From c2283096f3769853722da3f4c3fd2cd39338fed9 Mon Sep 17 00:00:00 2001 From: Timo Furrer Date: Fri, 15 Nov 2024 14:25:59 +0100 Subject: [PATCH 1/2] Support job token auth for read-only changelog generation API This change set adds support that allows authentication via `CI_JOB_TOKEN` for the read-only (`GET`) Changelog generation API. This is super useful to generate a changelog or release notes without any additional tokens. Since this is a read-only endpoint the security impact is very low. Changelog: added --- doc/api/repositories.md | 2 ++ doc/ci/jobs/ci_job_token.md | 1 + lib/api/repositories.rb | 1 + spec/requests/api/repositories_spec.rb | 35 ++++++++++++++++++++++++++ 4 files changed, 39 insertions(+) diff --git a/doc/api/repositories.md b/doc/api/repositories.md index fa1d3884b48202..aeeb36d12d89fb 100644 --- a/doc/api/repositories.md +++ b/doc/api/repositories.md @@ -446,6 +446,8 @@ curl --request POST --header "PRIVATE-TOKEN: token" \ ## Generate changelog data +> - Authentication via [CI/CD job token](../ci/jobs/ci_job_token.md) [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172842) in GitLab 17.7. + Generate changelog data based on commits in a repository, without committing them to a changelog file. diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 69b6326c7a9f1b..97be59a9019f45 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md 
@@ -47,6 +47,7 @@ The CI/CD job token can only access the following features and API endpoints: | [Update pipeline metadata API endpoint](../../api/pipelines.md#update-pipeline-metadata) | To update pipeline metadata. | | [Release links API](../../api/releases/links.md) | | | [Releases API](../../api/releases/index.md) | `GET` requests are public by default. | +| [Repositories API](../../api/repositories.md#generate-changelog-data) | `GET` API to generate Changelog is available. | | [Secure files](../secure_files/index.md#use-secure-files-in-cicd-jobs) | The `download-secure-files` tool authenticates with a CI/CD job token by default. | | [Terraform plan](../../user/infrastructure/index.md) | | diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb index 2d3e13edcdffc0..e0f331d1c81c34 100644 --- a/lib/api/repositories.rb +++ b/lib/api/repositories.rb @@ -290,6 +290,7 @@ def rescue_not_found? documentation: { example: '.gitlab/changelog_config.yml' }, desc: "The file path to the configuration file as stored in the project's Git repository. Defaults to '.gitlab/changelog_config.yml'" end + route_setting :authentication, job_token_allowed: true get ':id/repository/changelog' do service = ::Repositories::ChangelogService.new( user_project, diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index 70313d83470448..eeec669ee80bc8 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb 
@@ -878,6 +878,41 @@ def commit_messages(response) expect(json_response['notes']).to eq(release_notes) end + it 'returns generated changelog when using JOB-TOKEN auth' do + spy = instance_spy(Repositories::ChangelogService) + release_notes = 'Release notes' + + allow(Repositories::ChangelogService) + .to receive(:new) + .with( + project, + user, + version: '1.0.0', + from: 'foo', + to: 'bar', + date: DateTime.new(2020, 1, 1), + trailer: 'Foo' + ) + .and_return(spy) + + expect(spy).to receive(:execute).with(commit_to_changelog: false).and_return(release_notes) + + job = create(:ci_build, :running, project: project, user: user) + + get api("/projects/#{project.id}/repository/changelog"), + params: { + job_token: job.token, + version: '1.0.0', + from: 'foo', + to: 'bar', + date: '2020-01-01', + trailer: 'Foo' + } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['notes']).to eq(release_notes) + end + it 'supports leaving out the from and to attribute' do spy = instance_spy(Repositories::ChangelogService) -- GitLab From bff56b1c6e2a7818262bfe6c3c91b5d3aa50a066 Mon Sep 17 00:00:00 2001 From: Timo Furrer Date: Thu, 21 Nov 2024 07:38:45 +0000 Subject: [PATCH 2/2] Apply 2 suggestion(s) to 2 file(s) Co-authored-by: Brendan Lynch --- doc/api/repositories.md | 2 +- doc/ci/jobs/ci_job_token.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/api/repositories.md b/doc/api/repositories.md index aeeb36d12d89fb..0148971c1d7ec7 100644 --- a/doc/api/repositories.md +++ b/doc/api/repositories.md 
@@ -446,7 +446,7 @@ curl --request POST --header "PRIVATE-TOKEN: token" \ ## Generate changelog data -> - Authentication via [CI/CD job token](../ci/jobs/ci_job_token.md) [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172842) in GitLab 17.7. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172842) authentiation through [CI/CD job token](../ci/jobs/ci_job_token.md) in GitLab 17.7. Generate changelog data based on commits in a repository, without committing them to a changelog file. diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md index 97be59a9019f45..2a15e06dbd561d 100644 --- a/doc/ci/jobs/ci_job_token.md +++ b/doc/ci/jobs/ci_job_token.md @@ -47,7 +47,7 @@ The CI/CD job token can only access the following features and API endpoints: | [Update pipeline metadata API endpoint](../../api/pipelines.md#update-pipeline-metadata) | To update pipeline metadata. | | [Release links API](../../api/releases/links.md) | | | [Releases API](../../api/releases/index.md) | `GET` requests are public by default. | -| [Repositories API](../../api/repositories.md#generate-changelog-data) | `GET` API to generate Changelog is available. | +| [Repositories API](../../api/repositories.md#generate-changelog-data) | Generates changelog data based on commits in a repository. | | [Secure files](../secure_files/index.md#use-secure-files-in-cicd-jobs) | The `download-secure-files` tool authenticates with a CI/CD job token by default. | | [Terraform plan](../../user/infrastructure/index.md) | | -- GitLab
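Review bot: in the `lib/api/repositories.rb` hunk, `route_setting :authentication, job_token_allowed: true` sits directly above `get ':id/repository/changelog'`, so it should apply to that GET route only; please confirm that the committing variant of the changelog endpoint (the `POST` shown in the doc context) does not pick up the same setting, and add a one-line comment here stating that job-token access is intentionally limited to the read-only endpoint, because the "security impact is very low" rationale in the commit message rests on exactly that restriction. It is also worth verifying that `user_project` is resolved through the same job-token project scope checks as the other allowlisted endpoints, so a job from an unrelated project cannot read another project's commit history via this route.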
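Review bot: the new spec in `spec/requests/api/repositories_spec.rb` only exercises the success path for `job_token` on the GET route. Add a negative case asserting that the committing (`POST`) changelog endpoint still rejects a `job_token` (expecting `:unauthorized`), and one where the `ci_build` belongs to a project that is not allowed to access `project`, so a later change that widens the `route_setting` or the token scope is caught by the suite rather than shipped silently.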
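Review bot: typo in the `doc/api/repositories.md` hunk of the second patch: `authentiation` should read `authentication` in the history note `> - [Introduced](...) authentiation through [CI/CD job token](...) in GitLab 17.7.`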
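Review bot: the reworded table cell in the `doc/ci/jobs/ci_job_token.md` hunk of the second patch, `Generates changelog data based on commits in a repository.`, drops the qualification that only the `GET` endpoint accepts a job token. Since the linked Repositories API section also documents the committing variant, a reader of this allowlist may assume a job token can write a changelog too; suggest keeping the restriction explicit, for example `Generates changelog data based on commits in a repository (read-only GET request only).`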