Package registry deploy tokens

Add read_package_registry and write_package_registry
scopes to deploy tokens.

Add deploy token access to NPM.

app/models/deploy_token.rb

@@ -7,7 +7,8 @@ class DeployToken < ApplicationRecord
   include Gitlab::Utils::StrongMemoize
   add_authentication_token_field :token, encrypted: :optional
 
-  AVAILABLE_SCOPES = %i(read_repository read_registry write_registry).freeze
+  AVAILABLE_SCOPES = %i(read_repository read_registry write_registry
+                        read_package_registry write_package_registry).freeze
   GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
 
   default_value_for(:expires_at) { Forever.date }
@@ -105,7 +106,7 @@ class DeployToken < ApplicationRecord
   end
 
   def ensure_at_least_one_scope
-    errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry || write_registry
+    errors.add(:base, _("Scopes can't be blank")) unless scopes.any?
   end
 
   def default_username

changelogs/unreleased/213566-package-deploy-tokens.yml

+---
+title: Add read/write_package_registry to deploy_tokens
+merge_request: 29383
+author:
+type: added

db/migrate/20200411125656_add_package_scopes_to_deploy_tokens.rb

+# frozen_string_literal: true
+
+class AddPackageScopesToDeployTokens < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:deploy_tokens, :read_package_registry, :boolean, default: false, allow_null: false)
+    add_column_with_default(:deploy_tokens, :write_package_registry, :boolean, default: false, allow_null: false)
+  end
+
+  def down
+    remove_column(:deploy_tokens, :read_package_registry)
+    remove_column(:deploy_tokens, :write_package_registry)
+  end
+end

db/structure.sql

@@ -2003,7 +2003,9 @@ CREATE TABLE public.deploy_tokens (
     username character varying,
     token_encrypted character varying(255),
     deploy_token_type smallint DEFAULT 2 NOT NULL,
-    write_registry boolean DEFAULT false NOT NULL
+    write_registry boolean DEFAULT false NOT NULL,
+    read_package_registry boolean DEFAULT false NOT NULL,
+    write_package_registry boolean DEFAULT false NOT NULL
 );
 
 CREATE SEQUENCE public.deploy_tokens_id_seq
@@ -13242,6 +13244,7 @@ COPY "schema_migrations" (version) FROM STDIN;
 20200409085956
 20200409211607
 20200410232012
+20200411125656
 20200413072059
 20200414144547
 20200415160722

spec/factories/deploy_tokens.rb

@@ -8,6 +8,8 @@ FactoryBot.define do
     read_repository { true }
     read_registry { true }
     write_registry { false }
+    read_package_registry { false }
+    write_package_registry { false }
     revoked { false }
     expires_at { 5.days.from_now }
     deploy_token_type { DeployToken.deploy_token_types[:project_type] }
@@ -31,5 +33,11 @@ FactoryBot.define do
     trait :project do
       deploy_token_type { DeployToken.deploy_token_types[:project_type] }
     end
+
+    trait :all_scopes do
+      write_registry { true}
+      read_package_registry { true }
+      write_package_registry { true }
+    end
   end
 end

spec/models/deploy_token_spec.rb

@@ -72,8 +72,10 @@ describe DeployToken do
 
   describe '#scopes' do
     context 'with all the scopes' do
+      let_it_be(:deploy_token) { create(:deploy_token, :all_scopes) }
+
       it 'returns scopes assigned to DeployToken' do
-        expect(deploy_token.scopes).to eq([:read_repository, :read_registry])
+        expect(deploy_token.scopes).to eq(DeployToken::AVAILABLE_SCOPES)
       end
     end