From 8315861c9a50675b4f4f4ca536f0da90f27994f3 Mon Sep 17 00:00:00 2001
From: Mayra Cabrera <mcabrera@gitlab.com>
Date: Thu, 5 Apr 2018 12:22:34 -0500
Subject: Include ProjectDeployTokens

Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs
---
 app/models/deploy_token.rb | 41 ++++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)

(limited to 'app/models/deploy_token.rb')

diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index c70d1457afb..6639cb17287 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -3,36 +3,51 @@ class DeployToken < ActiveRecord::Base
   include TokenAuthenticatable
   add_authentication_token_field :token
 
-  AVAILABLE_SCOPES = %w(read_repository read_registry).freeze
+  AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
 
-  serialize :scopes, Array # rubocop:disable Cop/ActiveRecordSerialize
-
-  validates :scopes, presence: true
-  validates :project, presence: true
-
-  belongs_to :project
+  has_many :project_deploy_tokens, inverse_of: :deploy_token
+  has_many :projects, through: :project_deploy_tokens
 
+  validate :ensure_at_least_one_scope
   before_save :ensure_token
 
+  accepts_nested_attributes_for :project_deploy_tokens
+
   scope :active, -> { where("revoked = false AND (expires_at >= NOW() OR expires_at IS NULL)") }
+  scope :read_repository, -> { where(read_repository: true) }
+  scope :read_registry, -> { where(read_registry: true) }
 
-  def revoke!
-    update!(revoked: true)
+  def self.redis_shared_state_key(user_id)
+    "gitlab:deploy_token:user_#{user_id}"
   end
 
-  def redis_shared_state_key(user_id)
-    "gitlab:deploy_token:#{project_id}:#{user_id}"
+  def revoke!
+    update!(revoked: true)
   end
 
   def active?
     !revoked
   end
 
+  def scopes
+    AVAILABLE_SCOPES.select { |token_scope| send("#{token_scope}") }  # rubocop:disable GitlabSecurity/PublicSend
+  end
+
   def username
     "gitlab+deploy-token-#{id}"
   end
 
-  def has_access_to?(project)
-    self.project == project
+  def has_access_to?(requested_project)
+    self.projects.first == requested_project
+  end
+
+  def project
+    projects.first
+  end
+
+  private
+
+  def ensure_at_least_one_scope
+    errors.add(:base, "Scopes can't be blank") unless read_repository || read_registry
   end
 end
-- 
cgit v1.2.1