Add write_registry scope to deploy tokens

Merged Steve Abrams requested to merge 22743-deploy-token-write-registry into master

What does this MR do?

This MR adds a new scope to deploy tokens: write_registry, which allows the deploy token to have :create_container_image permissions. The token allows users to push images to the container registry (where read_registry only allowed for pulling images).

Database

deploy_tokens has less than 160000 records.

Up migration

== 20200406192059 AddWriteRegistryToDeployTokens: migrating ===================
-- transaction_open?()
   -> 0.0000s
-- execute("SET statement_timeout TO 0")
   -> 0.0004s
-- transaction()
-- add_column(:deploy_tokens, :write_registry, :boolean, {:default=>nil})
   -> 0.0023s
-- change_column_default(:deploy_tokens, :write_registry, false)
   -> 0.0038s
   -> 0.0070s
-- columns(:deploy_tokens)
   -> 0.0015s
-- transaction_open?()
   -> 0.0000s
-- exec_query("SELECT COUNT(*) AS count FROM \"deploy_tokens\"")
   -> 0.0048s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1")
   -> 0.0005s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 1 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
   -> 0.0004s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 1 AND \"deploy_tokens\".\"id\" < 2")
   -> 0.0007s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 2 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
   -> 0.0003s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 2 AND \"deploy_tokens\".\"id\" < 3")
   -> 0.0005s
-- exec_query("SELECT \"deploy_tokens\".\"id\" FROM \"deploy_tokens\" WHERE \"deploy_tokens\".\"id\" >= 3 ORDER BY \"deploy_tokens\".\"id\" ASC LIMIT 1 OFFSET 1")
   -> 0.0004s
-- execute("UPDATE \"deploy_tokens\" SET \"write_registry\" = FALSE WHERE \"deploy_tokens\".\"id\" >= 3")
   -> 0.0004s
-- change_column_null(:deploy_tokens, :write_registry, false)
   -> 0.0005s
-- execute("RESET ALL")
   -> 0.0002s
== 20200406192059 AddWriteRegistryToDeployTokens: migrated (0.0195s) ==========

Down migration

== 20200406192059 AddWriteRegistryToDeployTokens: reverting ===================
-- remove_column(:deploy_tokens, :write_registry)
   -> 0.0014s
== 20200406192059 AddWriteRegistryToDeployTokens: reverted (0.0015s) ==========

Screenshots

Blank deploy token form with new option:

Screen_Shot_2020-04-06_at_2.14.42_PM

Form after successful token creation:

Screen_Shot_2020-04-06_at_2.19.33_PM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related #22743 (closed)

Edited by Craig Norris