Granular PAT demo
What does this MR do and why?
This is an MR to demo granular PATs.
How to set up and validate locally
- In the Rails console, create a granular PAT for a user:

  ```ruby
  user = User.human.last
  token = PersonalAccessTokens::CreateService.new(
    current_user: user,
    target_user: user,
    organization_id: user.organization.id,
    params: { expires_at: 1.month.from_now, scopes: ['granular'], name: 'gPAT' }
  ).execute[:personal_access_token]
  project = user.projects.first
  scope = Authz::GranularScope.new(namespace: project.project_namespace, permissions: [:create_issue])
  Authz::GranularScopeService.new(token).add_granular_scopes(scope)
  puts "curl http://#{Gitlab.host_with_port}/api/v4/projects/#{project.id}/issues\?title\=My%20New%20Issue%20Title -X POST -H \"PRIVATE-TOKEN: #{token.token}\""
  ```

- Copy the printed curl command and run it in another terminal instance. It should succeed and create an issue.
- Run in console:

  ```ruby
  puts "curl http://#{Gitlab.host_with_port}/api/v4/projects/#{project.id}/issues/#{project.issues.last.iid}\?title\=My%20Updated%20Issue%20Title -X PUT -H \"PRIVATE-TOKEN: #{token.token}\""
  ```

- Copy the printed curl command and run it in another terminal instance. It should not succeed and should output an error like:

  ```json
  {"error":"granular_permissions_error","error_description":"Access denied: Your Personal Access Token lacks the required permissions: [update_issue] for \"alexbuijs/xxx\"."}
  ```

- Try to access an as-of-yet unsupported API endpoint and it should return something like:

  ```json
  {"error":"granular_permissions_error","error_description":"Unable to determine permissions for authorization"}
  ```
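The three outcomes in the steps above (allowed, missing permission, unmapped endpoint) can be modelled as a fail-closed check. This is an added example, not code from this MR or from GitLab: `ROUTE_PERMISSIONS`, `GranularToken`, `authorize`, the `allowed:` result shape, the `/members` route and the `group/project` namespace are all hypothetical and constructed for illustration.

```ruby
# Added illustration of a fail-closed granular permission check.
# Every name here is hypothetical; this is not GitLab's Authz code.
require 'json'

# Constructed route table: [HTTP method, path pattern] => required permission.
ROUTE_PERMISSIONS = {
  ['POST', %r{\A/api/v4/projects/\d+/issues\z}]     => :create_issue,
  ['PUT',  %r{\A/api/v4/projects/\d+/issues/\d+\z}] => :update_issue
}.freeze

# A token holds, per namespace path, the permissions it was granted.
GranularToken = Struct.new(:grants) do
  def permits?(namespace, permission)
    grants.fetch(namespace, []).include?(permission)
  end
end

def denial(description)
  { allowed: false,
    body: JSON.generate({ error: 'granular_permissions_error', error_description: description }) }
end

# Two distinct denials, both fail closed:
#   1. the route has no permission mapping, so nothing can be evaluated;
#   2. the route is mapped but the token lacks the permission for the namespace.
def authorize(token, method, path, namespace)
  _, required = ROUTE_PERMISSIONS.find { |(verb, pattern), _| verb == method && pattern.match?(path) }
  return denial('Unable to determine permissions for authorization') if required.nil?

  unless token.permits?(namespace, required)
    return denial('Access denied: Your Personal Access Token lacks the required ' \
                  "permissions: [#{required}] for \"#{namespace}\".")
  end

  { allowed: true, body: '{}' }
end

# Constructed sample: a token granted only create_issue on one project namespace.
TOKEN = GranularToken.new({ 'group/project' => [:create_issue] })

if __FILE__ == $PROGRAM_NAME
  [['POST', '/api/v4/projects/1/issues'],
   ['PUT',  '/api/v4/projects/1/issues/1'],
   ['GET',  '/api/v4/projects/1/members']].each do |verb, path|
    puts "#{verb} #{path} -> #{authorize(TOKEN, verb, path, 'group/project')}"
  end
end
```

An endpoint with no mapping is denied rather than falling back to a broader check, which is the property the last validation step exercises.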
Edited by Alex Buijs