feat: add support for groups_allowlist in job_token_scope

TimKnight-DWP · TimKnight-DWP · commit a815a6f3cee0 · 2024-03-28T10:34:45.000Z
Signed-off-by: Tim Knight &lt;tim.knight1@engineering.digital.dwp.gov.uk&gt;
diff --git a/docs/gl_objects/job_token_scope.rst b/docs/gl_objects/job_token_scope.rst
@@ -69,3 +69,24 @@ Remove a project from the project's inbound allowlist::
    Similar to above, the ID attributes you receive from the create and list
    APIs are not consistent. To safely retrieve the ID of the allowlisted project
    regardless of how the object was created, always use its ``.get_id()`` method.
+
+Get a project's CI/CD job token inbound groups allowlist::
+
+    allowlist = scope.groups_allowlist.list()
+
+Add a project to the project's inbound groups allowlist::
+
+    allowed_project = scope.groups_allowlist.create({"target_project_id": 42})
+
+Remove a project from the project's inbound agroups llowlist::
+
+    allowed_project.delete()
+    # or directly using a Group ID
+    scope.groups_allowlist.delete(42)
+
+.. warning::
+
+   Similar to above, the ID attributes you receive from the create and list
+   APIs are not consistent. To safely retrieve the ID of the allowlisted group
+   regardless of how the object was created, always use its ``.get_id()`` method.
+
diff --git a/gitlab/v4/objects/job_token_scope.py b/gitlab/v4/objects/job_token_scope.py
@@ -24,6 +24,7 @@ class ProjectJobTokenScope(RefreshMixin, SaveMixin, RESTObject):
     _id_attr = None
 
     allowlist: "AllowlistedProjectManager"
+    groups_allowlist: "AllowlistedGroupManager"
 
 
 class ProjectJobTokenScopeManager(GetWithoutIdMixin, UpdateMixin, RESTManager):
@@ -54,3 +55,23 @@ class AllowlistedProjectManager(ListMixin, CreateMixin, DeleteMixin, RESTManager
     _obj_cls = AllowlistedProject
     _from_parent_attrs = {"project_id": "project_id"}
     _create_attrs = RequiredOptional(required=("target_project_id",))
+
+
+class AllowlistedGroup(ObjectDeleteMixin, RESTObject):
+    _id_attr = "target_group_id"  # note: only true for create endpoint
+
+    def get_id(self) -> int:
+        """Returns the id of the resource. This override deals with
+        the fact that either an `id` or a `target_project_id` attribute
+        is returned by the server depending on the endpoint called."""
+        try:
+            return cast(int, getattr(self, self._id_attr))
+        except AttributeError:
+            return cast(int, getattr(self, "id"))
+
+
+class AllowlistedGroupManager(ListMixin, CreateMixin, DeleteMixin, RESTManager):
+    _path = "/projects/{project_id}/job_token_scope/groups_allowlist"
+    _obj_cls = AllowlistedProject
+    _from_parent_attrs = {"project_id": "project_id"}
+    _create_attrs = RequiredOptional(required=("target_group_id",))
diff --git a/tests/functional/api/test_project_job_token_scope.py b/tests/functional/api/test_project_job_token_scope.py
@@ -1,3 +1,26 @@
+# https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html#allow-any-project-to-access-your-project
+def test_enable_limit_access_to_this_project(gl, project):
+    scope = project.job_token_scope.get()
+
+    scope.enabled = True
+    scope.save()
+
+    scope.refresh()
+
+    assert scope.inbound_enabled
+
+
+def test_disable_limit_access_to_this_project(gl, project):
+    scope = project.job_token_scope.get()
+
+    scope.enabled = False
+    scope.save()
+
+    scope.refresh()
+
+    assert not scope.inbound_enabled
+
+
 def test_add_project_to_job_token_scope_allowlist(gl, project):
     project_to_add = gl.projects.create({"name": "Ci_Cd_token_add_proj"})
 
@@ -12,8 +35,6 @@ def test_add_project_to_job_token_scope_allowlist(gl, project):
 
 def test_projects_job_token_scope_allowlist_contains_added_project_name(gl, project):
     scope = project.job_token_scope.get()
-    assert len(scope.allowlist.list()) == 0
-
     project_name = "Ci_Cd_token_named_proj"
     project_to_add = gl.projects.create({"name": project_name})
     scope.allowlist.create({"target_project_id": project_to_add.id})
@@ -26,18 +47,70 @@ def test_projects_job_token_scope_allowlist_contains_added_project_name(gl, proj
 
 def test_remove_project_by_id_from_projects_job_token_scope_allowlist(gl, project):
     scope = project.job_token_scope.get()
-    assert len(scope.allowlist.list()) == 0
 
     project_to_add = gl.projects.create({"name": "Ci_Cd_token_remove_proj"})
 
     scope.allowlist.create({"target_project_id": project_to_add.id})
 
     scope.refresh()
-    assert len(scope.allowlist.list()) != 0
 
-    scope.allowlist.remove(project_to_add.id)
+    scope.allowlist.delete(project_to_add.id)
 
     scope.refresh()
-    assert len(scope.allowlist.list()) == 0
+    assert not any(
+        allowed.id == project_to_add.id for allowed in scope.allowlist.list()
+    )
 
     project_to_add.delete()
+
+
+def test_add_group_to_job_token_scope_allowlist(gl, project):
+    group_to_add = gl.groups.create(
+        {"name": "add_group", "path": "allowlisted-add-test"}
+    )
+
+    scope = project.job_token_scope.get()
+    resp = scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    assert resp.source_project_id == project.id
+    assert resp.target_group_id == group_to_add.id
+
+    group_to_add.delete()
+
+
+def test_projects_job_token_scope_groups_allowlist_contains_added_group_name(
+    gl, project
+):
+    scope = project.job_token_scope.get()
+    group_name = "list_group"
+    group_to_add = gl.groups.create(
+        {"name": group_name, "path": "allowlisted-add-and-list-test"}
+    )
+
+    scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    scope.refresh()
+    assert any(allowed.name == group_name for allowed in scope.groups_allowlist.list())
+
+    group_to_add.delete()
+
+
+def test_remove_group_by_id_from_projects_job_token_scope_groups_allowlist(gl, project):
+    scope = project.job_token_scope.get()
+
+    group_to_add = gl.groups.create(
+        {"name": "delete_group", "path": "allowlisted-delete-test"}
+    )
+
+    scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    scope.refresh()
+
+    scope.groups_allowlist.delete(group_to_add.id)
+
+    scope.refresh()
+    assert not any(
+        allowed.name == group_to_add.name for allowed in scope.groups_allowlist.list()
+    )
+
+    group_to_add.delete()
diff --git a/tests/functional/fixtures/.env b/tests/functional/fixtures/.env
@@ -1,2 +1,2 @@
 GITLAB_IMAGE=gitlab/gitlab-ee
-GITLAB_TAG=16.9.1-ee.0
+GITLAB_TAG=16.10.1-ee.0
diff --git a/tests/unit/objects/test_job_token_scope.py b/tests/unit/objects/test_job_token_scope.py
@@ -6,12 +6,55 @@
 import responses
 
 from gitlab.v4.objects import ProjectJobTokenScope
+from gitlab.v4.objects.job_token_scope import (
+    AllowlistedGroupManager,
+    AllowlistedProjectManager,
+)
 
 job_token_scope_content = {
     "inbound_enabled": True,
     "outbound_enabled": False,
 }
 
+project_allowlist_content = [
+    {
+        "id": 4,
+        "description": "",
+        "name": "Diaspora Client",
+        "name_with_namespace": "Diaspora / Diaspora Client",
+        "path": "diaspora-client",
+        "path_with_namespace": "diaspora/diaspora-client",
+        "created_at": "2013-09-30T13:46:02Z",
+        "default_branch": "main",
+        "tag_list": ["example", "disapora client"],
+        "topics": ["example", "disapora client"],
+        "ssh_url_to_repo": "git@gitlab.example.com:diaspora/diaspora-client.git",
+        "http_url_to_repo": "https://gitlab.example.com/diaspora/diaspora-client.git",
+        "web_url": "https://gitlab.example.com/diaspora/diaspora-client",
+        "avatar_url": "https://gitlab.example.com/uploads/project/avatar/4/uploads/avatar.png",
+        "star_count": 0,
+        "last_activity_at": "2013-09-30T13:46:02Z",
+        "namespace": {
+            "id": 2,
+            "name": "Diaspora",
+            "path": "diaspora",
+            "kind": "group",
+            "full_path": "diaspora",
+            "parent_id": "",
+            "avatar_url": "",
+            "web_url": "https://gitlab.example.com/diaspora",
+        },
+    }
+]
+
+groups_allowlist_content = [
+    {
+        "id": 4,
+        "web_url": "https://gitlab.example.com/groups/diaspora/diaspora-group",
+        "name": "namegroup",
+    }
+]
+
 
 @pytest.fixture
 def resp_get_job_token_scope():
@@ -26,6 +69,32 @@ def resp_get_job_token_scope():
         yield rsps
 
 
+@pytest.fixture
+def resp_get_allowlist():
+    with responses.RequestsMock(assert_all_requests_are_fired=False) as rsps:
+        rsps.add(
+            method=responses.GET,
+            url="http://localhost/api/v4/projects/1/job_token_scope/allowlist",
+            json=project_allowlist_content,
+            content_type="application/json",
+            status=200,
+        )
+        yield rsps
+
+
+@pytest.fixture
+def resp_get_groups_allowlist():
+    with responses.RequestsMock(assert_all_requests_are_fired=False) as rsps:
+        rsps.add(
+            method=responses.GET,
+            url="http://localhost/api/v4/projects/1/job_token_scope/groups_allowlist",
+            json=groups_allowlist_content,
+            content_type="application/json",
+            status=200,
+        )
+        yield rsps
+
+
 @pytest.fixture
 def resp_patch_job_token_scope():
     with responses.RequestsMock(assert_all_requests_are_fired=False) as rsps:
@@ -61,3 +130,19 @@ def test_save_job_token_scope(job_token_scope, resp_patch_job_token_scope):
 
 def test_update_job_token_scope(project, resp_patch_job_token_scope):
     project.job_token_scope.update(new_data={"enabled": False})
+
+
+def test_get_projects_allowlist(job_token_scope, resp_get_allowlist):
+    allowlist = job_token_scope.allowlist
+    assert isinstance(allowlist, AllowlistedProjectManager)
+
+    allowlist_content = allowlist.list()
+    assert isinstance(allowlist_content, list)
+
+
+def test_get_groups_allowlist(job_token_scope, resp_get_groups_allowlist):
+    allowlist = job_token_scope.groups_allowlist
+    assert isinstance(allowlist, AllowlistedGroupManager)
+
+    allowlist_content = allowlist.list()
+    assert isinstance(allowlist_content, list)

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`GITLAB_IMAGE=gitlab/gitlab-ee`
`2`		`-GITLAB_TAG=16.9.1-ee.0`
	`2`	`+GITLAB_TAG=16.10.1-ee.0`