- Notifications
You must be signed in to change notification settings - Fork676
feat(job_token_scope): support Groups in job token allowlist API#2816
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
JohnVillalovos merged 8 commits intopython-gitlab:mainfromTimKnight-DWP:feat/group-allowlistMay 13, 2024
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
8 commits Select commitHold shift + click to select a range
b9d705a feat(job_token_scope): support job token access allowlist API
nejch2fb53e4 test: add api integration test for ci_cd_token allowlist
TimKnight-DWP09aed71 feat: add support for groups_allowlist in job_token_scope
TimKnight-DWP3cc75e2 feat: add support for groups_allowlist in job_token_scope
TimKnight-DWP3bfc726 test: add unit tests for job_token_scope
TimKnight-DWPb6e4d01 chore: update job_token docs and object names
TimKnight-DWPc6a1fc6 refactor: use super().get_id()
TimKnight-DWP4aab77f test: cover .get_id() paths
TimKnight-DWPFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
50 changes: 50 additions & 0 deletionsdocs/gl_objects/job_token_scope.rst
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -49,3 +49,53 @@ Refresh the current state of job token scope:: | ||
| scope.refresh() | ||
| print(scope.inbound_enabled) | ||
| # False | ||
| Get a project's CI/CD job token inbound allowlist:: | ||
| allowlist = scope.allowlist.list() | ||
| Add a project to the project's inbound allowlist:: | ||
| allowed_project = scope.allowlist.create({"target_project_id": 42}) | ||
| Remove a project from the project's inbound allowlist:: | ||
| allowed_project.delete() | ||
| # or directly using a project ID | ||
| scope.allowlist.delete(42) | ||
| .. warning:: | ||
| Similar to above, the ID attributes you receive from the create and list | ||
| APIs are not consistent (in create() the id is returned as ``source_project_id`` whereas list() returns as ``id``). To safely retrieve the ID of the allowlisted project | ||
| regardless of how the object was created, always use its ``.get_id()`` method. | ||
TimKnight-DWP marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| Using ``.get_id()``:: | ||
| resp = allowlist.create({"target_project_id": 2}) | ||
| allowlist_id = resp.get_id() | ||
| allowlists = project.allowlist.list() | ||
| for allowlist in allowlists: | ||
| allowlist_id == allowlist.get_id() | ||
| Get a project's CI/CD job token inbound groups allowlist:: | ||
| allowlist = scope.groups_allowlist.list() | ||
| Add a project to the project's inbound groups allowlist:: | ||
| allowed_project = scope.groups_allowlist.create({"target_project_id": 42}) | ||
| Remove a project from the project's inbound agroups llowlist:: | ||
| allowed_project.delete() | ||
| # or directly using a Group ID | ||
| scope.groups_allowlist.delete(42) | ||
| .. warning:: | ||
| Similar to above, the ID attributes you receive from the create and list | ||
| APIs are not consistent. To safely retrieve the ID of the allowlisted group | ||
| regardless of how the object was created, always use its ``.get_id()`` method. | ||
48 changes: 48 additions & 0 deletionsgitlab/v4/objects/job_token_scope.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -2,12 +2,17 @@ | ||
| from gitlab.base import RESTManager, RESTObject | ||
| from gitlab.mixins import ( | ||
| CreateMixin, | ||
| DeleteMixin, | ||
| GetWithoutIdMixin, | ||
| ListMixin, | ||
| ObjectDeleteMixin, | ||
| RefreshMixin, | ||
| SaveMixin, | ||
| UpdateMethod, | ||
| UpdateMixin, | ||
| ) | ||
| from gitlab.types import RequiredOptional | ||
| __all__ = [ | ||
| "ProjectJobTokenScope", | ||
| @@ -18,6 +23,9 @@ | ||
| class ProjectJobTokenScope(RefreshMixin, SaveMixin, RESTObject): | ||
| _id_attr = None | ||
| allowlist: "AllowlistProjectManager" | ||
| groups_allowlist: "AllowlistGroupManager" | ||
| class ProjectJobTokenScopeManager(GetWithoutIdMixin, UpdateMixin, RESTManager): | ||
| _path = "/projects/{project_id}/job_token_scope" | ||
| @@ -27,3 +35,43 @@ class ProjectJobTokenScopeManager(GetWithoutIdMixin, UpdateMixin, RESTManager): | ||
| def get(self, **kwargs: Any) -> ProjectJobTokenScope: | ||
| return cast(ProjectJobTokenScope, super().get(**kwargs)) | ||
| class AllowlistProject(ObjectDeleteMixin, RESTObject): | ||
| _id_attr = "target_project_id" # note: only true for create endpoint | ||
| def get_id(self) -> int: | ||
| """Returns the id of the resource. This override deals with | ||
| the fact that either an `id` or a `target_project_id` attribute | ||
| is returned by the server depending on the endpoint called.""" | ||
| target_project_id = cast(int, super().get_id()) | ||
| if target_project_id is not None: | ||
| return target_project_id | ||
| return cast(int, self.id) | ||
TimKnight-DWP marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| class AllowlistProjectManager(ListMixin, CreateMixin, DeleteMixin, RESTManager): | ||
| _path = "/projects/{project_id}/job_token_scope/allowlist" | ||
| _obj_cls = AllowlistProject | ||
| _from_parent_attrs = {"project_id": "project_id"} | ||
| _create_attrs = RequiredOptional(required=("target_project_id",)) | ||
| class AllowlistGroup(ObjectDeleteMixin, RESTObject): | ||
| _id_attr = "target_group_id" # note: only true for create endpoint | ||
| def get_id(self) -> int: | ||
| """Returns the id of the resource. This override deals with | ||
| the fact that either an `id` or a `target_group_id` attribute | ||
| is returned by the server depending on the endpoint called.""" | ||
| target_group_id = cast(int, super().get_id()) | ||
| if target_group_id is not None: | ||
| return target_group_id | ||
| return cast(int, self.id) | ||
TimKnight-DWP marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| class AllowlistGroupManager(ListMixin, CreateMixin, DeleteMixin, RESTManager): | ||
| _path = "/projects/{project_id}/job_token_scope/groups_allowlist" | ||
| _obj_cls = AllowlistGroup | ||
| _from_parent_attrs = {"project_id": "project_id"} | ||
| _create_attrs = RequiredOptional(required=("target_group_id",)) | ||
116 changes: 116 additions & 0 deletionstests/functional/api/test_project_job_token_scope.py
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| # https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#allow-any-project-to-access-your-project | ||
| def test_enable_limit_access_to_this_project(gl, project): | ||
| scope = project.job_token_scope.get() | ||
| scope.enabled = True | ||
| scope.save() | ||
| scope.refresh() | ||
| assert scope.inbound_enabled | ||
| def test_disable_limit_access_to_this_project(gl, project): | ||
| scope = project.job_token_scope.get() | ||
| scope.enabled = False | ||
| scope.save() | ||
| scope.refresh() | ||
| assert not scope.inbound_enabled | ||
| def test_add_project_to_job_token_scope_allowlist(gl, project): | ||
| project_to_add = gl.projects.create({"name": "Ci_Cd_token_add_proj"}) | ||
| scope = project.job_token_scope.get() | ||
| resp = scope.allowlist.create({"target_project_id": project_to_add.id}) | ||
| assert resp.source_project_id == project.id | ||
| assert resp.target_project_id == project_to_add.id | ||
| project_to_add.delete() | ||
| def test_projects_job_token_scope_allowlist_contains_added_project_name(gl, project): | ||
| scope = project.job_token_scope.get() | ||
| project_name = "Ci_Cd_token_named_proj" | ||
| project_to_add = gl.projects.create({"name": project_name}) | ||
| scope.allowlist.create({"target_project_id": project_to_add.id}) | ||
| scope.refresh() | ||
| assert any(allowed.name == project_name for allowed in scope.allowlist.list()) | ||
| project_to_add.delete() | ||
| def test_remove_project_by_id_from_projects_job_token_scope_allowlist(gl, project): | ||
| scope = project.job_token_scope.get() | ||
| project_to_add = gl.projects.create({"name": "Ci_Cd_token_remove_proj"}) | ||
| scope.allowlist.create({"target_project_id": project_to_add.id}) | ||
| scope.refresh() | ||
| scope.allowlist.delete(project_to_add.id) | ||
| scope.refresh() | ||
| assert not any( | ||
| allowed.id == project_to_add.id for allowed in scope.allowlist.list() | ||
| ) | ||
| project_to_add.delete() | ||
| def test_add_group_to_job_token_scope_allowlist(gl, project): | ||
| group_to_add = gl.groups.create( | ||
| {"name": "add_group", "path": "allowlisted-add-test"} | ||
| ) | ||
| scope = project.job_token_scope.get() | ||
| resp = scope.groups_allowlist.create({"target_group_id": group_to_add.id}) | ||
| assert resp.source_project_id == project.id | ||
| assert resp.target_group_id == group_to_add.id | ||
| group_to_add.delete() | ||
| def test_projects_job_token_scope_groups_allowlist_contains_added_group_name( | ||
| gl, project | ||
| ): | ||
| scope = project.job_token_scope.get() | ||
| group_name = "list_group" | ||
| group_to_add = gl.groups.create( | ||
| {"name": group_name, "path": "allowlisted-add-and-list-test"} | ||
| ) | ||
| scope.groups_allowlist.create({"target_group_id": group_to_add.id}) | ||
| scope.refresh() | ||
| assert any(allowed.name == group_name for allowed in scope.groups_allowlist.list()) | ||
| group_to_add.delete() | ||
| def test_remove_group_by_id_from_projects_job_token_scope_groups_allowlist(gl, project): | ||
| scope = project.job_token_scope.get() | ||
| group_to_add = gl.groups.create( | ||
| {"name": "delete_group", "path": "allowlisted-delete-test"} | ||
| ) | ||
| scope.groups_allowlist.create({"target_group_id": group_to_add.id}) | ||
| scope.refresh() | ||
| scope.groups_allowlist.delete(group_to_add.id) | ||
| scope.refresh() | ||
| assert not any( | ||
| allowed.name == group_to_add.name for allowed in scope.groups_allowlist.list() | ||
| ) | ||
| group_to_add.delete() |
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.