Add API for actions for InstanceVariables

Adds CRUD actions API for managing instance level CI/CD variables

lib/api/admin/ci/variables.rb

+# frozen_string_literal: true
+
+module API
+  module Admin
+    module Ci
+      class Variables < Grape::API
+        include PaginationParams
+
+        before { authenticated_as_admin! }
+
+        namespace 'admin' do
+          namespace 'ci' do
+            namespace 'variables' do
+              desc 'Get instance-level variables' do
+                success Entities::Variable
+              end
+              params do
+                use :pagination
+              end
+              get '/' do
+                variables = ::Ci::InstanceVariable.all
+
+                present paginate(variables), with: Entities::Variable
+              end
+
+              desc 'Get a specific variable from a group' do
+                success Entities::Variable
+              end
+              params do
+                requires :key, type: String, desc: 'The key of the variable'
+              end
+              get ':key' do
+                key = params[:key]
+                variable = ::Ci::InstanceVariable.find_by_key(key)
+
+                break not_found!('InstanceVariable') unless variable
+
+                present variable, with: Entities::Variable
+              end
+
+              desc 'Create a new instance-level variable' do
+                success Entities::Variable
+              end
+              params do
+                requires :key,
+                  type: String,
+                  desc: 'The key of the variable'
+
+                requires :value,
+                  type: String,
+                  desc: 'The value of the variable'
+
+                optional :protected,
+                  type: String,
+                  desc: 'Whether the variable is protected'
+
+                optional :masked,
+                  type: String,
+                  desc: 'Whether the variable is masked'
+
+                optional :variable_type,
+                  type: String,
+                  values: ::Ci::InstanceVariable.variable_types.keys,
+                  desc: 'The type of variable, must be one of env_var or file. Defaults to env_var'
+              end
+              post '/' do
+                variable_params = declared_params(include_missing: false)
+
+                variable = ::Ci::InstanceVariable.new(variable_params)
+
+                if variable.save
+                  present variable, with: Entities::Variable
+                else
+                  render_validation_error!(variable)
+                end
+              end
+
+              desc 'Update an existing instance-variable' do
+                success Entities::Variable
+              end
+              params do
+                optional :key,
+                  type: String,
+                  desc: 'The key of the variable'
+
+                optional :value,
+                  type: String,
+                  desc: 'The value of the variable'
+
+                optional :protected,
+                  type: String,
+                  desc: 'Whether the variable is protected'
+
+                optional :masked,
+                  type: String,
+                  desc: 'Whether the variable is masked'
+
+                optional :variable_type,
+                  type: String,
+                  values: ::Ci::InstanceVariable.variable_types.keys,
+                  desc: 'The type of variable, must be one of env_var or file'
+              end
+              put ':key' do
+                variable = ::Ci::InstanceVariable.find_by_key(params[:key])
+
+                break not_found!('InstanceVariable') unless variable
+
+                variable_params = declared_params(include_missing: false).except(:key)
+
+                if variable.update(variable_params)
+                  present variable, with: Entities::Variable
+                else
+                  render_validation_error!(variable)
+                end
+              end
+
+              desc 'Delete an existing instance-level variable' do
+                success Entities::Variable
+              end
+              params do
+                requires :key, type: String, desc: 'The key of the variable'
+              end
+              delete ':key' do
+                variable = ::Ci::InstanceVariable.find_by_key(params[:key])
+                not_found!('InstanceVariable') unless variable
+
+                variable.destroy
+
+                no_content!
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/api/api.rb

@@ -120,6 +120,7 @@ module API
 
       # Keep in alphabetical order
       mount ::API::AccessRequests
+      mount ::API::Admin::Ci::Variables
       mount ::API::Admin::Sidekiq
       mount ::API::Appearance
       mount ::API::Applications

spec/requests/api/admin/ci/variables_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ::API::Admin::Ci::Variables do
+  let_it_be(:admin) { create(:admin) }
+  let_it_be(:user) { create(:user) }
+
+  describe 'GET /admin/ci/variables' do
+    let!(:variable) { create(:ci_instance_variable) }
+
+    it 'returns instance-level variables for admins', :aggregate_failures do
+      get api('/admin/ci/variables', admin)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to be_a(Array)
+    end
+
+    it 'does not return instance-level variables for regular users' do
+      get api('/admin/ci/variables', user)
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
+    it 'does not return instance-level variables for unauthorized users' do
+      get api('/admin/ci/variables')
+
+      expect(response).to have_gitlab_http_status(:unauthorized)
+    end
+  end
+
+  describe 'GET /admin/ci/variables/:key' do
+    let!(:variable) { create(:ci_instance_variable) }
+
+    it 'returns instance-level variable details for admins', :aggregate_failures do
+      get api("/admin/ci/variables/#{variable.key}", admin)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['value']).to eq(variable.value)
+      expect(json_response['protected']).to eq(variable.protected?)
+      expect(json_response['variable_type']).to eq(variable.variable_type)
+    end
+
+    it 'responds with 404 Not Found if requesting non-existing variable' do
+      get api('/admin/ci/variables/non_existing_variable', admin)
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+
+    it 'does not return instance-level variable details for regular users' do
+      get api("/admin/ci/variables/#{variable.key}", user)
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+
+    it 'does not return instance-level variable details for unauthorized users' do
+      get api("/admin/ci/variables/#{variable.key}")
+
+      expect(response).to have_gitlab_http_status(:unauthorized)
+    end
+  end
+
+  describe 'POST /admin/ci/variables' do
+    context 'authorized user with proper permissions' do
+      let!(:variable) { create(:ci_instance_variable) }
+
+      it 'creates variable for admins', :aggregate_failures do
+        expect do
+          post api('/admin/ci/variables', admin),
+            params: {
+              key: 'TEST_VARIABLE_2',
+              value: 'PROTECTED_VALUE_2',
+              protected: true,
+              masked: true
+            }
+        end.to change { ::Ci::InstanceVariable.count }.by(1)
+
+        expect(response).to have_gitlab_http_status(:created)
+        expect(json_response['key']).to eq('TEST_VARIABLE_2')
+        expect(json_response['value']).to eq('PROTECTED_VALUE_2')
+        expect(json_response['protected']).to be_truthy
+        expect(json_response['masked']).to be_truthy
+        expect(json_response['variable_type']).to eq('env_var')
+      end
+
+      it 'creates variable with optional attributes', :aggregate_failures do
+        expect do
+          post api('/admin/ci/variables', admin),
+            params: {
+              variable_type: 'file',
+              key: 'TEST_VARIABLE_2',
+              value: 'VALUE_2'
+            }
+        end.to change { ::Ci::InstanceVariable.count }.by(1)
+
+        expect(response).to have_gitlab_http_status(:created)
+        expect(json_response['key']).to eq('TEST_VARIABLE_2')
+        expect(json_response['value']).to eq('VALUE_2')
+        expect(json_response['protected']).to be_falsey
+        expect(json_response['masked']).to be_falsey
+        expect(json_response['variable_type']).to eq('file')
+      end
+
+      it 'does not allow to duplicate variable key' do
+        expect do
+          post api('/admin/ci/variables', admin),
+            params: { key: variable.key, value: 'VALUE_2' }
+        end.not_to change { ::Ci::InstanceVariable.count }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not create variable' do
+        post api('/admin/ci/variables', user)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not create variable' do
+        post api('/admin/ci/variables')
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'PUT /admin/ci/variables/:key' do
+    let!(:variable) { create(:ci_instance_variable) }
+
+    context 'authorized user with proper permissions' do
+      it 'updates variable data', :aggregate_failures do
+        put api("/admin/ci/variables/#{variable.key}", admin),
+          params: {
+            variable_type: 'file',
+            value: 'VALUE_1_UP',
+            protected: true,
+            masked: true
+          }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(variable.reload.value).to eq('VALUE_1_UP')
+        expect(variable.reload).to be_protected
+        expect(json_response['variable_type']).to eq('file')
+        expect(json_response['masked']).to be_truthy
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing variable' do
+        put api('/admin/ci/variables/non_existing_variable', admin)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not update variable' do
+        put api("/admin/ci/variables/#{variable.key}", user)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not update variable' do
+        put api("/admin/ci/variables/#{variable.key}")
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe 'DELETE /admin/ci/variables/:key' do
+    let!(:variable) { create(:ci_instance_variable) }
+
+    context 'authorized user with proper permissions' do
+      it 'deletes variable' do
+        expect do
+          delete api("/admin/ci/variables/#{variable.key}", admin)
+
+          expect(response).to have_gitlab_http_status(:no_content)
+        end.to change { ::Ci::InstanceVariable.count }.by(-1)
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing variable' do
+        delete api('/admin/ci/variables/non_existing_variable', admin)
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not delete variable' do
+        delete api("/admin/ci/variables/#{variable.key}", user)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not delete variable' do
+        delete api("/admin/ci/variables/#{variable.key}")
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
+  end
+end