Merge topic 'pat-create-endpoint-fixes'

a9f4be2 api/personal_access_tokens: fix creation endpoint scopes

Acked-by: Kitware Robot <kwrobot@kitware.com>
Tested-by: buildbot <buildbot@kitware.com>
Acked-by: Brad King <brad.king@kitware.com>
Merge-request: !470

Author: mathstuf

CHANGELOG.md

@@ -5,6 +5,12 @@
   * Actually build the
     `/project/:project/issues/:issue_iid/related_merge_requests` endpoint.
 
+## Breaking changes
+
+  * `api::users::CreatePersonalAccessToken` now uses
+    `PersonalAccessTokenCreateScope` as this endpoint is actually quite limited
+    compared to the `CreatePersonalAccessTokenForUser` endpoint.
+
 # v0.1611.1
 
 ## Additions

src/api/users/personal_access_tokens.rs

@@ -16,8 +16,9 @@ mod create_for_user;
 pub use self::create::CreatePersonalAccessToken;
 pub use self::create::CreatePersonalAccessTokenBuilder;
 pub use self::create::CreatePersonalAccessTokenBuilderError;
-pub use self::create::PersonalAccessTokenScope;
+pub use self::create::PersonalAccessTokenCreateScope;
 
 pub use self::create_for_user::CreatePersonalAccessTokenForUser;
 pub use self::create_for_user::CreatePersonalAccessTokenForUserBuilder;
 pub use self::create_for_user::CreatePersonalAccessTokenForUserBuilderError;
+pub use self::create_for_user::PersonalAccessTokenScope;

src/api/users/personal_access_tokens/create.rs

@@ -15,57 +15,21 @@ use crate::api::ParamValue;
 /// Scopes for personal access tokens.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
 #[non_exhaustive]
-pub enum PersonalAccessTokenScope {
-    /// Access the API and perform git reads and writes.
-    Api,
-    /// Access to read the user information.
-    ReadUser,
-    /// Access read-only API endpoints.
-    ReadApi,
-    /// Read access to repositories.
-    ReadRepository,
-    /// Write access to repositories.
-    WriteRepository,
-    /// Read access to Docker registries.
-    ReadRegistry,
-    /// Write access to Docker registries.
-    WriteRegistry,
-    /// Permission to `sudo` as other users (administrator only).
-    Sudo,
-    /// Permission to access administrator API actions.
-    AdminMode,
-    /// Permission to create instance runners.
-    CreateRunner,
-    /// Access to AI features (GitLab Duo for JetBrains).
-    AiFeatures,
+pub enum PersonalAccessTokenCreateScope {
     /// Access to perform Kubernetes API calls.
     K8sProxy,
-    /// Access to the Service Ping payload.
-    ReadServicePing,
 }
 
-impl PersonalAccessTokenScope {
+impl PersonalAccessTokenCreateScope {
     /// The scope as a query parameter.
     pub(crate) fn as_str(self) -> &'static str {
         match self {
-            Self::Api => "api",
-            Self::ReadUser => "read_user",
-            Self::ReadApi => "read_api",
-            Self::ReadRepository => "read_repository",
-            Self::WriteRepository => "write_repository",
-            Self::ReadRegistry => "read_registry",
-            Self::WriteRegistry => "write_registry",
-            Self::Sudo => "sudo",
-            Self::AdminMode => "admin_mode",
-            Self::CreateRunner => "create_runner",
-            Self::AiFeatures => "ai_features",
             Self::K8sProxy => "k8s_proxy",
-            Self::ReadServicePing => "read_service_ping",
         }
     }
 }
 
-impl ParamValue<'static> for PersonalAccessTokenScope {
+impl ParamValue<'static> for PersonalAccessTokenCreateScope {
     fn as_value(&self) -> Cow<'static, str> {
         self.as_str().into()
     }
@@ -80,7 +44,7 @@ pub struct CreatePersonalAccessToken<'a> {
     name: Cow<'a, str>,
     /// The scopes to allow the token to access.
     #[builder(setter(name = "_scopes"), private)]
-    scopes: BTreeSet<PersonalAccessTokenScope>,
+    scopes: BTreeSet<PersonalAccessTokenCreateScope>,
 
     /// When the token expires.
     #[builder(default)]
@@ -96,15 +60,15 @@ impl<'a> CreatePersonalAccessToken<'a> {
 
 impl<'a> CreatePersonalAccessTokenBuilder<'a> {
     /// Add a scope for the token.
-    pub fn scope(&mut self, scope: PersonalAccessTokenScope) -> &mut Self {
+    pub fn scope(&mut self, scope: PersonalAccessTokenCreateScope) -> &mut Self {
         self.scopes.get_or_insert_with(BTreeSet::new).insert(scope);
         self
     }
 
     /// Add scopes for the token.
     pub fn scopes<I>(&mut self, scopes: I) -> &mut Self
     where
-        I: Iterator<Item = PersonalAccessTokenScope>,
+        I: Iterator<Item = PersonalAccessTokenCreateScope>,
     {
         self.scopes.get_or_insert_with(BTreeSet::new).extend(scopes);
         self
@@ -139,34 +103,15 @@ mod tests {
     use http::Method;
 
     use crate::api::users::personal_access_tokens::{
-        CreatePersonalAccessToken, CreatePersonalAccessTokenBuilderError, PersonalAccessTokenScope,
+        CreatePersonalAccessToken, CreatePersonalAccessTokenBuilderError,
+        PersonalAccessTokenCreateScope,
     };
     use crate::api::{self, Query};
     use crate::test::client::{ExpectedUrl, SingleTestClient};
 
     #[test]
-    fn personal_access_token_scope_as_str() {
-        let items = &[
-            (PersonalAccessTokenScope::Api, "api"),
-            (PersonalAccessTokenScope::ReadUser, "read_user"),
-            (PersonalAccessTokenScope::ReadApi, "read_api"),
-            (PersonalAccessTokenScope::ReadRepository, "read_repository"),
-            (
-                PersonalAccessTokenScope::WriteRepository,
-                "write_repository",
-            ),
-            (PersonalAccessTokenScope::ReadRegistry, "read_registry"),
-            (PersonalAccessTokenScope::WriteRegistry, "write_registry"),
-            (PersonalAccessTokenScope::Sudo, "sudo"),
-            (PersonalAccessTokenScope::AdminMode, "admin_mode"),
-            (PersonalAccessTokenScope::CreateRunner, "create_runner"),
-            (PersonalAccessTokenScope::AiFeatures, "ai_features"),
-            (PersonalAccessTokenScope::K8sProxy, "k8s_proxy"),
-            (
-                PersonalAccessTokenScope::ReadServicePing,
-                "read_service_ping",
-            ),
-        ];
+    fn personal_access_token_create_scope_as_str() {
+        let items = &[(PersonalAccessTokenCreateScope::K8sProxy, "k8s_proxy")];
 
         for (i, s) in items {
             assert_eq!(i.as_str(), *s);
@@ -182,7 +127,7 @@ mod tests {
     #[test]
     fn name_is_necessary() {
         let err = CreatePersonalAccessToken::builder()
-            .scope(PersonalAccessTokenScope::Api)
+            .scope(PersonalAccessTokenCreateScope::K8sProxy)
             .build()
             .unwrap_err();
         crate::test::assert_missing_field!(err, CreatePersonalAccessTokenBuilderError, "name");
@@ -201,7 +146,7 @@ mod tests {
     fn user_name_and_scopes_are_sufficient() {
         CreatePersonalAccessToken::builder()
             .name("name")
-            .scope(PersonalAccessTokenScope::ReadUser)
+            .scope(PersonalAccessTokenCreateScope::K8sProxy)
             .build()
             .unwrap();
     }
@@ -212,14 +157,14 @@ mod tests {
             .method(Method::POST)
             .endpoint("users/personal_access_tokens")
             .content_type("application/x-www-form-urlencoded")
-            .body_str(concat!("name=name", "&scopes%5B%5D=api"))
+            .body_str(concat!("name=name", "&scopes%5B%5D=k8s_proxy"))
             .build()
             .unwrap();
         let client = SingleTestClient::new_raw(endpoint, "");
 
         let endpoint = CreatePersonalAccessToken::builder()
             .name("name")
-            .scopes([PersonalAccessTokenScope::Api].iter().cloned())
+            .scopes([PersonalAccessTokenCreateScope::K8sProxy].iter().cloned())
             .build()
             .unwrap();
         api::ignore(endpoint).query(&client).unwrap();
@@ -234,15 +179,15 @@ mod tests {
             .body_str(concat!(
                 "name=name",
                 "&expires_at=2022-01-01",
-                "&scopes%5B%5D=api",
+                "&scopes%5B%5D=k8s_proxy",
             ))
             .build()
             .unwrap();
         let client = SingleTestClient::new_raw(endpoint, "");
 
         let endpoint = CreatePersonalAccessToken::builder()
             .name("name")
-            .scope(PersonalAccessTokenScope::Api)
+            .scope(PersonalAccessTokenCreateScope::K8sProxy)
             .expires_at(NaiveDate::from_ymd_opt(2022, 1, 1).unwrap())
             .build()
             .unwrap();

src/api/users/personal_access_tokens/create_for_user.rs

@@ -10,7 +10,74 @@ use chrono::NaiveDate;
 use derive_builder::Builder;
 
 use crate::api::endpoint_prelude::*;
-use crate::api::users::personal_access_tokens::PersonalAccessTokenScope;
+use crate::api::ParamValue;
+
+/// Scopes for personal access tokens.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
+#[non_exhaustive]
+pub enum PersonalAccessTokenScope {
+    /// Access the API and perform git reads and writes.
+    Api,
+    /// Access to read the user information.
+    ReadUser,
+    /// Access read-only API endpoints.
+    ReadApi,
+    /// Read access to repositories.
+    ReadRepository,
+    /// Write access to repositories.
+    WriteRepository,
+    /// Read access to Docker registries.
+    ReadRegistry,
+    /// Write access to Docker registries.
+    WriteRegistry,
+    /// Permission to `sudo` as other users (administrator only).
+    Sudo,
+    /// Permission to access administrator API actions.
+    AdminMode,
+    /// Permission to create instance runners.
+    CreateRunner,
+    /// Access to AI features (GitLab Duo for JetBrains).
+    AiFeatures,
+    /// Access to perform Kubernetes API calls.
+    K8sProxy,
+    /// Access to the Service Ping payload.
+    ReadServicePing,
+}
+
+impl PersonalAccessTokenScope {
+    /// The scope as a query parameter.
+    pub(crate) fn as_str(self) -> &'static str {
+        match self {
+            Self::Api => "api",
+            Self::ReadUser => "read_user",
+            Self::ReadApi => "read_api",
+            Self::ReadRepository => "read_repository",
+            Self::WriteRepository => "write_repository",
+            Self::ReadRegistry => "read_registry",
+            Self::WriteRegistry => "write_registry",
+            Self::Sudo => "sudo",
+            Self::AdminMode => "admin_mode",
+            Self::CreateRunner => "create_runner",
+            Self::AiFeatures => "ai_features",
+            Self::K8sProxy => "k8s_proxy",
+            Self::ReadServicePing => "read_service_ping",
+        }
+    }
+
+    /// Transform into a `create` scope if possible.
+    pub fn as_create_scope(self) -> Option<super::PersonalAccessTokenCreateScope> {
+        match self {
+            Self::K8sProxy => Some(super::PersonalAccessTokenCreateScope::K8sProxy),
+            _ => None,
+        }
+    }
+}
+
+impl ParamValue<'static> for PersonalAccessTokenScope {
+    fn as_value(&self) -> Cow<'static, str> {
+        self.as_str().into()
+    }
+}
 
 /// Create a new personal access token for a user.
 #[derive(Debug, Builder, Clone)]
@@ -88,6 +155,35 @@ mod tests {
     use crate::api::{self, Query};
     use crate::test::client::{ExpectedUrl, SingleTestClient};
 
+    #[test]
+    fn personal_access_token_scope_as_str() {
+        let items = &[
+            (PersonalAccessTokenScope::Api, "api"),
+            (PersonalAccessTokenScope::ReadUser, "read_user"),
+            (PersonalAccessTokenScope::ReadApi, "read_api"),
+            (PersonalAccessTokenScope::ReadRepository, "read_repository"),
+            (
+                PersonalAccessTokenScope::WriteRepository,
+                "write_repository",
+            ),
+            (PersonalAccessTokenScope::ReadRegistry, "read_registry"),
+            (PersonalAccessTokenScope::WriteRegistry, "write_registry"),
+            (PersonalAccessTokenScope::Sudo, "sudo"),
+            (PersonalAccessTokenScope::AdminMode, "admin_mode"),
+            (PersonalAccessTokenScope::CreateRunner, "create_runner"),
+            (PersonalAccessTokenScope::AiFeatures, "ai_features"),
+            (PersonalAccessTokenScope::K8sProxy, "k8s_proxy"),
+            (
+                PersonalAccessTokenScope::ReadServicePing,
+                "read_service_ping",
+            ),
+        ];
+
+        for (i, s) in items {
+            assert_eq!(i.as_str(), *s);
+        }
+    }
+
     #[test]
     fn user_name_and_scopes_are_necessary() {
         let err = CreatePersonalAccessTokenForUser::builder()