Commit c752c774 authored by Gerardo Navarro, committed by Fabio Pitino
New REST endpoint for allowlist of CI_JOB_TOKEN access settings

- GET "api/v4/projects/:id/job_token_scope/allowlist/inbound"

Further Notes:
- The response is paginated
- The response contains a list of projects (basic project object)

Changelog: added
parent 0ba5e520
1 merge request: !118495 New REST endpoint GET allowlist of CI_JOB_TOKEN access settings
......@@ -56,6 +56,7 @@ The following API resources are available in the project context:
| [Issues Statistics](issues_statistics.md) | `/projects/:id/issues_statistics` (also available for groups and standalone) |
| [Issues](issues.md) | `/projects/:id/issues` (also available for groups and standalone) |
| [Iterations](iterations.md) **(PREMIUM)** | `/projects/:id/iterations` (also available for groups) |
| [Project CI/CD job token scope](project_job_token_scopes.md) | `/projects/:id/job_token_scope` |
| [Jobs](jobs.md) | `/projects/:id/jobs`, `/projects/:id/pipelines/.../jobs` |
| [Jobs Artifacts](job_artifacts.md) | `/projects/:id/jobs/:job_id/artifacts` |
| [Labels](labels.md) | `/projects/:id/labels` |
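Review bot: the new row for [Project CI/CD job token scope](project_job_token_scopes.md) is inserted between Iterations and Jobs, but the surrounding rows are ordered by resource name, so a row that starts with "Project" belongs further down with the other P entries; if the intent is to keep it next to Jobs, name it so that it sorts there (for example "Job token scope").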
......
......@@ -4,35 +4,42 @@ group: Pipeline Security
info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"
---
# Project job token scope API **(FREE)**
# Project CI/CD job token scope API **(FREE)**
You can read more about the [CI/CD job token](../ci/jobs/ci_job_token.md)
NOTE:
- Every calls to the project token scope API must be authenticated, for example, with a personal access token.
- The authenticated user (personal access token) needs to have at least Maintainer role for the project.
- Depending on the usage, the personal access token requires read access (scope `read_api`) or read/write access (scope `api`) to the API.
All requests to the CI/CD job token scope API endpoint must be [authenticated](rest/index.md#authentication), and the authenticated user must have at least the Maintainer role for the project.
## Get a project job token scope
## Get a project's CI/CD job token access settings
Fetch CI_JOB_TOKEN access settings (job token scope) of a project.
Fetch the [CI/CD job token access settings](../ci/jobs/ci_job_token.md#configure-cicd-job-token-access) (job token scope) of a project.
```plaintext
GET /projects/:id/job_token_scope
```
Parameters
Supported attributes:
| Attribute | Type | Required | Description |
|-----------|----------------|------------------------|-------------|
| `id` | integer/string | **{check-circle}** Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
Example of request
If successful, returns [`200`](rest/index.md#status-codes) and the following response attributes:
| Attribute | Type | Description |
|:-------------------|:---------|:----------------------|
| `inbound_enabled` | boolean | Indicates if the CI/CD job token generated in other projects has access to this project. |
| `outbound_enabled` | boolean | Indicates if the CI/CD job token generated in this project has access to other projects. [Deprecated and planned for removal in GitLab 17.0 .](../update/removals.md#limit-ci_job_token-scope-is-disabled) |
Example request:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/job_token_scope"
```
Example of response
Example response:
```json
{
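Review bot: the replacement sentence "All requests to the CI/CD job token scope API endpoint must be authenticated ... at least the Maintainer role" drops a requirement the removed NOTE list carried: which token scope the personal access token needs (`read_api` for the GET, `api` for the PATCH). Keep one sentence stating the required scope, since a Maintainer-role token with only `read_api` will still fail the PATCH. Minor: "GitLab 17.0 ." in the `outbound_enabled` description has a stray space before the period.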
......@@ -41,22 +48,24 @@ Example of response
}
```
## Patch a project job token scope
## Patch a project's CI/CD job token access settings
Patch CI_JOB_TOKEN access settings of a project.
Patch the [**Allow access to this project with a CI_JOB_TOKEN** setting](../ci/jobs/ci_job_token.md#disable-the-job-token-scope-allowlist) (job token scope) of a project.
```plaintext
PATCH /projects/:id/job_token_scope
```
Parameters
Supported attributes:
| Attribute | Type | Required | Description |
|-----------|----------------|-------------------------|-------------|
| `id` | integer/string | **{check-circle}** Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
| `enabled` | boolean | **{dotted-circle}** Yes | Indicates CI/CD job tokens generated in other projects have restricted access to this project. |
| `enabled` | boolean | **{check-circle}** Yes | Indicates CI/CD job tokens generated in other projects have restricted access to this project. |
Example of request
If successful, returns [`204`](rest/index.md#status-codes) and no response body.
Example request:
```shell
curl --request PATCH \
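Review bot: only the Required marker changes on the `enabled` row, but its description "Indicates CI/CD job tokens generated in other projects have restricted access to this project" still does not say which boolean value restricts and which allows; since this is the control that decides whether foreign job tokens can reach the project, state explicitly what `true` and `false` do (the request example sends `"enabled": false`).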
......@@ -66,6 +75,69 @@ curl --request PATCH \
--data '{ "enabled": false }'
```
Example of response
## Get a project's CI/CD job token inbound allowlist
Fetch the [CI/CD job token inbound allowlist](../ci/jobs/ci_job_token.md#allow-access-to-your-project-with-a-job-token) (job token scope) of a project.
```plaintext
GET /projects/:id/job_token_scope/allowlist
```
Supported attributes:
| Attribute | Type | Required | Description |
|-----------|----------------|------------------------|-------------|
| `id` | integer/string | **{check-circle}** Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding) owned by the authenticated user. |
This endpoint supports [offset-based pagination](rest/index.md#offset-based-pagination).
If successful, returns [`200`](rest/index.md#status-codes) and a list of project with limited fields for each project.
Example request:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/job_token_scope/allowlist"
```
Example response:
There is no response body.
```json
[
{
"id": 4,
"description": null,
"name": "Diaspora Client",
"name_with_namespace": "Diaspora / Diaspora Client",
"path": "diaspora-client",
"path_with_namespace": "diaspora/diaspora-client",
"created_at": "2013-09-30T13:46:02Z",
"default_branch": "main",
"tag_list": [
"example",
"disapora client"
],
"topics": [
"example",
"disapora client"
],
"ssh_url_to_repo": "git@gitlab.example.com:diaspora/diaspora-client.git",
"http_url_to_repo": "https://gitlab.example.com/diaspora/diaspora-client.git",
"web_url": "https://gitlab.example.com/diaspora/diaspora-client",
"avatar_url": "https://gitlab.example.com/uploads/project/avatar/4/uploads/avatar.png",
"star_count": 0,
"last_activity_at": "2013-09-30T13:46:02Z",
"namespace": {
"id": 2,
"name": "Diaspora",
"path": "diaspora",
"kind": "group",
"full_path": "diaspora",
"parent_id": null,
"avatar_url": null,
"web_url": "https://gitlab.example.com/diaspora"
}
},
{
...
}
```
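Review bot: "Example response:" is immediately followed by "There is no response body." and then a JSON array, which contradicts both the example and the `200` line above it; drop that sentence (it looks copied from the PATCH section). Also "a list of project with limited fields for each project" should read "a list of projects with a limited set of fields for each project", and the stale "Example of response" line left at the end of the PATCH section should go.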
......@@ -2,6 +2,8 @@
module API
class ProjectJobTokenScope < ::API::Base
include PaginationParams
before { authenticate! }
feature_category :secrets_management
......@@ -51,6 +53,26 @@ class ProjectJobTokenScope < ::API::Base
no_content!
end
desc 'Fetch project inbound allowlist for CI_JOB_TOKEN access settings.' do
failure [
{ code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Forbidden' },
{ code: 404, message: 'Not found' }
]
success status: 200, model: Entities::BasicProjectDetails
tags %w[projects_job_token_scope]
end
params do
use :pagination
end
get ':id/job_token_scope/allowlist' do
authorize_admin_project
inbound_projects = ::Ci::JobToken::Scope.new(user_project).inbound_projects
present paginate(inbound_projects), with: Entities::BasicProjectDetails
end
end
end
end
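Review bot: the route registered here is `':id/job_token_scope/allowlist'`, while the commit message and MR title advertise `.../job_token_scope/allowlist/inbound`; the docs in this commit use the un-suffixed path, so either the message or the route should be aligned before merge. Also, `::Ci::JobToken::Scope.new(user_project).inbound_projects` evidently includes the project itself (the spec asserts `hash_including("id" => project.id)` in the response); the docs should say so, so that API consumers do not read the self-entry as a misconfigured allowlist. The `authorize_admin_project` guard matches the Maintainer requirement in the docs.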
......@@ -193,4 +193,74 @@
end
end
end
describe "GET /projects/:id/job_token_scope/allowlist" do
let_it_be(:project) { create(:project, :public) }
let_it_be(:user) { create(:user) }
let(:get_job_token_scope_allowlist_path) { "/projects/#{project.id}/job_token_scope/allowlist" }
subject { get api(get_job_token_scope_allowlist_path, user) }
context 'when unauthenticated user (missing user)' do
context 'for public project' do
it 'does not return ci cd settings of job token' do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
get api(get_job_token_scope_allowlist_path)
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
context 'when authenticated user as maintainer' do
before_all { project.add_maintainer(user) }
it 'returns allowlist containing only the source projects' do
subject
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(json_response).to be_present
expect(json_response).to include hash_including("id" => project.id)
end
it 'returns allowlist of project' do
create(:ci_job_token_project_scope_link, source_project: project, direction: :inbound)
create(:ci_job_token_project_scope_link, source_project: project, direction: :outbound)
ci_job_token_project_scope_link =
create(
:ci_job_token_project_scope_link,
source_project: project,
direction: :inbound
)
subject
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.count).to eq 3
expect(json_response).to include(
hash_including("id" => project.id),
hash_including("id" => ci_job_token_project_scope_link.target_project.id)
)
end
context 'when authenticated user as developer' do
before do
project.add_developer(user)
end
it 'returns forbidden and no ci cd settings for public project' do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
subject
expect(response).to have_gitlab_http_status(:forbidden)
end
end
end
end
end
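Review bot: the `'when authenticated user as developer'` context is nested inside `'when authenticated user as maintainer'`, so it runs after `before_all { project.add_maintainer(user) }` and only tests the developer role because `project.add_developer(user)` downgrades the existing membership; move it out to be a sibling of the maintainer context so the access level under test is unambiguous. Minor: `project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)` in both visibility tests is redundant, since `project` is already created with `:public`.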