Project access token API
What does this MR do?
Relates to: #238991 (closed)
This MR provides an API endpoint to manage (create, list, revoke) Project Access Tokens.
Additionally, it prevents project access tokens from creating other project access tokens by modifying the :admin_resource_access_tokens rule so that project bots no longer satisfy the policy. A prior MR introduced audit event logging for creating/revoking project access tokens, which will help admins track down misuse of tokens. More discussion of this security risk is in the issue.
GET:
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens"
POST:
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
--header "Content-Type:application/json" \
--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":"2021-01-31" }' \
"http://127.0.0.1:3000/api/v4/projects/20/access_tokens"
DELETE:
curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<user_id>"
Sample output for GET, POST, and DELETE requests is in doc/api/resource_access_tokens.md (in this MR's diffs).
Project access tokens cannot create other project access tokens.
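As an added example (not code from this MR or from GitLab), the following audits the JSON returned by the GET endpoint above and flags active tokens an admin may want to revoke: broad scopes, no expiry, or an expiry far in the future. The response field names (id, name, scopes, expires_at, active, revoked) are assumed to match the MR's documentation; the sample response is constructed.

```python
import json
from datetime import date, timedelta

# Constructed sample of a GET /projects/:id/access_tokens response body.
# Field names are assumed to follow doc/api/resource_access_tokens.md.
SAMPLE_RESPONSE = json.dumps([
    {"id": 42, "name": "ci-deploy", "scopes": ["read_repository"],
     "expires_at": "2021-01-31", "active": True, "revoked": False},
    {"id": 43, "name": "test_token", "scopes": ["api", "read_repository"],
     "expires_at": None, "active": True, "revoked": False},
    {"id": 44, "name": "old-bot", "scopes": ["api"],
     "expires_at": "2022-12-31", "active": True, "revoked": False},
    {"id": 45, "name": "retired", "scopes": ["api"],
     "expires_at": None, "active": False, "revoked": True},
])

# Scopes that grant write or full-API access to the project (policy choice, not a GitLab constant).
BROAD_SCOPES = {"api", "write_repository"}
MAX_LIFETIME = timedelta(days=365)


def audit_tokens(response_body, today, max_lifetime=MAX_LIFETIME):
    """Return (id, name, [reasons]) for each active token that needs attention."""
    findings = []
    for token in json.loads(response_body):
        if token.get("revoked") or not token.get("active", True):
            continue  # already revoked or inactive: nothing to do
        reasons = []
        broad = BROAD_SCOPES.intersection(token.get("scopes", []))
        if broad:
            reasons.append("broad scope: " + ", ".join(sorted(broad)))
        expires_at = token.get("expires_at")
        if expires_at is None:
            reasons.append("no expiry")
        elif date.fromisoformat(expires_at) - today > max_lifetime:
            reasons.append("expiry more than %d days out" % max_lifetime.days)
        if reasons:
            findings.append((token["id"], token["name"], reasons))
    return findings


def example_findings():
    """Run the audit over the constructed sample as of 2021-01-15."""
    return audit_tokens(SAMPLE_RESPONSE, date(2021, 1, 15))


if __name__ == "__main__":
    for token_id, name, reasons in example_findings():
        print(token_id, name, "; ".join(reasons))
```

Each flagged id can then be passed to the DELETE endpoint shown above after a human has confirmed the token is no longer needed.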
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team