Merge branch 'sfang-token-read-write-permissions' into 'master'

Create new policies for read, destroy, and create tokens See merge request gitlab-org/gitlab!56464

Merge branch 'sfang-token-read-write-permissions' into 'master'
Create new policies for read, destroy, and create tokens See merge request gitlab-org/gitlab!56464
8d8c1e2e · Alex Kalderimis · 2f2e69d3 · 22b99a52 · 8d8c1e2e · 8d8c1e2e
Commit 8d8c1e2e authored Mar 26, 2021 by Alex Kalderimis
23 changed files
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -268,7 +268,8 @@ class GroupsController < Groups::ApplicationController
      :subgroup_creation_level,
      :default_branch_protection,
      :default_branch_name,
-      :allow_mfa_for_subgroups
+      :allow_mfa_for_subgroups,
+      :resource_access_token_creation_allowed
    ]
  end

--- a/app/controllers/projects/settings/access_tokens_controller.rb
+++ b/app/controllers/projects/settings/access_tokens_controller.rb
@@ -6,7 +6,9 @@ module Projects
      include ProjectsHelper
      layout 'project_settings'
-      before_action :check_feature_availability
+      before_action -> { check_permission(:read_resource_access_tokens) }, only: [:index]
+      before_action -> { check_permission(:destroy_resource_access_tokens) }, only: [:revoke]
+      before_action -> { check_permission(:create_resource_access_tokens) }, only: [:create]
      feature_category :authentication_and_authorization
@@ -43,8 +45,8 @@ module Projects
      private
-      def check_feature_availability
+      def check_permission(action)
-        render_404 unless project_access_token_available?(@project)
+        render_404 unless can?(current_user, action, @project)
      end
      def create_params

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -809,10 +809,6 @@ module ProjectsHelper
      can?(current_user, :destroy_container_image, project)
  end
-  def project_access_token_available?(project)
-    can?(current_user, :admin_resource_access_tokens, project)
-  end
  def build_project_breadcrumb_link(project)
    project_name = simple_sanitize(project.name)

--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -119,6 +119,7 @@ class Group < Namespace
  end
  delegate :default_branch_name, to: :namespace_settings
+  delegate :resource_access_token_creation_allowed, :resource_access_token_creation_allowed=, :resource_access_token_creation_allowed?, to: :namespace_settings
  class << self
    def sort_by_attribute(method)

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -61,7 +61,8 @@ class GroupPolicy < BasePolicy
  end
  with_scope :subject
-  condition(:resource_access_token_available) { resource_access_token_available? }
+  condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+  condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
  with_scope :subject
  condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
@@ -213,8 +214,13 @@ class GroupPolicy < BasePolicy
  rule { developer & dependency_proxy_available }
    .enable :admin_dependency_proxy
-  rule { resource_access_token_available & can?(:admin_group) }.policy do
+  rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
-    enable :admin_resource_access_tokens
+    enable :read_resource_access_tokens
+    enable :destroy_resource_access_tokens
+  end
+  rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
+    enable :create_resource_access_tokens
  end
  rule { support_bot & has_project_with_service_desk_enabled }.policy do
@@ -242,9 +248,13 @@ class GroupPolicy < BasePolicy
    @subject
  end
-  def resource_access_token_available?
+  def resource_access_token_feature_available?
    true
  end
+  def resource_access_token_creation_allowed?
+    group.resource_access_token_creation_allowed?
+  end
 end
 GroupPolicy.prepend_if_ee('EE::GroupPolicy')
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
  condition(:service_desk_enabled) { @subject.service_desk_enabled? }
  with_scope :subject
-  condition(:resource_access_token_available) { resource_access_token_available? }
+  condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+  condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
  # We aren't checking `:read_issue` or `:read_merge_request` in this case
  # because it could be possible for a user to see an issuable-iid
@@ -632,11 +633,18 @@ class ProjectPolicy < BasePolicy
  rule { project_bot }.enable :project_bot_access
-  rule { resource_access_token_available & can?(:admin_project) }.policy do
+  rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
-    enable :admin_resource_access_tokens
+    enable :read_resource_access_tokens
+    enable :destroy_resource_access_tokens
  end
-  rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+  rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+    enable :create_resource_access_tokens
+  end
+  rule { can?(:project_bot_access) }.policy do
+    prevent :create_resource_access_tokens
+  end
  rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
    enable :set_pipeline_variables
@@ -720,10 +728,18 @@ class ProjectPolicy < BasePolicy
    end
  end
-  def resource_access_token_available?
+  def resource_access_token_feature_available?
    true
  end
+  def resource_access_token_creation_allowed?
+    group = project.group
+    return true unless group # always enable for projects in personal namespaces
+    group.resource_access_token_creation_allowed
+  end
  def project
    @subject
  end

--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -39,7 +39,7 @@ module ResourceAccessTokens
    attr_reader :resource_type, :resource
    def has_permission_to_create?
-      %w(project group).include?(resource_type) && can?(current_user, :admin_resource_access_tokens, resource)
+      %w(project group).include?(resource_type) && can?(current_user, :create_resource_access_tokens, resource)
    end
    def create_user

--- a/app/services/resource_access_tokens/revoke_service.rb
+++ b/app/services/resource_access_tokens/revoke_service.rb
@@ -14,7 +14,7 @@ module ResourceAccessTokens
    end
    def execute
-      return error("#{current_user.name} cannot delete #{bot_user.name}") unless can_destroy_bot_member?
+      return error("#{current_user.name} cannot delete #{bot_user.name}") unless can_destroy_token?
      return error("Failed to find bot user") unless find_member
      access_token.revoke!
@@ -37,14 +37,8 @@ module ResourceAccessTokens
      DeleteUserWorker.perform_async(current_user.id, bot_user.id, skip_authorization: true)
    end
-    def can_destroy_bot_member?
+    def can_destroy_token?
-      if resource.is_a?(Project)
+      %w(project group).include?(resource.class.name.downcase) && can?(current_user, :destroy_resource_access_tokens, resource)
-        can?(current_user, :admin_project_member, @resource)
-      elsif resource.is_a?(Group)
-        can?(current_user, :admin_group_member, @resource)
-      else
-        false
-      end
    end
    def find_member

--- a/app/views/layouts/nav/sidebar/_project.html.haml
+++ b/app/views/layouts/nav/sidebar/_project.html.haml
@@ -407,7 +407,7 @@
                = link_to project_hooks_path(@project), title: _('Webhooks'), data: { qa_selector: 'webhooks_settings_link' } do
                  %span
                    = _('Webhooks')
-              - if project_access_token_available?(@project)
+              - if can?(current_user, :read_resource_access_tokens, @project)
                = nav_link(controller: [:access_tokens]) do
                  = link_to project_settings_access_tokens_path(@project), title: _('Access Tokens'), data: { qa_selector: 'access_tokens_settings_link' } do
                    %span

--- a/app/views/projects/settings/access_tokens/index.html.haml
+++ b/app/views/projects/settings/access_tokens/index.html.haml
@@ -20,12 +20,13 @@
          type: type,
          new_token_value: @new_project_access_token
-    = render 'shared/access_tokens/form',
+    - if current_user.can?(:create_resource_access_tokens, @project)
-        type: type,
+      = render 'shared/access_tokens/form',
-        path: project_settings_access_tokens_path(@project),
+          type: type,
-        token: @project_access_token,
+          path: project_settings_access_tokens_path(@project),
-        scopes: @scopes,
+          token: @project_access_token,
-        prefix: :project_access_token
+          scopes: @scopes,
+          prefix: :project_access_token
    = render 'shared/access_tokens/table',
        active_tokens: @active_project_access_tokens,

--- a/changelogs/unreleased/sfang-token-read-write-permissions.yml
+++ b/changelogs/unreleased/sfang-token-read-write-permissions.yml
+---
+title: Create new policies for read, destroy, and create tokens
+merge_request: 56464
+author:
+type: changed
--- a/db/migrate/20210312193532_add_resource_access_token_creation_allowed_to_namespace_settings.rb
+++ b/db/migrate/20210312193532_add_resource_access_token_creation_allowed_to_namespace_settings.rb
+# frozen_string_literal: true
+class AddResourceAccessTokenCreationAllowedToNamespaceSettings < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  disable_ddl_transaction!
+  def up
+    with_lock_retries do
+      add_column :namespace_settings, :resource_access_token_creation_allowed, :boolean, default: true, null: false
+    end
+  end
+  def down
+    with_lock_retries do
+      remove_column :namespace_settings, :resource_access_token_creation_allowed
+    end
+  end
+end
--- a/db/schema_migrations/20210312193532
+++ b/db/schema_migrations/20210312193532
+93e92e8eca0765cb8e6e08ec90ce0143d9b31d13e4d61e1b9690dbaed5a1bb63
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -14681,6 +14681,7 @@ CREATE TABLE namespace_settings (
    default_branch_name text,
    repository_read_only boolean DEFAULT false NOT NULL,
    delayed_project_removal boolean DEFAULT false NOT NULL,
+    resource_access_token_creation_allowed boolean DEFAULT true NOT NULL,
    CONSTRAINT check_0ba93c78c7 CHECK ((char_length(default_branch_name) <= 255))
 );
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -391,12 +391,13 @@ module EE
    end
    # Available in Core for self-managed but only paid, non-trial for .com to prevent abuse
-    override :resource_access_token_available?
+    override :resource_access_token_feature_available?
-    def resource_access_token_available?
+    def resource_access_token_feature_available?
-      return true unless ::Gitlab.com?
+      value_from_super = super
-      ::Feature.enabled?(:resource_access_token_feature, group, default_enabled: true) &&
+      return value_from_super unless ::Gitlab.com?
-        group.feature_available_non_trial?(:resource_access_token)
+      value_from_super && group.feature_available_non_trial?(:resource_access_token)
    end
  end
 end
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -423,9 +423,11 @@ module EE
    end
    # Available in Core for self-managed but only paid, non-trial for .com to prevent abuse
-    override :resource_access_token_available?
+    override :resource_access_token_feature_available?
-    def resource_access_token_available?
+    def resource_access_token_feature_available?
-      return true unless ::Gitlab.com?
+      value_from_super = super
+      return value_from_super unless ::Gitlab.com?
      group = project.namespace

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1385,7 +1385,25 @@ RSpec.describe GroupPolicy do
          group.add_owner(owner)
        end
-        it { is_expected.to be_allowed(:admin_resource_access_tokens) }
+        context 'create resource access tokens' do
+          it { is_expected.to be_allowed(:create_resource_access_tokens) }
+          context 'when resource access token creation is not allowed' do
+            before do
+              group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+            end
+            it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+          end
+        end
+        context 'read resource access tokens' do
+          it { is_expected.to be_allowed(:read_resource_access_tokens) }
+        end
+        context 'destroy resource access tokens' do
+          it { is_expected.to be_allowed(:destroy_resource_access_tokens) }
+        end
      end
      context 'with developer' do
@@ -1395,7 +1413,17 @@ RSpec.describe GroupPolicy do
          group.add_developer(developer)
        end
-        it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+        context 'create resource access tokens' do
+          it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+        end
+        context 'read resource access tokens' do
+          it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
+        end
+        context 'destroy resource access tokens' do
+          it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
+        end
      end
    end
  end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1577,24 +1577,55 @@ RSpec.describe ProjectPolicy do
        allow(::Gitlab).to receive(:com?).and_return(true)
      end
-      context 'with maintainer' do
+      context 'with maintainer access' do
        let(:current_user) { maintainer }
        before do
          project.add_maintainer(maintainer)
        end
-        it { is_expected.to be_allowed(:admin_resource_access_tokens) }
+        context 'create resource access tokens' do
+          it { is_expected.to be_allowed(:create_resource_access_tokens) }
+          context 'when resource access token creation is not allowed' do
+            let(:group) { create(:group) }
+            let(:project) { create(:project, group: group) }
+            before do
+              group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+            end
+            it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+          end
+        end
+        context 'read resource access tokens' do
+          it { is_expected.to be_allowed(:read_resource_access_tokens) }
+        end
+        context 'destroy resource access tokens' do
+          it { is_expected.to be_allowed(:destroy_resource_access_tokens) }
+        end
      end
-      context 'with developer' do
+      context 'with developer access' do
        let(:current_user) { developer }
        before do
          project.add_developer(developer)
        end
-        it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+        context 'create resource access tokens' do
+          it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+        end
+        context 'read resource access tokens' do
+          it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
+        end
+        context 'destroy resource access tokens' do
+          it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
+        end
      end
    end
  end

--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
@@ -19,7 +19,7 @@ module API
        get ":id/access_tokens" do
          resource = find_source(source_type, params[:id])
-          next unauthorized! unless has_permission_to_read?(resource)
+          next unauthorized! unless current_user.can?(:read_resource_access_tokens, resource)
          tokens = PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).execute
@@ -85,10 +85,6 @@ module API
      def find_token(resource, token_id)
        PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).find_by_id(token_id)
      end
-      def has_permission_to_read?(resource)
-        can?(current_user, :project_bot_access, resource) || can?(current_user, :admin_resource_access_tokens, resource)
-      end
    end
  end
 end
--- a/spec/features/projects/settings/access_tokens_spec.rb
+++ b/spec/features/projects/settings/access_tokens_spec.rb
@@ -5,7 +5,8 @@ require 'spec_helper'
 RSpec.describe 'Project > Settings > Access Tokens', :js do
  let_it_be(:user) { create(:user) }
  let_it_be(:bot_user) { create(:user, :project_bot) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, group: group) }
  before_all do
    project.add_maintainer(user)
@@ -57,6 +58,18 @@ RSpec.describe 'Project > Settings > Access Tokens', :js do
      expect(active_project_access_tokens).to have_text('read_api')
      expect(created_project_access_token).not_to be_empty
    end
+    context 'when token creation is not allowed' do
+      before do
+        group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+      end
+      it 'does not show project access token creation form' do
+        visit project_settings_access_tokens_path(project)
+        expect(page).not_to have_selector('.new_project_access_token')
+      end
+    end
  end
  describe 'active tokens' do

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -511,7 +511,7 @@ RSpec.describe ProjectPolicy do
        project.add_maintainer(project_bot)
      end
-      it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens)}
    end
  end

--- a/spec/requests/api/resource_access_tokens_spec.rb
+++ b/spec/requests/api/resource_access_tokens_spec.rb
@@ -151,6 +151,23 @@ RSpec.describe API::ResourceAccessTokens do
          expect(User.exists?(project_bot.id)).to be_falsy
        end
+        context "when using project access token to DELETE other project access token" do
+          let_it_be(:other_project_bot) { create(:user, :project_bot) }
+          let_it_be(:other_token) { create(:personal_access_token, user: other_project_bot) }
+          let_it_be(:token_id) { other_token.id }
+          before do
+            project.add_maintainer(other_project_bot)
+          end
+          it "deletes the project access token from the project" do
+            delete_token
+            expect(response).to have_gitlab_http_status(:no_content)
+            expect(User.exists?(other_project_bot.id)).to be_falsy
+          end
+        end
        context "when attempting to delete a non-existent project access token" do
          let_it_be(:token_id) { non_existing_record_id }

--- a/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
+++ b/spec/support/shared_examples/policies/resource_access_token_shared_examples.rb
@@ -5,16 +5,47 @@ RSpec.shared_examples 'Self-managed Core resource access tokens' do
    allow(::Gitlab).to receive(:com?).and_return(false)
  end
-  context 'with owner' do
+  context 'with owner access' do
    let(:current_user) { owner }
-    it { is_expected.to be_allowed(:admin_resource_access_tokens) }
+    context 'create resource access tokens' do
+      it { is_expected.to be_allowed(:create_resource_access_tokens) }
+      context 'when resource access token creation is not allowed' do
+        let(:group) { create(:group) }
+        let(:project) { create(:project, group: group) }
+        before do
+          group.namespace_settings.update_column(:resource_access_token_creation_allowed, false)
+        end
+        it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+      end
+    end
+    context 'read resource access tokens' do
+      it { is_expected.to be_allowed(:read_resource_access_tokens) }
+    end
+    context 'destroy resource access tokens' do
+      it { is_expected.to be_allowed(:destroy_resource_access_tokens) }
+    end
  end
-  context 'with developer' do
+  context 'with developer access' do
    let(:current_user) { developer }
-    it { is_expected.not_to be_allowed(:admin_resource_access_tokens) }
+    context 'create resource access tokens' do
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+    end
+    context 'read resource access tokens' do
+      it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
+    end
+    context 'destroy resource access tokens' do
+      it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
+    end
  end
 end
@@ -24,9 +55,19 @@ RSpec.shared_examples 'GitLab.com Core resource access tokens' do
    stub_ee_application_setting(should_check_namespace_plan: true)
  end
-  context 'with owner' do
+  context 'with owner access' do
    let(:current_user) { owner }
-    it { is_expected.not_to be_allowed(:admin_resource_access_tokens) }
+    context 'create resource access tokens' do
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+    end
+    context 'read resource access tokens' do
+      it { is_expected.not_to be_allowed(:read_resource_access_tokens) }
+    end
+    context 'destroy resource access tokens' do
+      it { is_expected.not_to be_allowed(:destroy_resource_access_tokens) }
+    end
  end
 end