
Add internal API to create access token

Tan Le requested to merge 379635-internal-suggested-reviewers-api-take-3 into master

What does this MR do and why?

This MR adds a new internal endpoint for suggested reviewers to get short-lived access tokens and query merge requests via the public API (GraphQL).

  • This API is gated behind the suggested_reviewers_control feature flag.
  • Documentation change to the Internal API page will be in a separate MR.

This is the third attempt to merge this change.

  • The first MR was merged but then reverted due to a permission error when running the DB migration.
  • The second MR was !105975 (merged) but then reverted due to missing dependencies in Omnibus and Charts.
  • The change in this MR is highlighted in #f97f71.

Implementations

POST /internal/suggested_reviewers/tokens

Attribute   Type     Required  Description
project_id  Integer  Yes       The ID of the project

The access token is:

  • Generated under suggested_reviewers_bot user
  • Valid for 1 day (we can't go any lower than that because expires_at only supports date granularity)
  • With access level Reporter
  • With scope read_api

Example request:

curl --request POST "https://gitlab.example.com/api/v4/internal/suggested_reviewers/tokens" \
  --header "Gitlab-Suggested-Reviewers-Api-Request: <jwt_token>" \
  --header "Content-type: application/json" \
  --data '{ "project_id": <project_id> }'

Example response:

{
  "id": 74,
  "name": "Suggested reviewers token",
  "revoked": false,
  "created_at": "2022-11-15T10:11:56.258Z",
  "scopes": [
    "read_api"
  ],
  "user_id": 129,
  "last_used_at": null,
  "active": false,
  "expires_at": "2022-11-15",
  "access_level": 20,
  "token": "glpat-<redacted>"
}

How to set up and validate locally

  1. Ensure a SaaS (Gitlab.com) environment
    1. One way of doing this is to add an env.runit file to the root GDK folder with the following snippet
      export GITLAB_SIMULATE_SAAS=1
  2. Set ultimate license on a group http://gdk.test:3000/admin/groups
  3. Create a project in the ultimate group or use an existing one, e.g. http://gdk.test:3000/gitlab-org/gitlab-test
  4. Set the feature flag in the Rails console (bundle exec rails c)
    project = Project.find(2)
    Feature.enable(:suggested_reviewers_control, project)
  5. Enable the suggested_reviewers_enabled project setting
    project.project_setting.update!(suggested_reviewers_enabled: true)
  6. Get the secret from the console
    secret = Gitlab::AppliedMl::SuggestedReviewers.secret
  7. Generate a JWT token
    jwt_token = JWT.encode(
      { 'iss' => Gitlab::AppliedMl::SuggestedReviewers::JWT_ISSUER, 'iat' => 1.minute.ago.to_i },
      secret, 'HS256'
    )
  8. Execute a cURL request to create a new access token for the above project
    curl --request POST \
      --url http://gdk.test:3000/api/v4/internal/suggested_reviewers/tokens \
      --header 'Content-Type: application/json' \
      --header 'Gitlab-Suggested-Reviewers-Api-Request: <jwt_token>' \
      --data '{ "project_id": 1 }'
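As an added example (not code from this MR or from GitLab itself), here is the HS256 token that step 7 builds, next to the validation the endpoint has to perform on the Gitlab-Suggested-Reviewers-Api-Request header before it mints an access token. The issuer value, the secret, and the iat acceptance window are all assumed, and the Ruby standard library stands in for the jwt gem.

```ruby
require 'json'
require 'openssl'

# Constructed stand-ins for Gitlab::AppliedMl::SuggestedReviewers::JWT_ISSUER and
# .secret; the real values come from the Rails console (steps 6 and 7).
JWT_ISSUER = 'gitlab-suggested-reviewers'
MAX_TOKEN_AGE = 5 * 60   # assumed acceptance window for iat, in seconds
CLOCK_LEEWAY = 30        # assumed tolerance for clock skew, in seconds

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.size % 4) % 4)).unpack1('m0')
end

# Client side: the same HS256 token that step 7 builds with JWT.encode.
def encode_jwt(payload, secret)
  header = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Constant-time byte comparison so a signature mismatch leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: checks the endpoint must make before creating the access token.
# Returns the claims on success and nil on any failure (malformed, bad signature,
# wrong issuer, or an iat outside the accepted window; the JWT carries no exp).
def verify_request_jwt(token, secret, now: Time.now.to_i)
  parts = token.split('.')
  return nil unless parts.size == 3
  header, body, sig = parts
  hdr = JSON.parse(b64url_decode(header))
  return nil unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256'   # only HS256 is accepted
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  return nil unless secure_equal?(expected, b64url_decode(sig))
  claims = JSON.parse(b64url_decode(body))
  return nil unless claims.is_a?(Hash) && claims['iss'] == JWT_ISSUER
  iat = claims['iat']
  return nil unless iat.is_a?(Integer)
  return nil if iat > now + CLOCK_LEEWAY      # issued in the future
  return nil if now - iat > MAX_TOKEN_AGE     # too old for a request-scoped token
  claims
rescue JSON::ParserError, ArgumentError
  nil
end
```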

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #379635

Edited by Tan Le
