Merge branch 'feature/release-links-api-job-token' into 'master'

Allow `CI_JOB_TOKEN` auth for release links API

See merge request !89958

doc/api/releases/links.md

@@ -6,21 +6,13 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Release links API **(FREE)**
 
+> Support for [GitLab CI/CD job token](../../ci/jobs/ci_job_token.md) authentication [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250819) in GitLab 15.1.
+
 Use this API to manipulate GitLab [Release](../../user/project/releases/index.md)
 links. For manipulating other Release assets, see [Release API](index.md).
 
 GitLab supports links to `http`, `https`, and `ftp` assets.
 
-## Authentication
-
-For authentication, the Release Links API accepts:
-
-- A [Personal Access Token](../../user/profile/personal_access_tokens.md) using the
-  `PRIVATE-TOKEN` header.
-- A [Project Access Token](../../user/project/settings/project_access_tokens.md) using the `PRIVATE-TOKEN` header.
-
-The [GitLab CI/CD job token](../../ci/jobs/ci_job_token.md) `$CI_JOB_TOKEN` is not supported. See [GitLab issue #50819](https://gitlab.com/gitlab-org/gitlab/-/issues/250819) for more details.
-
 ## Get links
 
 Get assets as links from a Release.

doc/ci/jobs/ci_job_token.md

@@ -20,7 +20,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints
 - [Get job artifacts](../../api/job_artifacts.md#get-job-artifacts).
 - [Get job token's job](../../api/jobs.md#get-job-tokens-job).
 - [Pipeline triggers](../../api/pipeline_triggers.md), using the `token=` parameter.
-- [Releases](../../api/releases/index.md).
+- [Releases](../../api/releases/index.md) and [Release links](../../api/releases/links.md).
 - [Terraform plan](../../user/infrastructure/index.md).
 
 NOTE:

lib/api/release/links.rb

@@ -29,6 +29,7 @@ class Links < ::API::Base
             params do
               use :pagination
             end
+            route_setting :authentication, job_token_allowed: true
             get 'links' do
               authorize! :read_release, release
 
@@ -45,6 +46,7 @@ class Links < ::API::Base
               optional :filepath, type: String, desc: 'The filepath of the link'
               optional :link_type, type: String, desc: 'The link type, one of: "runbook", "image", "package" or "other"'
             end
+            route_setting :authentication, job_token_allowed: true
             post 'links' do
               authorize! :create_release, release
 
@@ -65,6 +67,7 @@ class Links < ::API::Base
                 detail 'This feature was introduced in GitLab 11.7.'
                 success Entities::Releases::Link
               end
+              route_setting :authentication, job_token_allowed: true
               get do
                 authorize! :read_release, release
 
@@ -82,6 +85,7 @@ class Links < ::API::Base
                 optional :link_type, type: String, desc: 'The link type'
                 at_least_one_of :name, :url
               end
+              route_setting :authentication, job_token_allowed: true
               put do
                 authorize! :update_release, release
 
@@ -96,6 +100,7 @@ class Links < ::API::Base
                 detail 'This feature was introduced in GitLab 11.7.'
                 success Entities::Releases::Link
               end
+              route_setting :authentication, job_token_allowed: true
               delete do
                 authorize! :destroy_release, release
 

spec/requests/api/release/links_spec.rb

@@ -49,6 +49,20 @@
 
         expect(response).to match_response_schema('release/links')
       end
+
+      context 'when using JOB-TOKEN auth' do
+        let(:job) { create(:ci_build, :running, user: maintainer) }
+
+        it 'returns releases links' do
+          get api("/projects/#{project.id}/releases/v0.1/assets/links", job_token: job.token)
+
+          aggregate_failures "testing response" do
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to match_response_schema('release/links')
+            expect(json_response.count).to eq(2)
+          end
+        end
+      end
     end
 
     context 'when release does not exist' do
@@ -116,6 +130,20 @@
       expect(response).to match_response_schema('release/link')
     end
 
+    context 'when using JOB-TOKEN auth' do
+      let(:job) { create(:ci_build, :running, user: maintainer) }
+
+      it 'returns releases link' do
+        get api("/projects/#{project.id}/releases/v0.1/assets/links/#{release_link.id}", job_token: job.token)
+
+        aggregate_failures "testing response" do
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('release/link')
+          expect(json_response['name']).to eq(release_link.name)
+        end
+      end
+    end
+
     context 'when specified tag is not found in the project' do
       it_behaves_like '404 response' do
         let(:request) { get api("/projects/#{project.id}/releases/non_existing_tag/assets/links/#{release_link.id}", maintainer) }
@@ -198,6 +226,25 @@
       expect(response).to match_response_schema('release/link')
     end
 
+    context 'when using JOB-TOKEN auth' do
+      let(:job) { create(:ci_build, :running, user: maintainer) }
+
+      it 'creates a new release link' do
+        expect do
+          post api("/projects/#{project.id}/releases/v0.1/assets/links"), params: params.merge(job_token: job.token)
+        end.to change { Releases::Link.count }.by(1)
+
+        release.reload
+
+        aggregate_failures "testing response" do
+          expect(response).to have_gitlab_http_status(:created)
+          expect(last_release_link.name).to eq('awesome-app.dmg')
+          expect(last_release_link.filepath).to eq('/binaries/awesome-app.dmg')
+          expect(last_release_link.url).to eq('https://example.com/download/awesome-app.dmg')
+        end
+      end
+    end
+
     context 'with protected tag' do
       context 'when user has access to the protected tag' do
         let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }
@@ -314,6 +361,20 @@
       expect(response).to match_response_schema('release/link')
     end
 
+    context 'when using JOB-TOKEN auth' do
+      let(:job) { create(:ci_build, :running, user: maintainer) }
+
+      it 'updates the release link' do
+        put api("/projects/#{project.id}/releases/v0.1/assets/links/#{release_link.id}"), params: params.merge(job_token: job.token)
+
+        aggregate_failures "testing response" do
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('release/link')
+          expect(json_response['name']).to eq('awesome-app.msi')
+        end
+      end
+    end
+
     context 'with protected tag' do
       context 'when user has access to the protected tag' do
         let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }
@@ -411,6 +472,21 @@
       expect(response).to match_response_schema('release/link')
     end
 
+    context 'when using JOB-TOKEN auth' do
+      let(:job) { create(:ci_build, :running, user: maintainer) }
+
+      it 'deletes the release link' do
+        expect do
+          delete api("/projects/#{project.id}/releases/v0.1/assets/links/#{release_link.id}", job_token: job.token)
+        end.to change { Releases::Link.count }.by(-1)
+
+        aggregate_failures "testing response" do
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('release/link')
+        end
+      end
+    end
+
     context 'with protected tag' do
       context 'when user has access to the protected tag' do
         let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) }