Commit 6e311075 authored by Rubén Dávila's avatar Rubén Dávila

Delete PATs when transfering project to a free group

Project's Personal Access Tokens are only available for premium hosted
plans, hence we should make them invalid when the project is transferred
to a group with a free plan.

Changelog: fixed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65803
EE: true
parent 8439b05d
...@@ -89,6 +89,8 @@ module Projects ...@@ -89,6 +89,8 @@ module Projects
update_integrations update_integrations
remove_paid_features
project.old_path_with_namespace = @old_path project.old_path_with_namespace = @old_path
update_repository_configuration(@new_path) update_repository_configuration(@new_path)
...@@ -109,6 +111,10 @@ module Projects ...@@ -109,6 +111,10 @@ module Projects
move_pages(project) move_pages(project)
end end
# Overridden in EE
def remove_paid_features
end
def transfer_missing_group_resources(group) def transfer_missing_group_resources(group)
Labels::TransferService.new(current_user, group, project).execute Labels::TransferService.new(current_user, group, project).execute
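Review bot: `remove_paid_features` is called between `update_integrations` and the path/repository updates, so if the EE override writes to the database and a later step of the transfer fails, the tokens would already be revoked for a project that never moved; the enclosing method starts outside the hunk, so confirm the call runs inside the same transaction as the rest of the transfer, or move it after the repository steps. The `# Overridden in EE` comment on the no-op hook could also state what the override is for, e.g. `# Overridden in EE to strip features the target namespace's plan does not include.`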
...@@ -45,6 +45,20 @@ module EE ...@@ -45,6 +45,20 @@ module EE
::Elastic::ProcessInitialBookkeepingService.backfill_projects!(project) if project.maintaining_elasticsearch? ::Elastic::ProcessInitialBookkeepingService.backfill_projects!(project) if project.maintaining_elasticsearch?
end end
end end
override :remove_paid_features
def remove_paid_features
revoke_project_access_tokens
end
def revoke_project_access_tokens
return if new_namespace.feature_available_non_trial?(:resource_access_token)
PersonalAccessTokensFinder
.new(user: project.bots, impersonation: false)
.execute
.update_all(revoked: true)
end
end end
end end
end end
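Review bot: `revoke_project_access_tokens` revokes with `update_all(revoked: true)`, which skips any validations and callbacks on `PersonalAccessToken` and records nothing about why the credentials stopped working; for an action that silently disables tokens it would help to record an audit event or at least a log line per revoked token so owners and admins can trace the cause to the transfer. The guard is `feature_available_non_trial?`, whose name suggests tokens are also revoked when the target group has the feature only through a trial — if that is intended, say so, e.g. `# Tokens survive only when the target plan includes the feature outside a trial.` The bot users themselves remain project members with dead tokens, which looks deliberate but deserves a line in the same comment. Neither method has a visible `private` marker; if the earlier methods of this module are private, these should be as well.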
...@@ -126,4 +126,52 @@ RSpec.describe Projects::TransferService do ...@@ -126,4 +126,52 @@ RSpec.describe Projects::TransferService do
end end
end end
end end
describe 'project access tokens' do
let_it_be(:premium_group) { create(:group_with_plan, plan: :premium_plan) }
let_it_be(:free_group) { create(:group) }
before do
premium_group.add_owner(user)
free_group.add_owner(user)
ResourceAccessTokens::CreateService.new(user, project).execute
end
def revoked_tokens
PersonalAccessToken.without_impersonation.for_users(project.bots).revoked
end
context 'with a self managed instance' do
before do
stub_ee_application_setting(should_check_namespace_plan: false)
end
it 'does not revoke PATs' do
subject.execute(group)
expect { subject.execute(group) }.not_to change { revoked_tokens.count }
end
end
context 'with GL.com' do
before do
stub_ee_application_setting(should_check_namespace_plan: true)
end
context 'when target namespace has a premium plan' do
it 'does not revoke PATs' do
subject.execute(premium_group)
expect { subject.execute(group) }.not_to change { revoked_tokens.count }
end
end
context 'when target namespace has a free plan' do
it 'revoke PATs' do
expect { subject.execute(free_group) }.to change { revoked_tokens.count }.from(0).to(1)
end
end
end
end
end end
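Review bot: In the 'when target namespace has a premium plan' example the transfer to `premium_group` happens outside the `expect` block and the assertion wraps a second `subject.execute(group)`, so the assertion never observes the premium transfer; the self-managed example has the same bare `subject.execute(group)` before the `expect`. Drop the bare calls and put the relevant target inside the block: `expect { subject.execute(premium_group) }.not_to change { revoked_tokens.count }` and `expect { subject.execute(group) }.not_to change { revoked_tokens.count }`. The example description `'revoke PATs'` should read `'revokes PATs'` to match the others.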