From b256b5affa5577f96715154777e08935274bdd0f Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Wed, 6 Jun 2018 16:42:52 -0500 Subject: [PATCH 1/4] Automatize the Deploy Token creation When AutoDevops is enabled in a project, a gitlab deploy token is automatically created (just for private or internal repos) --- app/models/project_auto_devops.rb | 19 +++++ ...eploy-token-when-autodevops-is-enabled.yml | 5 ++ doc/topics/autodevops/index.md | 5 ++ spec/factories/project_auto_devops.rb | 4 + spec/models/project_auto_devops_spec.rb | 81 +++++++++++++++++++ 5 files changed, 114 insertions(+) create mode 100644 changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb index ed6c1eddbc1..a326dae790b 100644 --- a/app/models/project_auto_devops.rb +++ b/app/models/project_auto_devops.rb @@ -6,6 +6,8 @@ class ProjectAutoDevops < ActiveRecord::Base validates :domain, allow_blank: true, hostname: { allow_numeric_hostname: true } + after_save :set_gitlab_deploy_token, if: :auto_devops_enabled? + def instance_domain Gitlab::CurrentSettings.auto_devops_domain end @@ -22,4 +24,21 @@ class ProjectAutoDevops < ActiveRecord::Base end end end + + def auto_devops_enabled? + Gitlab::CurrentSettings.auto_devops_enabled? || enabled? + end + + private + + def set_gitlab_deploy_token + return if project.public? || project.gitlab_deploy_token + + attributes = { + name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, + read_registry: true + } + + project.deploy_tokens.create(attributes) + end end diff --git a/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml b/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml new file mode 100644 index 00000000000..6974be07716 --- /dev/null +++ b/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml 
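Review bot: `auto_devops_enabled?` is written as `Gitlab::CurrentSettings.auto_devops_enabled? || enabled?`, so a project whose own record has `enabled` set to false still gets a registry-read deploy token whenever the instance default is on. If `enabled` is nullable and nil means "inherit the instance setting" (an assumption, since the schema is not visible here), the predicate should honour an explicit opt-out, for example `enabled.nil? ? Gitlab::CurrentSettings.auto_devops_enabled? : enabled?`. The same expression is carried unchanged into [PATCH 4/4]. The spec added in this patch expects a token for a `:disabled` record under an instance-level stub, so that expectation would need to change with it. The class body starts before the hunk.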
@@ -0,0 +1,5 @@ +--- +title: Automatize Deploy Token creation for Auto Devops +merge_request: 19507 +author: +type: added diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index fec575f263f..cf69aa79000 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md @@ -360,6 +360,10 @@ no longer be valid as soon as the deployment job finishes. This means that Kubernetes can run the application, but in case it should be restarted or executed somewhere else, it cannot be accessed again. +> [Introduced][ce-19507] in GitLab 11.0. + +When Auto Devops is enabled by default at instance level or specifically for the project, a [GitLab Deploy Token](../../user/project/deploy_tokens/index.md###gitlab-deploy-token) is automatically created, this one can be used for permanent access to the registry. + ### Auto Monitoring NOTE: **Note:** @@ -741,3 +745,4 @@ curl --data "value=true" --header "PRIVATE-TOKEN: personal_access_token" https:/ [Auto DevOps template]: https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml [GitLab Omnibus Helm Chart]: ../../install/kubernetes/gitlab_omnibus.md [ee]: https://about.gitlab.com/products/ +[ce-19507]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19507 diff --git a/spec/factories/project_auto_devops.rb b/spec/factories/project_auto_devops.rb index 5ce1988c76f..0e8b507f9ce 100644 --- a/spec/factories/project_auto_devops.rb +++ b/spec/factories/project_auto_devops.rb @@ -3,5 +3,9 @@ FactoryBot.define do project enabled true domain "example.com" + + trait :disabled do + enabled false + end end end diff --git a/spec/models/project_auto_devops_spec.rb b/spec/models/project_auto_devops_spec.rb index 7545c0797e9..bc66cb32c1b 100644 --- a/spec/models/project_auto_devops_spec.rb +++ b/spec/models/project_auto_devops_spec.rb 
@@ -71,4 +71,85 @@ describe ProjectAutoDevops do { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true } end end + + describe '#set_gitlab_deploy_token' do + let(:auto_devops) { build(:project_auto_devops, project: project) } + + context 'when the project is public' do + let(:project) { create(:project, :repository, :public) } + + it 'should not create a gitlab deploy token' do + expect do + auto_devops.save + end.not_to change { DeployToken.count } + end + end + + context 'when the project is internal' do + let(:project) { create(:project, :repository, :internal) } + + it 'should create a gitlab deploy token' do + expect do + auto_devops.save + end.to change { DeployToken.count }.by(1) + end + end + + context 'when the project is private' do + let(:project) { create(:project, :repository, :private) } + + it 'should create a gitlab deploy token' do + expect do + auto_devops.save + end.to change { DeployToken.count }.by(1) + end + end + + context 'when autodevops is enabled at project level' do + let(:project) { create(:project, :repository, :internal) } + let(:auto_devops) { build(:project_auto_devops, project: project) } + + it 'should create a deploy token' do + expect do + auto_devops.save + end.to change { DeployToken.count }.by(1) + end + end + + context 'when autodevops is enabled at instancel level' do + let(:project) { create(:project, :repository, :internal) } + let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) } + + it 'should create a deploy token' do + allow(Gitlab::CurrentSettings).to receive(:auto_devops_enabled?).and_return(true) + + expect do + auto_devops.save + end.to change { DeployToken.count }.by(1) + end + end + + context 'when autodevops is disabled' do + let(:project) { create(:project, :repository, :internal) } + let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) } + + it 'should not create a deploy token' do + expect do + auto_devops.save + end.not_to change { DeployToken.count 
} + end + end + + context 'when the project already has a gitlab-deploy-token' do + let(:project) { create(:project, :repository, :internal) } + let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) } + let(:auto_devops) { build(:project_auto_devops, project: project) } + + it 'should not create a deploy token' do + expect do + auto_devops.save + end.not_to change { DeployToken.count } + end + end + end end -- 2.24.1 From b4794d82fcb4092395c8d0c3a682caedc125d49a Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Thu, 7 Jun 2018 09:21:09 -0500 Subject: [PATCH 2/4] Rewords deploy token on AutoDevops section Also uses create! instead of create --- app/models/project_auto_devops.rb | 2 +- doc/topics/autodevops/index.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb index a326dae790b..43fece2d89c 100644 --- a/app/models/project_auto_devops.rb +++ b/app/models/project_auto_devops.rb @@ -39,6 +39,6 @@ class ProjectAutoDevops < ActiveRecord::Base read_registry: true } - project.deploy_tokens.create(attributes) + project.deploy_tokens.create!(attributes) end end diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index cf69aa79000..29e697896ee 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md 
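Review bot: The 'when autodevops is disabled' context never stubs `Gitlab::CurrentSettings.auto_devops_enabled?`, so it passes only while the instance default in the test environment happens to be false. Pinning it with `allow(Gitlab::CurrentSettings).to receive(:auto_devops_enabled?).and_return(false)` inside that example would make the negative case independent of configuration. The context label 'when autodevops is enabled at instancel level' has a typo ('instance level'). The 'enabled at project level' context repeats the setup and assertion of 'when the project is internal'.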
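Review bot: Switching to `project.deploy_tokens.create!(attributes)` inside an `after_save` callback means a token validation failure now raises out of `save` instead of returning false, and the settings write is rolled back with it. Callers that branch on the boolean result of `save` (not visible in this hunk) would see an `ActiveRecord::RecordInvalid` from an unrelated model. If that is the intent, say so at the method with `# Raises on failure so the settings save is rolled back with the token.`; otherwise rescue the error and add it to `errors`. The method body starts before the hunk.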
@@ -362,7 +362,9 @@ executed somewhere else, it cannot be accessed again. > [Introduced][ce-19507] in GitLab 11.0. -When Auto Devops is enabled by default at instance level or specifically for the project, a [GitLab Deploy Token](../../user/project/deploy_tokens/index.md###gitlab-deploy-token) is automatically created, this one can be used for permanent access to the registry. +For internal and private projects a [GitLab Deploy Token](../../user/project/deploy_tokens/index.md###gitlab-deploy-token) +will be automatically created, when Auto DevOps is enabled and the Auto DevOps settings are saved. This Deploy Token +can be used for permanent access to the registry. ### Auto Monitoring -- 2.24.1 From 194979fc179d24602fa1505597ebf52e21009aea Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Thu, 7 Jun 2018 10:51:27 -0500 Subject: [PATCH 3/4] Avoid creating deploy token if it has been revoked Add a note in the documentation about it --- app/models/project_auto_devops.rb | 12 +++++++----- doc/topics/autodevops/index.md | 3 +++ spec/models/project_auto_devops_spec.rb | 14 +++++++++++++- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb index 43fece2d89c..ff169f88322 100644 --- a/app/models/project_auto_devops.rb +++ b/app/models/project_auto_devops.rb @@ -32,13 +32,15 @@ class ProjectAutoDevops < ActiveRecord::Base private def set_gitlab_deploy_token - return if project.public? || project.gitlab_deploy_token + return if gitlab_deploy_token? - attributes = { - name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, + project.deploy_tokens.create!( + name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, read_registry: true - } + ) + end - project.deploy_tokens.create!(attributes) + def gitlab_deploy_token? + project.public? || project.deploy_tokens.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME) end end 
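Review bot: `project.deploy_tokens.create!` in `set_gitlab_deploy_token` passes only `name` and `read_registry: true`, so unless `DeployToken` applies a default expiry elsewhere (not visible in this hunk) the result is a non-expiring registry-read credential minted as a side effect of saving settings. The lookup in `gitlab_deploy_token?` matches on name alone, so any token with that name suppresses creation, whether it is active, expired or revoked. The commit message says this is intended for revoked tokens; the method should carry that reasoning, e.g. `# A revoked or expired token with this name still counts: it is never re-created automatically.` The class body starts before the hunk.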
diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index 29e697896ee..54d46fbcfaf 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md @@ -366,6 +366,9 @@ For internal and private projects a [GitLab Deploy Token](../../user/project/dep will be automatically created, when Auto DevOps is enabled and the Auto DevOps settings are saved. This Deploy Token can be used for permanent access to the registry. +Note: **Note** +When the GitLab Deploy Token has been manually revoked, it won't be automatically created. + ### Auto Monitoring NOTE: **Note:** diff --git a/spec/models/project_auto_devops_spec.rb b/spec/models/project_auto_devops_spec.rb index bc66cb32c1b..4778bf4052b 100644 --- a/spec/models/project_auto_devops_spec.rb +++ b/spec/models/project_auto_devops_spec.rb @@ -140,7 +140,7 @@ describe ProjectAutoDevops do end end - context 'when the project already has a gitlab-deploy-token' do + context 'when the project already has an active gitlab-deploy-token' do let(:project) { create(:project, :repository, :internal) } let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) } let(:auto_devops) { build(:project_auto_devops, project: project) } @@ -151,5 +151,17 @@ describe ProjectAutoDevops do end.not_to change { DeployToken.count } end end + + context 'when the project already has a revoked gitlab-deploy-token' do + let(:project) { create(:project, :repository, :internal) } + let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) } + let(:auto_devops) { build(:project_auto_devops, project: project) } + + it 'should not create a deploy token' do + expect do + auto_devops.save + end.not_to change { DeployToken.count } + end + end end end -- 2.24.1 From 7088ef75116874f5ed4f80d734afdb47e2d43975 Mon Sep 17 00:00:00 2001 
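Review bot: The new context is titled 'when the project already has a revoked gitlab-deploy-token' but builds the token with the `:expired` trait, so the revoked state the commit message is about is not what the example exercises. Expiry and revocation are presumably separate states on `DeployToken`, although its definition is not visible here. Either build the token in a revoked state, or rename the context to say 'expired' and add a second example for revocation. Both examples pass today only because the model looks the token up by name regardless of state, which is worth stating in the context description.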
From: Mayra Cabrera Date: Thu, 7 Jun 2018 11:50:30 -0500 Subject: [PATCH 4/4] Changes methods on AutoDevops to make them more explicit --- app/models/project_auto_devops.rb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb index ff169f88322..c6c990dfa00 100644 --- a/app/models/project_auto_devops.rb +++ b/app/models/project_auto_devops.rb @@ -6,7 +6,7 @@ class ProjectAutoDevops < ActiveRecord::Base validates :domain, allow_blank: true, hostname: { allow_numeric_hostname: true } - after_save :set_gitlab_deploy_token, if: :auto_devops_enabled? + after_save :create_gitlab_deploy_token, if: :needs_to_create_deploy_token? def instance_domain Gitlab::CurrentSettings.auto_devops_domain @@ -25,22 +25,22 @@ class ProjectAutoDevops < ActiveRecord::Base end end - def auto_devops_enabled? - Gitlab::CurrentSettings.auto_devops_enabled? || enabled? - end - private - def set_gitlab_deploy_token - return if gitlab_deploy_token? - + def create_gitlab_deploy_token project.deploy_tokens.create!( name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME, read_registry: true ) end - def gitlab_deploy_token? - project.public? || project.deploy_tokens.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME) + def needs_to_create_deploy_token? + auto_devops_enabled? && + !project.public? && + !project.deploy_tokens.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME).present? + end + + def auto_devops_enabled? + Gitlab::CurrentSettings.auto_devops_enabled? || enabled? end end -- 2.24.1
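Review bot: The last clause of `needs_to_create_deploy_token?` loads a full record only to negate `present?`; `!project.deploy_tokens.exists?(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME)` asks the same question without instantiating the token. Moving the check into the `if:` condition also leaves a gap between the lookup and `create!`, so two concurrent saves for the same project can both pass it and each create a token. No uniqueness constraint on the name per project is visible in this patch. If duplicates matter, enforce them at the database level rather than in the callback. The class body starts before the first hunk and the second hunk begins inside an existing method.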