Fixed group deploy token API authorizations

Updated authorizations for group deploy tokens API.
Updated rspec accordingly.

app/controllers/groups/application_controller.rb

@@ -34,6 +34,18 @@ class Groups::ApplicationController < ApplicationController
     end
   end
 
+  def authorize_create_deploy_token!
+    unless can?(current_user, :create_deploy_token, group)
+      return render_404
+    end
+  end
+
+  def authorize_destroy_deploy_token!
+    unless can?(current_user, :destroy_deploy_token, group)
+      return render_404
+    end
+  end
+
   def authorize_admin_group_member!
     unless can?(current_user, :admin_group_member, group)
       return render_403

app/controllers/groups/deploy_tokens_controller.rb

 # frozen_string_literal: true
 
 class Groups::DeployTokensController < Groups::ApplicationController
-  before_action :authorize_admin_group!
+  before_action :authorize_destroy_deploy_token!
 
   def revoke
     @token = @group.deploy_tokens.find(params[:id])

app/controllers/groups/settings/repository_controller.rb

@@ -4,7 +4,7 @@ module Groups
   module Settings
     class RepositoryController < Groups::ApplicationController
       skip_cross_project_access_check :show
-      before_action :authorize_admin_group!
+      before_action :authorize_create_deploy_token!
       before_action :define_deploy_token_variables
       before_action do
         push_frontend_feature_flag(:ajax_new_deploy_token, @group)

app/policies/group_policy.rb

@@ -110,9 +110,7 @@ class GroupPolicy < BasePolicy
     enable :create_cluster
     enable :update_cluster
     enable :admin_cluster
-    enable :destroy_deploy_token
     enable :read_deploy_token
-    enable :create_deploy_token
   end
 
   rule { owner }.policy do
@@ -124,6 +122,8 @@ class GroupPolicy < BasePolicy
     enable :set_note_created_at
     enable :set_emails_disabled
     enable :update_default_branch_protection
+    enable :create_deploy_token
+    enable :destroy_deploy_token
   end
 
   rule { can?(:read_nested_project_resources) }.policy do

changelogs/unreleased/security-212469-fix-deploy-token-api.yml

+---
+title: Fix group deploy token API authorizations
+merge_request:
+author:
+type: security

doc/api/deploy_tokens.md

@@ -136,7 +136,8 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git
 
 ## Group deploy tokens
 
-These endpoints require group maintainer access or higher.
+Group maintainers and owners can list group deploy
+tokens. Only group owners can create and delete group deploy tokens.
 
 ### List group deploy tokens
 

doc/user/permissions.md

@@ -255,6 +255,8 @@ group.
 | Edit epic comments (posted by any user) **(ULTIMATE)** |       |          |           | ✓ (2)      | ✓ (2) |
 | Edit group settings                                    |       |          |           |            | ✓     |
 | Manage group level CI/CD variables                     |       |          |           |            | ✓     |
+| List group deploy tokens                               |       |          |           | ✓          | ✓     |
+| Create/Delete group deploy tokens                      |       |          |           |            | ✓     |
 | Manage group members                                   |       |          |           |            | ✓     |
 | Delete group                                           |       |          |           |            | ✓     |
 | Delete group epic **(ULTIMATE)**                       |       |          |           |            | ✓     |

spec/requests/api/deploy_tokens_spec.rb

@@ -204,7 +204,7 @@ describe API::DeployTokens do
   end
 
   context 'deploy token creation' do
-    shared_examples 'creating a deploy token' do |entity, unauthenticated_response|
+    shared_examples 'creating a deploy token' do |entity, unauthenticated_response, authorized_role|
       let(:expires_time) { 1.year.from_now }
       let(:params) do
         {
@@ -231,9 +231,9 @@ describe API::DeployTokens do
         it { is_expected.to have_gitlab_http_status(:forbidden) }
       end
 
-      context 'when authenticated as maintainer' do
+      context "when authenticated as #{authorized_role}" do
         before do
-          send(entity).add_maintainer(user)
+          send(entity).send("add_#{authorized_role}", user)
         end
 
         it 'creates the deploy token' do
@@ -282,7 +282,7 @@ describe API::DeployTokens do
         response
       end
 
-      it_behaves_like 'creating a deploy token', :project, :not_found
+      it_behaves_like 'creating a deploy token', :project, :not_found, :maintainer
     end
 
     describe 'POST /groups/:id/deploy_tokens' do
@@ -291,7 +291,17 @@ describe API::DeployTokens do
         response
       end
 
-      it_behaves_like 'creating a deploy token', :group, :forbidden
+      it_behaves_like 'creating a deploy token', :group, :forbidden, :owner
+
+      context 'when authenticated as maintainer' do
+        before do
+          group.add_maintainer(user)
+        end
+
+        let(:params) { { name: 'test', scopes: ['read_repository'] } }
+
+        it { is_expected.to have_gitlab_http_status(:forbidden) }
+      end
     end
   end
 
@@ -320,6 +330,14 @@ describe API::DeployTokens do
         group.add_maintainer(user)
       end
 
+      it { is_expected.to have_gitlab_http_status(:forbidden) }
+    end
+
+    context 'when authenticated as owner' do
+      before do
+        group.add_owner(user)
+      end
+
       it 'calls the deploy token destroy service' do
         expect(::Groups::DeployTokens::DestroyService).to receive(:new)
           .with(group, user, token_id: group_deploy_token.id)