Prevent username overriding when creating a Deploy Token via the API

f2e6e7dc · ayoub mrini · ayoub mrini · 3006fcb9 · f2e6e7dc · f2e6e7dc
Commit f2e6e7dc authored Mar 27, 2020 by ayoub mrini Committed by ayoub mrini Apr 16, 2020
3 changed files
--- a/changelogs/unreleased/28175-fix-username-override.yml
+++ b/changelogs/unreleased/28175-fix-username-override.yml
+---
+title: Prevent overriding the username when creating a Deploy Token via the API
+merge_request: 28175
+author: Ayoub Mrini
+type: fixed
--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -8,7 +8,7 @@ module API
      def scope_params
        scopes = params.delete(:scopes)
-        result_hash = {}
+        result_hash = Hashie::Mash.new
        result_hash[:read_registry] = scopes.include?('read_registry')
        result_hash[:write_registry] = scopes.include?('write_registry')
        result_hash[:read_repository] = scopes.include?('read_repository')

--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -205,10 +205,11 @@ describe API::DeployTokens do
  context 'deploy token creation' do
    shared_examples 'creating a deploy token' do |entity, unauthenticated_response|
+      let(:expires_time) { 1.year.from_now }
      let(:params) do
        {
          name: 'Foo',
-          expires_at: 1.year.from_now,
+          expires_at: expires_time,
          scopes: [
            'read_repository'
          ],
@@ -240,6 +241,10 @@ describe API::DeployTokens do
          expect(response).to have_gitlab_http_status(:created)
          expect(response).to match_response_schema('public_api/v4/deploy_token')
+          expect(json_response['name']).to eq('Foo')
+          expect(json_response['scopes']).to eq(['read_repository'])
+          expect(json_response['username']).to eq('Bar')
+          expect(json_response['expires_at'].to_time.to_i).to eq(expires_time.to_i)
        end
        context 'with no optional params given' do