authorMayra Cabrera <mcabrera@gitlab.com>2018-04-05 12:22:34 -0500
committerMayra Cabrera <mcabrera@gitlab.com>2018-04-06 21:20:16 -0500
commit8315861c9a50675b4f4f4ca536f0da90f27994f3 (patch)
treeb5f25e5dbd74621ef77d480ba69f4f21d5c00d7d /app
parent72220a99d1cdbcf8a914f9e765c43e63eaee2548 (diff)
downloadgitlab-ce-8315861c9a50675b4f4f4ca536f0da90f27994f3.tar.gz
Include ProjectDeployTokens
Also: - Changes scopes from serializer to use boolean columns - Fixes broken specs
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/deploy_tokens_controller.rb2
-rw-r--r--app/controllers/projects/settings/repository_controller.rb2
-rw-r--r--app/models/deploy_token.rb41
-rw-r--r--app/models/project.rb3
-rw-r--r--app/models/project_deploy_token.rb14
-rw-r--r--app/presenters/projects/settings/deploy_tokens_presenter.rb17
-rw-r--r--app/services/auth/container_registry_authentication_service.rb4
-rw-r--r--app/services/deploy_tokens/create_service.rb6
-rw-r--r--app/views/projects/deploy_tokens/_form.html.haml11
-rw-r--r--app/views/projects/deploy_tokens/_scope_form.html.haml4
10 files changed, 60 insertions, 44 deletions
diff --git a/app/controllers/projects/deploy_tokens_controller.rb b/app/controllers/projects/deploy_tokens_controller.rb
index a7d9590ba19..e3a2e5697b5 100644
--- a/app/controllers/projects/deploy_tokens_controller.rb
+++ b/app/controllers/projects/deploy_tokens_controller.rb
@@ -21,6 +21,6 @@ class Projects::DeployTokensController < Projects::ApplicationController
private
def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, scopes: [])
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry)
end
end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index ab6d8b3b10c..b6b8963948c 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -56,7 +56,7 @@ module Projects
def define_deploy_token
attributes = @deploy_tokens.attributes_deploy_token
- @deploy_token = @project.deploy_tokens.build(attributes)
+ @deploy_token = DeployToken.new(attributes)
@deploy_token.valid? unless attributes.empty?
end
end
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index c70d1457afb..6639cb17287 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -3,36 +3,51 @@ class DeployToken < ActiveRecord::Base
include TokenAuthenticatable
add_authentication_token_field :token
- AVAILABLE_SCOPES = %w(read_repository read_registry).freeze
+ AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
- serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize
-
- validates :scopes, presence: true
- validates :project, presence: true
-
- belongs_to :project
+ has_many :project_deploy_tokens, inverse_of: :deploy_token
+ has_many :projects, through: :project_deploy_tokens
+ validate :ensure_at_least_one_scope
before_save :ensure_token
+ accepts_nested_attributes_for :project_deploy_tokens
+
scope :active, -> { where("revoked = false AND (expires_at >= NOW() OR expires_at IS NULL)") }
+ scope :read_repository, -> { where(read_repository: true) }
+ scope :read_registry, -> { where(read_registry: true) }
- def revoke!
- update!(revoked: true)
+ def self.redis_shared_state_key(user_id)
+ "gitlab:deploy_token:user_#{user_id}"
end
- def redis_shared_state_key(user_id)
- "gitlab:deploy_token:#{project_id}:#{user_id}"
+ def revoke!
+ update!(revoked: true)
end
def active?
!revoked
end
+ def scopes
+ AVAILABLE_SCOPES.select { |token_scope| send("#{token_scope}") } # rubocop:disable GitlabSecurity/PublicSend
+ end
+
def username
"gitlab+deploy-token-#{id}"
end
- def has_access_to?(project)
- self.project == project
+ def has_access_to?(requested_project)
+ self.projects.first == requested_project
+ end
+
+ def project
+ projects.first
+ end
+
+ private
+
+ def ensure_at_least_one_scope
+ errors.add(:base, "Scopes can't be blank") unless read_repository || read_registry
end
end
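Review bot: `has_access_to?` compares the requested project with `projects.first` only, although this commit makes the relation many-to-many through `project_deploy_tokens`, so a token linked to several projects would be accepted for just one of them. With `validates :project, presence: true` removed, nothing in the visible model stops a token from having no project, and in that case `projects.first` is nil and `has_access_to?(nil)` would return true. I would write the check as `requested_project.present? && projects.include?(requested_project)` and add a comment on `project` saying it returns only the first linked project. In `scopes`, `AVAILABLE_SCOPES.select { |token_scope| self[token_scope] }` reads the boolean columns without `send`, which would probably make the rubocop disable unnecessary. The class opens above this hunk.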
diff --git a/app/models/project.rb b/app/models/project.rb
index 3cfb163abf4..3f805dd1fc9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -222,7 +222,8 @@ class Project < ActiveRecord::Base
has_many :environments
has_many :deployments
has_many :pipeline_schedules, class_name: 'Ci::PipelineSchedule'
- has_many :deploy_tokens
+ has_many :project_deploy_tokens
+ has_many :deploy_tokens, through: :project_deploy_tokens
has_many :active_runners, -> { active }, through: :runner_projects, source: :runner, class_name: 'Ci::Runner'
diff --git a/app/models/project_deploy_token.rb b/app/models/project_deploy_token.rb
new file mode 100644
index 00000000000..2831b01e378
--- /dev/null
+++ b/app/models/project_deploy_token.rb
@@ -0,0 +1,14 @@
+class ProjectDeployToken < ActiveRecord::Base
+ belongs_to :project
+ belongs_to :deploy_token, inverse_of: :project_deploy_tokens
+
+ validates :deploy_token, presence: true
+ validates :project, presence: true
+ validates :deploy_token_id, uniqueness: { scope: [:project_id] }
+
+ accepts_nested_attributes_for :deploy_token
+
+ def redis_shared_state_key(user_id)
+ "gitlab:deploy_token:#{project_id}:#{user_id}"
+ end
+end
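Review bot: The `uniqueness` validation on `deploy_token_id` scoped to `project_id` is enforced in the application only, so two concurrent requests can still insert the same pair. The migration is outside this view (the diff is limited to `app`), so confirm it adds a unique index on `(project_id, deploy_token_id)`. `redis_shared_state_key` here repeats the key format that was removed from `DeployToken` and has no caller in the visible hunks; if it is kept on purpose, a short comment naming its intended caller would help, otherwise it can be dropped.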
diff --git a/app/presenters/projects/settings/deploy_tokens_presenter.rb b/app/presenters/projects/settings/deploy_tokens_presenter.rb
index 26bb42e9e7e..f052324a219 100644
--- a/app/presenters/projects/settings/deploy_tokens_presenter.rb
+++ b/app/presenters/projects/settings/deploy_tokens_presenter.rb
@@ -5,18 +5,10 @@ module Projects
presents :deploy_tokens
- def available_scopes
- DeployToken::AVAILABLE_SCOPES
- end
-
def length
deploy_tokens.length
end
- def scope_description(scope)
- scope_descriptions[scope]
- end
-
def each
deploy_tokens.each do |deploy_token|
yield deploy_token
@@ -42,15 +34,8 @@ module Projects
private
- def scope_descriptions
- {
- 'read_repository' => s_('DeployTokens|Allows read-only access to the repository'),
- 'read_registry' => s_('DeployTokens|Allows read-only access to the registry images')
- }
- end
-
def deploy_token_key
- @deploy_token_key ||= project.deploy_tokens.new.redis_shared_state_key(current_user.id)
+ @deploy_token_key ||= DeployToken.redis_shared_state_key(current_user.id)
end
end
end
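Review bot: `deploy_token_key` now reads `DeployToken.redis_shared_state_key(current_user.id)`, and the key that method builds (`"gitlab:deploy_token:user_#{user_id}"` in app/models/deploy_token.rb) no longer contains the project id; the write in `store_deploy_token_info_in_redis` (app/services/deploy_tokens/create_service.rb) uses the same key. As far as the visible code shows, a token created in one project could therefore be read from this key on another project's settings page until the entry expires, and two creations by the same user would overwrite each other. Keeping the project in the key, as `"gitlab:deploy_token:#{project_id}:#{user_id}"` in `ProjectDeployToken#redis_shared_state_key` still does, would tie the stored secret to the project it was created for. The presenter module and class open above this hunk.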
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 2ac35f5bd64..bb3ab856467 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -145,7 +145,7 @@ module Auth
has_authentication_ability?(:read_container_image) &&
can_user?(:read_container_image, requested_project)
end
-
+
def deploy_token_can_pull?(requested_project)
has_authentication_ability?(:read_container_image) &&
current_user.is_a?(DeployToken) &&
@@ -165,7 +165,7 @@ module Auth
def user_can_push?(requested_project)
has_authentication_ability?(:create_container_image) &&
- can_user?(current_user, :create_container_image, requested_project)
+ can_user?(:create_container_image, requested_project)
end
def error(code, status:, message: '')
diff --git a/app/services/deploy_tokens/create_service.rb b/app/services/deploy_tokens/create_service.rb
index 0332bb54167..0555d62540c 100644
--- a/app/services/deploy_tokens/create_service.rb
+++ b/app/services/deploy_tokens/create_service.rb
@@ -1,7 +1,5 @@
module DeployTokens
class CreateService < BaseService
- REDIS_EXPIRY_TIME = 3.minutes
-
def execute
@project.deploy_tokens.build.tap do |deploy_token|
deploy_token.attributes = params
@@ -13,7 +11,7 @@ module DeployTokens
private
def store_deploy_token_info_in_redis(deploy_token)
- deploy_token_key = deploy_token.redis_shared_state_key(current_user.id)
+ deploy_token_key = DeployToken.redis_shared_state_key(current_user.id)
if deploy_token.persisted?
store_in_redis(deploy_token_key, deploy_token.token)
@@ -31,7 +29,7 @@ module DeployTokens
def store_in_redis(key, value)
Gitlab::Redis::SharedState.with do |redis|
- redis.set(key, value, ex: REDIS_EXPIRY_TIME)
+ redis.set(key, value, ex: 3.minutes)
end
end
end
diff --git a/app/views/projects/deploy_tokens/_form.html.haml b/app/views/projects/deploy_tokens/_form.html.haml
index 001afcf1944..3e83a2aae46 100644
--- a/app/views/projects/deploy_tokens/_form.html.haml
+++ b/app/views/projects/deploy_tokens/_form.html.haml
@@ -14,8 +14,15 @@
.form-group
= f.label :scopes, class: 'label-light'
- - presenter.available_scopes.each do |scope|
- = render 'projects/deploy_tokens/scope_form', token: token, scope: scope, presenter: presenter
+ %fieldset
+ = f.check_box :read_repository
+ = label_tag ("deploy_token_read_repository"), 'read_repository'
+ %span= s_('DeployTokens|Allows read-only access to the repository')
+
+ %fieldset
+ = f.check_box :read_registry
+ = label_tag ("deploy_token_read_registry"), 'read_registry'
+ %span= s_('DeployTokens|Allows read-only access to the registry images')
.prepend-top-default
= f.submit s_('DeployTokens|Create deploy token'), class: 'btn btn-success'
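Review bot: The two new labels, `label_tag ("deploy_token_read_repository"), 'read_repository'` and its `read_registry` twin, hard-code the element id that `f.check_box` generates and leave a space before the parenthesis. `= f.label :read_repository, 'read_repository'` (and the same for `:read_registry`) takes the id from the form builder, so label and checkbox cannot drift apart. The unchanged `= f.label :scopes` above them now probably points at a field that no longer exists, since the `scopes` inputs are removed; a plain heading or a `%legend` would fit better. The form block that defines `f` starts above the hunk.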
diff --git a/app/views/projects/deploy_tokens/_scope_form.html.haml b/app/views/projects/deploy_tokens/_scope_form.html.haml
deleted file mode 100644
index f67701c8ee1..00000000000
--- a/app/views/projects/deploy_tokens/_scope_form.html.haml
+++ /dev/null
@@ -1,4 +0,0 @@
-%fieldset
- = check_box_tag "deploy_token[scopes][]", scope, token.scopes.include?(scope), id: "deploy_token_scopes_#{scope}"
- = label_tag ("deploy_token_scopes_#{scope}"), scope
- %span= presenter.scope_description(scope)