Merge branch '46075-automatically-provide-deploy-token-when-autodevops-is-enabled' into 'master'

Resolve "Automatically provide a Deploy Token to projects when Auto DevOps is enabled"

Closes #46075

See merge request gitlab-org/gitlab-ce!19507

5 files changed, 133 insertions, 0 deletions

diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb
index ed6c1eddbc1..c6c990dfa00 100644
--- a/app/models/project_auto_devops.rb
+++ b/app/models/project_auto_devops.rb
@@ -6,6 +6,8 @@ class ProjectAutoDevops < ActiveRecord::Base
 
   validates :domain, allow_blank: true, hostname: { allow_numeric_hostname: true }
 
+  after_save :create_gitlab_deploy_token, if: :needs_to_create_deploy_token?
+
   def instance_domain
     Gitlab::CurrentSettings.auto_devops_domain
   end
@@ -22,4 +24,23 @@ class ProjectAutoDevops < ActiveRecord::Base
       end
     end
   end
+
+  private
+
+  def create_gitlab_deploy_token
+    project.deploy_tokens.create!(
+      name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME,
+      read_registry: true
+    )
+  end
+
+  def needs_to_create_deploy_token?
+    auto_devops_enabled? &&
+      !project.public? &&
+      !project.deploy_tokens.find_by(name: DeployToken::GITLAB_DEPLOY_TOKEN_NAME).present?
+  end
+
+  def auto_devops_enabled?
+    Gitlab::CurrentSettings.auto_devops_enabled? || enabled?
+  end
 end
diff --git a/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml b/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml
new file mode 100644
index 00000000000..6974be07716
--- /dev/null
+++ b/changelogs/unreleased/46075-automatically-provide-deploy-token-when-autodevops-is-enabled.yml
@@ -0,0 +1,5 @@
+---
+title: Automatize Deploy Token creation for Auto Devops
+merge_request: 19507
+author:
+type: added
diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md
index 4bcc7fc6512..e2edee42717 100644
--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -426,6 +426,15 @@ no longer be valid as soon as the deployment job finishes. This means that
 Kubernetes can run the application, but in case it should be restarted or
 executed somewhere else, it cannot be accessed again.
 
+> [Introduced][ce-19507] in GitLab 11.0.
+
+For internal and private projects a [GitLab Deploy Token](../../user/project/deploy_tokens/index.md###gitlab-deploy-token) 
+will be automatically created, when Auto DevOps is enabled and the Auto DevOps settings are saved. This Deploy Token
+can be used for permanent access to the registry.
+
+Note: **Note**
+When the GitLab Deploy Token has been manually revoked, it won't be automatically created.
+
 ### Auto Monitoring
 
 NOTE: **Note:**
@@ -809,3 +818,4 @@ curl --data "value=true" --header "PRIVATE-TOKEN: personal_access_token" https:/
 [Auto DevOps template]: https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml
 [GitLab Omnibus Helm Chart]: ../../install/kubernetes/gitlab_omnibus.md
 [ee]: https://about.gitlab.com/products/
+[ce-19507]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19507
diff --git a/spec/factories/project_auto_devops.rb b/spec/factories/project_auto_devops.rb
index 5ce1988c76f..0e8b507f9ce 100644
--- a/spec/factories/project_auto_devops.rb
+++ b/spec/factories/project_auto_devops.rb
@@ -3,5 +3,9 @@ FactoryBot.define do
     project
     enabled true
     domain "example.com"
+
+    trait :disabled do
+      enabled false
+    end
   end
 end
diff --git a/spec/models/project_auto_devops_spec.rb b/spec/models/project_auto_devops_spec.rb
index 7545c0797e9..4778bf4052b 100644
--- a/spec/models/project_auto_devops_spec.rb
+++ b/spec/models/project_auto_devops_spec.rb
@@ -71,4 +71,97 @@ describe ProjectAutoDevops do
       { key: 'AUTO_DEVOPS_DOMAIN', value: 'example.com', public: true }
     end
   end
+
+  describe '#set_gitlab_deploy_token' do
+    let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+    context 'when the project is public' do
+      let(:project) { create(:project, :repository, :public) }
+
+      it 'should not create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project is internal' do
+      let(:project) { create(:project, :repository, :internal) }
+
+      it 'should create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when the project is private' do
+      let(:project) { create(:project, :repository, :private) }
+
+      it 'should create a gitlab deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is enabled at project level' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should create a deploy token' do
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is enabled at instancel level' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) }
+
+      it 'should create a deploy token' do
+        allow(Gitlab::CurrentSettings).to receive(:auto_devops_enabled?).and_return(true)
+
+        expect do
+          auto_devops.save
+        end.to change { DeployToken.count }.by(1)
+      end
+    end
+
+    context 'when autodevops is disabled' do
+      let(:project) { create(:project, :repository, :internal) }
+      let(:auto_devops) { build(:project_auto_devops, :disabled, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project already has an active gitlab-deploy-token' do
+      let(:project) { create(:project, :repository, :internal) }
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, projects: [project]) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+
+    context 'when the project already has a revoked gitlab-deploy-token' do
+      let(:project) { create(:project, :repository, :internal) }
+      let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :expired, projects: [project]) }
+      let(:auto_devops) { build(:project_auto_devops, project: project) }
+
+      it 'should not create a deploy token' do
+        expect do
+          auto_devops.save
+        end.not_to change { DeployToken.count }
+      end
+    end
+  end
 end