec5fbae393a624ff36faed400ea045281 Mon Sep 17 00:00:00 2001 From: Anthony Juckel Date: Fri, 24 Jan 2025 14:53:58 +0000 Subject: [PATCH 17/17] Rename ROTATE_SELF_SPEC to SELF_ROTATE_SPEC for consistency --- app/controllers/concerns/oauth_applications.rb | 2 +- lib/gitlab/auth.rb | 4 ++-- .../api/personal_access_tokens/self_rotation_spec.rb | 12 ++++++------ .../api/resource_access_tokens/self_rotation_spec.rb | 6 +++--- .../groups/settings/access_tokens_controller_spec.rb | 2 +- .../settings/access_tokens_controller_spec.rb | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/app/controllers/concerns/oauth_applications.rb b/app/controllers/concerns/oauth_applications.rb index ab3bef8ae0bd83..5a78deecfea918 100644 --- a/app/controllers/concerns/oauth_applications.rb +++ b/app/controllers/concerns/oauth_applications.rb @@ -28,7 +28,7 @@ def load_scopes Doorkeeper.configuration.scopes.to_a - [ ::Gitlab::Auth::AI_WORKFLOW.to_s, ::Gitlab::Auth::DYNAMIC_USER.to_s, - ::Gitlab::Auth::ROTATE_SELF_SCOPE.to_s + ::Gitlab::Auth::SELF_ROTATE_SCOPE.to_s ] ) end diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index d4f81c392b9abe..d16ee796bea041 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -8,7 +8,7 @@ module Auth K8S_PROXY_SCOPE = :k8s_proxy # Scopes used for token allowed to rotate themselves - ROTATE_SELF_SCOPE = :self_rotate + SELF_ROTATE_SCOPE = :self_rotate # Scopes used for GitLab API access API_SCOPE = :api @@ -21,7 +21,7 @@ module Auth READ_USER_SCOPE, CREATE_RUNNER_SCOPE, MANAGE_RUNNER_SCOPE, K8S_PROXY_SCOPE, - ROTATE_SELF_SCOPE + SELF_ROTATE_SCOPE ].freeze # Scopes for Duo diff --git a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb index e14a4bfb98a66b..a162bfb1ff78a5 100644 --- a/spec/requests/api/personal_access_tokens/self_rotation_spec.rb +++ b/spec/requests/api/personal_access_tokens/self_rotation_spec.rb @@ -55,7 +55,7 @@ let(:current_user) { create(:admin) } let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -87,7 +87,7 @@ let(:current_user) { create(:user) } let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -97,7 +97,7 @@ context "with '#{scope}' and 'self_rotate' scoped token" do let(:current_user) { create(:user) } let(:token) do - create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + create(:personal_access_token, scopes: [scope, Gitlab::Auth::SELF_ROTATE_SCOPE], user: current_user) end it_behaves_like 'rotating token succeeds' @@ -150,7 +150,7 @@ context "with a '#{scope}' scoped token" do let(:token) { create(:oauth_access_token, scopes: [scope]) } - if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE].include? scope it_behaves_like 'rotating token denied', :method_not_allowed else it_behaves_like 'rotating token denied', :forbidden @@ -198,7 +198,7 @@ context "with a '#{scope}' scoped token" do let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -207,7 +207,7 @@ context "with '#{scope}' and 'self_rotate' scoped token" do let(:token) do - create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + create(:personal_access_token, scopes: [scope, Gitlab::Auth::SELF_ROTATE_SCOPE], user: current_user) end it_behaves_like 'rotating token succeeds' diff --git a/spec/requests/api/resource_access_tokens/self_rotation_spec.rb b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb index f126835402685f..62f3dadb679ff3 100644 --- a/spec/requests/api/resource_access_tokens/self_rotation_spec.rb +++ b/spec/requests/api/resource_access_tokens/self_rotation_spec.rb @@ -97,7 +97,7 @@ context 'with api or self_rotate scope' do let(:token) do - create(:oauth_access_token, scopes: [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE]) + create(:oauth_access_token, scopes: [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE]) end it_behaves_like 'rotating token denied', :method_not_allowed @@ -136,7 +136,7 @@ context "with a '#{scope}' scoped token" do let(:token) { create(:personal_access_token, scopes: [scope], user: current_user) } - if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::ROTATE_SELF_SCOPE].include? scope + if [Gitlab::Auth::API_SCOPE, Gitlab::Auth::SELF_ROTATE_SCOPE].include? scope it_behaves_like 'rotating token succeeds' else it_behaves_like 'rotating token denied', :forbidden @@ -145,7 +145,7 @@ context "with '#{scope}' and 'self_rotate' scoped token" do let(:token) do - create(:personal_access_token, scopes: [scope, Gitlab::Auth::ROTATE_SELF_SCOPE], user: current_user) + create(:personal_access_token, scopes: [scope, Gitlab::Auth::SELF_ROTATE_SCOPE], user: current_user) end it_behaves_like 'rotating token succeeds' diff --git a/spec/requests/groups/settings/access_tokens_controller_spec.rb b/spec/requests/groups/settings/access_tokens_controller_spec.rb index f0537fbcb53752..af93e4a6519ed8 100644 --- a/spec/requests/groups/settings/access_tokens_controller_spec.rb +++ b/spec/requests/groups/settings/access_tokens_controller_spec.rb @@ -120,7 +120,7 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) - expect(assigns(:scopes)).to include(Gitlab::Auth::ROTATE_SELF_SCOPE) + expect(assigns(:scopes)).to include(Gitlab::Auth::SELF_ROTATE_SCOPE) end end end diff --git a/spec/requests/projects/settings/access_tokens_controller_spec.rb b/spec/requests/projects/settings/access_tokens_controller_spec.rb index 382be2976f9f98..d91e356167cbaf 100644 --- a/spec/requests/projects/settings/access_tokens_controller_spec.rb +++ b/spec/requests/projects/settings/access_tokens_controller_spec.rb @@ -121,7 +121,7 @@ it 'sets available scopes' do expect(assigns(:scopes)).to include(Gitlab::Auth::K8S_PROXY_SCOPE) - expect(assigns(:scopes)).to include(Gitlab::Auth::ROTATE_SELF_SCOPE) + expect(assigns(:scopes)).to include(Gitlab::Auth::SELF_ROTATE_SCOPE) end end end -- GitLab