
Implement Admin Mode for API

Jonas Wälter requested to merge siemens/gitlab:admin-mode-for-api into master

What does this MR do and why?

This MR is based on !107875 (merged).

This MR is part of the implementation plan in #42692 (comment 1222832412) to extend the Admin Mode feature to API access using a personal access token (PAT).

This MR:

  • adds a new :admin_mode_for_api feature flag.
  • implements Admin Mode for API:
    • If the feature flag is enabled:
      • Users can select the admin_mode scope when creating a personal access token (UI & API).
      • If the Admin Mode setting is enabled, all API endpoints for admins require the admin_mode scope in the PAT.
      • If the Admin Mode setting is disabled, the API endpoints for admins don't require the admin_mode scope in the PAT.
    • If the feature flag is disabled:
      • Users can't select the admin_mode scope when creating a personal access token (UI & API).
      • The API endpoints for admins don't require the admin_mode scope in the PAT (regardless of the Admin Mode setting).
  • disables the feature flag for all API specs for now. (The API specs will be adapted incrementally in separate MRs; the feature flag stays disabled for each spec until it has been adapted.)

Further information:

🛠 with at Siemens

/cc @bufferoverflow


How to set up and validate locally

  1. Enable the feature flag:
     Feature.enable(:admin_mode_for_api)
  2. Sign in as an administrator.
  3. Create a personal access token (PAT_with) with the admin_mode scope.
  4. Create a personal access token (PAT_without) without the admin_mode scope.
  5. Call an API endpoint for admins with PAT_with and PAT_without. While Admin Mode is disabled, both requests succeed:
     $ curl --header "PRIVATE-TOKEN: <PAT_with>" "http://localhost:3000/api/v4/application/appearance"
     {"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
     $ curl --header "PRIVATE-TOKEN: <PAT_without>" "http://localhost:3000/api/v4/application/appearance"
     {"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
  6. Navigate to the Admin Area and enable Admin Mode.
  7. Call the API endpoint for admins again with PAT_with and PAT_without. Now only the token carrying the admin_mode scope succeeds:
     $ curl --header "PRIVATE-TOKEN: <PAT_with>" "http://localhost:3000/api/v4/application/appearance"
     {"title":"","short_title":"","description":"","logo":null,"header_logo":null,"favicon":null,"new_project_guidelines":"","profile_image_guidelines":"","header_message":"","footer_message":"","message_background_color":"#E75E40","message_font_color":"#FFFFFF","email_header_and_footer_enabled":false}
     $ curl --header "PRIVATE-TOKEN: <PAT_without>" "http://localhost:3000/api/v4/application/appearance"
     {"message":"403 Forbidden"}
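The scope rule from the MR description (feature flag, Admin Mode setting, admin_mode scope) and the outcome of the validation steps above, as an added Ruby example that is not GitLab's own code: Pat, admin_api_status, selectable_scopes and the non-admin case are assumptions of this example; the scope name admin_mode and the flag name admin_mode_for_api come from the MR.

```ruby
# Added example, not GitLab's own code. It models the rule this MR describes
# for admin-only API endpoints called with a personal access token (PAT).
# Hypothetical names: Pat, admin_api_status, selectable_scopes.

Pat = Struct.new(:user_is_admin, :scopes, keyword_init: true)

# Whether the admin_mode scope is required right now, per the MR:
#   flag enabled  + Admin Mode setting enabled  -> required
#   flag enabled  + Admin Mode setting disabled -> not required
#   flag disabled                               -> never required
def admin_mode_scope_required?(feature_flag_enabled:, admin_mode_setting_enabled:)
  feature_flag_enabled && admin_mode_setting_enabled
end

# HTTP status an admin-only endpoint returns for a request bearing `pat`.
# Non-admin users are rejected regardless of scopes (assumption: admin-only
# endpoints stay closed to non-admins exactly as before this MR).
def admin_api_status(pat:, feature_flag_enabled:, admin_mode_setting_enabled:)
  return 403 unless pat.user_is_admin

  required = admin_mode_scope_required?(feature_flag_enabled: feature_flag_enabled,
                                        admin_mode_setting_enabled: admin_mode_setting_enabled)
  return 403 if required && !pat.scopes.include?(:admin_mode)

  200
end

# Scopes a user may pick when creating a PAT: admin_mode is only offered while
# the feature flag is on. :api is an existing GitLab scope; the base list here
# is illustrative, not the full set of GitLab scopes.
def selectable_scopes(feature_flag_enabled:)
  scopes = [:api, :read_api]
  feature_flag_enabled ? scopes + [:admin_mode] : scopes
end

# Constructed tokens matching PAT_with / PAT_without from the validation steps.
PAT_WITH    = Pat.new(user_is_admin: true, scopes: [:api, :admin_mode])
PAT_WITHOUT = Pat.new(user_is_admin: true, scopes: [:api])

if __FILE__ == $PROGRAM_NAME
  [[false, false], [true, false], [true, true]].each do |flag, setting|
    [["PAT_with", PAT_WITH], ["PAT_without", PAT_WITHOUT]].each do |name, pat|
      status = admin_api_status(pat: pat, feature_flag_enabled: flag,
                                admin_mode_setting_enabled: setting)
      puts "flag=#{flag} admin_mode_setting=#{setting} #{name}: #{status}"
    end
  end
end
```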

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter
