Add project level access tokens
What does this MR do?
See #210181 (closed) and &2587
Adds the ability to add access tokens scoped to a project (PrAT). Adding PrAT also creates a "Project Bot User" that holds the access token. Revoking an access token removes the "Project Bot User" from the project and deletes the user making it a "Ghost User". This feature will be for self-managed instances only.
Other related changes
- Moves shared access token partials to
views/shared/access_tokens - Refactors access token partials to be more flexible
- Upgrades datepicker (used by PrAT, PAT, and impersonation tokens) to GitLab UI datepicker
- Grays out past dates in datepicker so an already expired token can't be created
- Improves consistency of capitalization across PAT and impersonation tokens
- Based on capitalization guidelines and how it is currently in the docs
- Improves consistency of single quotes/double quotes in access token partials
Steps to setup a PrAT
- Enable the
:resource_access_tokenfeature flagbin/rails console- `Feature.enable(:resource_access_token)
- Create a project
- Create a new PrAT in "Settings" -> "Access Tokens"
- Copy your PrAT and save it.
- A "Project Bot User" will show in "Settings" -> "Members", but you can't edit the user (#215297 (closed))
- Revoke the PrAT in "Settings" -> "Access Tokens", the "Project Bot User" will also be removed from the project.
Followup Issues
Screenshots
Review App: https://gitlab-review-210181-pro-umzb60.gitlab-review.app/root/test-project/-/settings/access_tokens
| Page | Before | After |
|---|---|---|
| Project Access Tokens | N/A |  |
| PAT |  |
 |
| Impersonation tokens |  |
 |
| Datepicker |  |
 |
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry - Behind
resource_access_tokenfeature flag -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides - [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers - [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Hegman