add impersonation token

3 files changed, 13 insertions, 14 deletions

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 211353ef2a9..4e8d2410496 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -706,6 +706,7 @@ module API
     end
 
     class PersonalAccessToken < BasicPersonalAccessToken
+      expose :impersonation
       expose :token
     end
   end
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 450d678061e..2b48da6ea99 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -367,6 +367,7 @@ module API
       params do
         requires :user_id, type: Integer
         optional :state, type: String, default: 'all', values: %w[all active inactive], desc: 'Filters (all|active|inactive) personal_access_tokens'
+        optional :impersonation, type: Boolean, default: false, desc: 'Filters only impersonation personal_access_token'
       end
       get ':user_id/personal_access_tokens' do
         authenticated_as_admin!
@@ -374,7 +375,8 @@ module API
         user = User.find_by(id: params[:user_id])
         not_found!('User') unless user
 
-        personal_access_tokens = user.personal_access_tokens
+        personal_access_tokens = PersonalAccessToken.and_impersonation_tokens.where(user_id: user.id)
+        personal_access_tokens = personal_access_tokens.impersonation if params[:impersonation]
 
         case params[:state]
         when "active"
@@ -392,6 +394,7 @@ module API
         requires :name, type: String, desc: 'The name of the personal access token'
         optional :expires_at, type: Date, desc: 'The expiration date in the format YEAR-MONTH-DAY of the personal access token'
         optional :scopes, type: Array, desc: 'The array of scopes of the personal access token'
+        optional :impersonation, type: Boolean, default: false, desc: 'The impersonation flag of the personal access token'
       end
       post ':user_id/personal_access_tokens' do
         authenticated_as_admin!
@@ -419,7 +422,7 @@ module API
         user = User.find_by(id: params[:user_id])
         not_found!('User') unless user
 
-        personal_access_token = PersonalAccessToken.find_by(id: params[:personal_access_token_id])
+        personal_access_token = PersonalAccessToken.and_impersonation_tokens.find_by(user_id: user.id, id: params[:personal_access_token_id])
         not_found!('PersonalAccessToken') unless personal_access_token
 
         personal_access_token.revoke!
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 89db6c3da46..e48462a4bd6 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -18,8 +18,8 @@ module Gitlab
           build_access_token_check(login, password) ||
           lfs_token_check(login, password) ||
           oauth_access_token_check(login, password) ||
-          personal_access_token_check(login, password) ||
           user_with_password_for_git(login, password) ||
+          personal_access_token_check(password) ||
           Gitlab::Auth::Result.new
 
         rate_limit!(ip, success: result.success?, login: login)
@@ -102,14 +102,13 @@ module Gitlab
         end
       end
 
-      def personal_access_token_check(login, password)
-        if login && password
-          token = PersonalAccessToken.active.find_by_token(password)
-          validation = User.by_login(login)
+      def personal_access_token_check(password)
+        return unless password.present?
 
-          if valid_personal_access_token?(token, validation)
-            Gitlab::Auth::Result.new(validation, nil, :personal_token, full_authentication_abilities)
-          end
+        token = PersonalAccessToken.and_impersonation_tokens.active.find_by_token(password)
+
+        if token && (valid_api_token?(token) || token.impersonation)
+          Gitlab::Auth::Result.new(token.user, nil, :personal_token, full_authentication_abilities)
         end
       end
 
@@ -117,10 +116,6 @@ module Gitlab
         token && token.accessible? && valid_api_token?(token)
       end
 
-      def valid_personal_access_token?(token, user)
-        token && token.user == user && valid_api_token?(token)
-      end
-
       def valid_api_token?(token)
         AccessTokenValidationService.new(token).include_any_scope?(['api'])
       end