diff --git a/README.md b/README.md index 909d586..70f89ad 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,9 @@ The current authentication model requires providing Vault with a Gitlab Token. #### path -If `token_type` is `group-service-account` then the format of the path is `{groupId}/{serviceAccountName}` example `265/service_account_65c74d39b4f71fc3fdc72330fce28c28`. +##### `token_type` is `group-service-account` + +Format of the path is `{groupId}/{serviceAccountName}` example `265/service_account_65c74d39b4f71fc3fdc72330fce28c28`. #### name @@ -156,7 +158,7 @@ Depending on `gitlab_revokes_token` the TTL will change. #### access_level -It's not required if `token_type` is set to `personal` or `pipeline-project-trigger`. +It's not required if `token_type` is set to `personal`, `pipeline-project-trigger`, `project-deploy`, `group-deploy`. For a list of available roles check https://docs.gitlab.com/ee/user/permissions.html @@ -232,6 +234,7 @@ token_id 1 token_sha1_hash 9441e6e07d77a2d5601ab5d7cac5868d358d885c type self-managed gitlab_version 17.5.3-ee +gitlab_revision 9d81c27eee7 gitlab_is_enterprise true ``` @@ -252,6 +255,7 @@ token_id 2 token_sha1_hash c6e762667cadb936f0c8439b0d240661a270eba1 type saas gitlab_version 17.7.0-pre +gitlab_revision 22e9474dc6b gitlab_is_enterprise true ``` diff --git a/gitlab_client.go b/gitlab_client.go index 14636a4..4069593 100644 --- a/gitlab_client.go +++ b/gitlab_client.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "net/http" + "strconv" "strings" "time" 
@@ -38,8 +39,12 @@ type Client interface { CreateUserServiceAccountAccessToken(ctx context.Context, username string, userId int, name string, expiresAt time.Time, scopes []string) (*EntryToken, error) RevokeUserServiceAccountAccessToken(ctx context.Context, token string) error RevokeGroupServiceAccountAccessToken(ctx context.Context, token string) error - CreatePipelineProjectTriggerAccessToken(ctx context.Context, name string, projectId int, description string) (*EntryToken, error) + CreatePipelineProjectTriggerAccessToken(ctx context.Context, path, name string, projectId int, description string, expiresAt *time.Time) (*EntryToken, error) RevokePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, tokenId int) error + CreateProjectDeployToken(ctx context.Context, path string, projectId int, name string, expiresAt *time.Time, scopes []string) (et *EntryToken, err error) + RevokeProjectDeployToken(ctx context.Context, projectId, deployTokenId int) (err error) + CreateGroupDeployToken(ctx context.Context, path string, groupId int, name string, expiresAt *time.Time, scopes []string) (et *EntryToken, err error) + RevokeGroupDeployToken(ctx context.Context, groupId, deployTokenId int) (err error) } type gitlabClient struct { 
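Review bot: The four deploy-token methods added to the Client interface declare named results (`(et *EntryToken, err error)`, `(err error)`) while the surrounding interface methods use unnamed ones; in an interface the names carry no meaning and only add noise. Declare them as `CreateProjectDeployToken(ctx context.Context, path string, projectId int, name string, expiresAt *time.Time, scopes []string) (*EntryToken, error)` and `RevokeProjectDeployToken(ctx context.Context, projectId, deployTokenId int) error`, likewise for the group variants. The new methods are exported and have no doc comment; a one-line comment per method stating that expiresAt may be nil and which GitLab deploy-token operation it wraps would help callers. The Client interface declaration begins outside the hunk.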
@@ -49,6 +54,83 @@ type gitlabClient struct { logger hclog.Logger } +func (gc *gitlabClient) CreateGroupDeployToken(ctx context.Context, path string, groupId int, name string, expiresAt *time.Time, scopes []string) (et *EntryToken, err error) { + var dt *g.DeployToken + defer func() { + gc.logger.Debug("Create group deploy token", "groupId", groupId, "name", name, "path", path, "expiresAt", expiresAt, "scopes", scopes, "error", err) + }() + + if dt, _, err = gc.client.DeployTokens.CreateGroupDeployToken( + groupId, + &g.CreateGroupDeployTokenOptions{ + Name: &name, + ExpiresAt: expiresAt, + Scopes: &scopes, + }, + g.WithContext(ctx), + ); err == nil { + et = &EntryToken{ + TokenID: dt.ID, + ParentID: strconv.Itoa(groupId), + Path: path, + Name: name, + Token: dt.Token, + TokenType: TokenTypeGroupDeploy, + Scopes: scopes, + AccessLevel: AccessLevelUnknown, + CreatedAt: g.Ptr(time.Now()), + } + } + return et, err +} + +func (gc *gitlabClient) CreateProjectDeployToken(ctx context.Context, path string, projectId int, name string, expiresAt *time.Time, scopes []string) (et *EntryToken, err error) { + var dt *g.DeployToken + defer func() { + gc.logger.Debug("Create project deploy token", "projectId", projectId, "name", name, "path", path, "expiresAt", expiresAt, "scopes", scopes, "error", err) + }() + if dt, _, err = gc.client.DeployTokens.CreateProjectDeployToken( + projectId, + &g.CreateProjectDeployTokenOptions{ + Name: &name, + ExpiresAt: expiresAt, + Scopes: &scopes, + }, + g.WithContext(ctx), + ); err == nil { + et = &EntryToken{ + TokenID: dt.ID, + ParentID: strconv.Itoa(projectId), + Path: path, + Name: name, + Token: dt.Token, + TokenType: TokenTypeProjectDeploy, + Scopes: scopes, + AccessLevel: AccessLevelUnknown, + CreatedAt: g.Ptr(time.Now()), + } + } + return et, err +} + +func (gc *gitlabClient) RevokeGroupDeployToken(ctx context.Context, groupId, deployTokenId int) (err error) { + defer func() { + gc.logger.Debug("Revoke group deploy token", "groupId", 
groupId, "deployTokenId", deployTokenId, "error", err) + }() + + _, err = gc.client.DeployTokens.DeleteGroupDeployToken(groupId, deployTokenId, g.WithContext(ctx)) + return err +} + +func (gc *gitlabClient) RevokeProjectDeployToken(ctx context.Context, projectId, deployTokenId int) (err error) { + defer func() { + gc.logger.Debug("Revoke project deploy token", "projectId", projectId, "deployTokenId", deployTokenId, "error", err) + }() + + _, err = gc.client.DeployTokens.DeleteProjectDeployToken(projectId, deployTokenId, g.WithContext(ctx)) + return err +} + func (gc *gitlabClient) Metadata(ctx context.Context) (metadata *g.Metadata, err error) { defer func() { gc.logger.Debug("Fetch metadata information", "metadata", metadata, "error", err) 
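Review bot: CreateGroupDeployToken and CreateProjectDeployToken forward `expiresAt` to GitLab but never record it on the returned EntryToken, whereas CreatePipelineProjectTriggerAccessToken in the next hunk sets `ExpiresAt: expiresAt`; anything downstream that derives lease or revocation timing from EntryToken.ExpiresAt (I cannot see that code here) will observe a nil expiry for deploy tokens. Add `ExpiresAt: expiresAt,` to both EntryToken literals. Apart from the endpoint, the parent id and the TokenType constant, the two constructors are line-for-line identical; a small unexported helper taking the `*g.DeployToken`, the parent id and the token type would keep them from drifting the way the fake in helpers_test.go already has.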
@@ -58,19 +140,39 @@ func (gc *gitlabClient) Metadata(ctx context.Context) (metadata *g.Metadata, err return metadata, err } -func (gc *gitlabClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, name string, projectId int, description string) (et *EntryToken, err error) { +func (gc *gitlabClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, path, name string, projectId int, description string, expiresAt *time.Time) (et *EntryToken, err error) { + var pt *g.PipelineTrigger defer func() { - gc.logger.Debug("Created a pipeline project trigger access token", "projectId", description, "description", "error", err) + gc.logger.Debug("Create a pipeline project trigger access token", "path", path, "name", name, "projectId", description, "description", "error", err) }() - return nil, err + if pt, _, err = gc.client.PipelineTriggers.AddPipelineTrigger( + projectId, + &g.AddPipelineTriggerOptions{Description: &description}, + g.WithContext(ctx), + ); err == nil { + et = &EntryToken{ + TokenID: pt.ID, + ParentID: strconv.Itoa(projectId), + Path: path, + Name: name, + Token: pt.Token, + TokenType: TokenTypePipelineProjectTrigger, + Scopes: []string{}, + AccessLevel: AccessLevelUnknown, + ExpiresAt: expiresAt, + } + } + + return et, err } func (gc *gitlabClient) RevokePipelineProjectTriggerAccessToken(ctx context.Context, projectId int, tokenId int) (err error) { defer func() { - gc.logger.Debug("Revoked pipeline project trigger access token", "projectId", projectId, "tokenId", tokenId, "error", err) + gc.logger.Debug("Revoke pipeline project trigger access token", "projectId", projectId, "tokenId", tokenId, "error", err) }() + _, err = gc.client.PipelineTriggers.DeletePipelineTrigger(projectId, tokenId, g.WithContext(ctx)) return err } 
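Review bot: The deferred Debug call in CreatePipelineProjectTriggerAccessToken still has its key/value pairs misaligned: `"projectId", description, "description", "error", err` logs the description under the projectId key, the literal string "error" under the description key, and leaves `err` as a dangling key, so the error is never recorded. Change it to `"projectId", projectId, "description", description, "error", err`. The EntryToken built here also leaves CreatedAt unset, unlike the deploy-token constructors in the previous hunk which set `CreatedAt: g.Ptr(time.Now())`; if any consumer formats CreatedAt unconditionally (path_config_rotate.go does so for the config token), the same line here closes that nil-pointer risk.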
@@ -102,7 +204,7 @@ func (gc *gitlabClient) GitlabClient(ctx context.Context) *g.Client { func (gc *gitlabClient) CreateGroupServiceAccountAccessToken(ctx context.Context, path string, groupId string, userId int, name string, expiresAt time.Time, scopes []string) (et *EntryToken, err error) { var at *g.PersonalAccessToken defer func() { - gc.logger.Debug("Created group service access token", "pat", at, "et", et, "path", path, "groupId", groupId, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "error", err) + gc.logger.Debug("Create group service access token", "pat", at, "et", et, "path", path, "groupId", groupId, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "error", err) }() at, _, err = gc.client.Groups.CreateServiceAccountPersonalAccessToken(groupId, userId, &g.CreateServiceAccountPersonalAccessTokenOptions{ Name: g.Ptr(name), @@ -129,7 +231,7 @@ func (gc *gitlabClient) CreateGroupServiceAccountAccessToken(ctx context.Context func (gc *gitlabClient) CreateUserServiceAccountAccessToken(ctx context.Context, username string, userId int, name string, expiresAt time.Time, scopes []string) (et *EntryToken, err error) { defer func() { - gc.logger.Debug("Created user service access token", "et", et, "username", username, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "error", err) + gc.logger.Debug("Create user service access token", "et", et, "username", username, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "error", err) }() et, err = gc.CreatePersonalAccessToken(ctx, username, userId, name, expiresAt, scopes) if err == nil && et != nil { 
@@ -174,36 +276,25 @@ func (gc *gitlabClient) RevokeGroupServiceAccountAccessToken(ctx context.Context return err } -func (gc *gitlabClient) CurrentVersionInfo(ctx context.Context) (v *g.Version, err error) { - defer func() { gc.logger.Debug("Current version info", "version", v, "error", err) }() - v, _, err = gc.client.Version.GetVersion(g.WithContext(ctx)) - if err != nil { - return nil, err - } - return v, nil -} - func (gc *gitlabClient) CurrentTokenInfo(ctx context.Context) (et *EntryToken, err error) { var pat *g.PersonalAccessToken defer func() { gc.logger.Debug("Current token info", "token", et, "error", err) }() - pat, _, err = gc.client.PersonalAccessTokens.GetSinglePersonalAccessToken(g.WithContext(ctx)) - if err != nil { - return nil, err - } - et = &EntryToken{ - TokenID: pat.ID, - UserID: pat.UserID, - ParentID: "", - Path: "", - Name: pat.Name, - Token: pat.Token, - TokenType: TokenTypePersonal, - CreatedAt: pat.CreatedAt, - ExpiresAt: (*time.Time)(pat.ExpiresAt), - Scopes: pat.Scopes, - AccessLevel: "", + if pat, _, err = gc.client.PersonalAccessTokens.GetSinglePersonalAccessToken(g.WithContext(ctx)); err == nil { + et = &EntryToken{ + TokenID: pat.ID, + UserID: pat.UserID, + ParentID: "", + Path: "", + Name: pat.Name, + Token: pat.Token, + TokenType: TokenTypePersonal, + CreatedAt: pat.CreatedAt, + ExpiresAt: (*time.Time)(pat.ExpiresAt), + Scopes: pat.Scopes, + AccessLevel: "", + } } - return et, nil + return et, err } func (gc *gitlabClient) RotateCurrentToken(ctx context.Context) (token *EntryToken, currentEntryToken *EntryToken, err error) { 
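Review bot: This hunk deletes gitlabClient.CurrentVersionInfo, but the Client interface hunk above does not show the method being removed from the interface; if it is still declared there, *gitlabClient no longer satisfies Client and the breakage only surfaces at the first assignment site. helpers_test.go adds `var _ gitlab.Client = new(inMemoryClient)` for the fake; the real implementation deserves the same compile-time guard next to its type, `var _ Client = (*gitlabClient)(nil)`. The CurrentTokenInfo rewrite preserves the contract (nil token on error), so nothing to change there.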
@@ -288,28 +379,26 @@ func (gc *gitlabClient) CreatePersonalAccessToken(ctx context.Context, username defer func() { gc.logger.Debug("Create personal access token", "pat", at, "et", et, "username", username, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "error", err) }() - at, _, err = gc.client.Users.CreatePersonalAccessToken(userId, &g.CreatePersonalAccessTokenOptions{ + if at, _, err = gc.client.Users.CreatePersonalAccessToken(userId, &g.CreatePersonalAccessTokenOptions{ Name: g.Ptr(name), ExpiresAt: (*g.ISOTime)(&expiresAt), Scopes: &scopes, - }, g.WithContext(ctx)) - if err != nil { - return nil, err - } - et = &EntryToken{ - TokenID: at.ID, - UserID: userId, - ParentID: "", - Path: username, - Name: name, - Token: at.Token, - TokenType: TokenTypePersonal, - CreatedAt: at.CreatedAt, - ExpiresAt: (*time.Time)(at.ExpiresAt), - Scopes: scopes, - AccessLevel: AccessLevelUnknown, + }, g.WithContext(ctx)); err == nil { + et = &EntryToken{ + TokenID: at.ID, + UserID: userId, + ParentID: "", + Path: username, + Name: name, + Token: at.Token, + TokenType: TokenTypePersonal, + CreatedAt: at.CreatedAt, + ExpiresAt: (*time.Time)(at.ExpiresAt), + Scopes: scopes, + AccessLevel: AccessLevelUnknown, + } } - return et, nil + return et, err } func (gc *gitlabClient) CreateGroupAccessToken(ctx context.Context, groupId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (et *EntryToken, err error) { 
@@ -319,56 +408,57 @@ func (gc *gitlabClient) CreateGroupAccessToken(ctx context.Context, groupId stri }() var al = new(g.AccessLevelValue) *al = g.AccessLevelValue(accessLevel.Value()) - at, _, err = gc.client.GroupAccessTokens.CreateGroupAccessToken(groupId, &g.CreateGroupAccessTokenOptions{ + if at, _, err = gc.client.GroupAccessTokens.CreateGroupAccessToken(groupId, &g.CreateGroupAccessTokenOptions{ Name: g.Ptr(name), Scopes: &scopes, ExpiresAt: (*g.ISOTime)(&expiresAt), AccessLevel: al, - }, g.WithContext(ctx)) - if err != nil { - return nil, err + }, g.WithContext(ctx)); err == nil { + et = &EntryToken{ + TokenID: at.ID, + UserID: 0, + ParentID: groupId, + Path: groupId, + Name: name, + Token: at.Token, + TokenType: TokenTypeGroup, + CreatedAt: at.CreatedAt, + ExpiresAt: (*time.Time)(at.ExpiresAt), + Scopes: scopes, + AccessLevel: accessLevel, + } } - et = &EntryToken{ - TokenID: at.ID, - UserID: 0, - ParentID: groupId, - Path: groupId, - Name: name, - Token: at.Token, - TokenType: TokenTypeGroup, - CreatedAt: at.CreatedAt, - ExpiresAt: (*time.Time)(at.ExpiresAt), - Scopes: scopes, - AccessLevel: accessLevel, - } - return et, nil + return et, err } -func (gc *gitlabClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*EntryToken, error) { +func (gc *gitlabClient) CreateProjectAccessToken(ctx context.Context, projectId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (et *EntryToken, err error) { + var at *g.ProjectAccessToken + defer func() { + gc.logger.Debug("Create project access token", "gat", at, "et", et, "projectId", projectId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "accessLevel", accessLevel, "error", err) + }() var al = new(g.AccessLevelValue) *al = g.AccessLevelValue(accessLevel.Value()) - at, _, err := gc.client.ProjectAccessTokens.CreateProjectAccessToken(projectId, &g.CreateProjectAccessTokenOptions{ 
+ if at, _, err = gc.client.ProjectAccessTokens.CreateProjectAccessToken(projectId, &g.CreateProjectAccessTokenOptions{ Name: g.Ptr(name), Scopes: &scopes, ExpiresAt: (*g.ISOTime)(&expiresAt), AccessLevel: al, - }, g.WithContext(ctx)) - if err != nil { - return nil, err + }, g.WithContext(ctx)); err == nil { + et = &EntryToken{ + TokenID: at.ID, + UserID: 0, + ParentID: projectId, + Path: projectId, + Name: name, + Token: at.Token, + TokenType: TokenTypeProject, + CreatedAt: at.CreatedAt, + ExpiresAt: (*time.Time)(at.ExpiresAt), + Scopes: scopes, + AccessLevel: accessLevel, + } } - return &EntryToken{ - TokenID: at.ID, - UserID: 0, - ParentID: projectId, - Path: projectId, - Name: name, - Token: at.Token, - TokenType: TokenTypeProject, - CreatedAt: at.CreatedAt, - ExpiresAt: (*time.Time)(at.ExpiresAt), - Scopes: scopes, - AccessLevel: accessLevel, - }, nil + return et, err } func (gc *gitlabClient) RevokePersonalAccessToken(ctx context.Context, tokenId int) (err error) { diff --git a/helpers_test.go b/helpers_test.go index 16ea3ed..66d0b94 100644 --- a/helpers_test.go +++ b/helpers_test.go @@ -28,6 +28,8 @@ import ( gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab" ) +var _ gitlab.Client = new(inMemoryClient) + var ( gitlabComPersonalAccessToken = cmp.Or(os.Getenv("GITLAB_COM_TOKEN"), "glpat-invalid-value") gitlabComUrl = cmp.Or(os.Getenv("GITLAB_COM_URL"), "https://gitlab.com") @@ -171,6 +173,10 @@ type inMemoryClient struct { createPipelineProjectTriggerAccessTokenError bool revokePipelineProjectTriggerAccessTokenError bool metadataError bool + revokeProjectDeployTokenError bool + revokeGroupDeployTokenError bool + createProjectDeployTokenError bool + createGroupDeployTokenError bool calledMainToken int calledRotateMainToken int 
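Review bot: The deferred Debug line newly added to CreateProjectAccessToken logs the whole `at` (*g.ProjectAccessToken) and `et` (*EntryToken), and both carry the freshly minted secret in their Token field (the hunk copies `at.Token` into `et`), so enabling debug logging writes the credential into Vault's log. Unless these types implement a redacting formatter, drop the two struct arguments and log identifying fields only: `gc.logger.Debug("Create project access token", "projectId", projectId, "name", name, "expiresAt", expiresAt, "scopes", scopes, "accessLevel", accessLevel, "error", err)`. The same `"pat", at, "et", et` pattern exists in CreateGroupServiceAccountAccessToken and CreatePersonalAccessToken, but those lines are not introduced by this commit. CreateGroupAccessToken's body begins outside the hunk.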
@@ -182,6 +188,74 @@ type inMemoryClient struct { accessTokens map[string]gitlab.EntryToken } +func (i *inMemoryClient) CreateProjectDeployToken(ctx context.Context, path string, projectId int, name string, expiresAt *time.Time, scopes []string) (et *gitlab.EntryToken, err error) { + i.muLock.Lock() + defer i.muLock.Unlock() + if i.createProjectDeployTokenError { + return nil, fmt.Errorf("unable to create project deploy token") + } + i.internalCounter++ + var tokenId = i.internalCounter + key := fmt.Sprintf("%s_%v_%v", gitlab.TokenTypeProjectDeploy.String(), projectId, tokenId) + var entryToken = gitlab.EntryToken{ + TokenID: tokenId, + ParentID: strconv.Itoa(projectId), + Path: path, + Name: name, + Token: fmt.Sprintf("glpat-%s", uuid.New().String()), + TokenType: gitlab.TokenTypeProjectDeploy, + ExpiresAt: expiresAt, + CreatedAt: g.Ptr(time.Now()), + } + i.accessTokens[key] = entryToken + return &entryToken, nil +} + +func (i *inMemoryClient) CreateGroupDeployToken(ctx context.Context, path string, groupId int, name string, expiresAt *time.Time, scopes []string) (et *gitlab.EntryToken, err error) { + i.muLock.Lock() + defer i.muLock.Unlock() + if i.createGroupDeployTokenError { + return nil, fmt.Errorf("unable to create project deploy token") + } + i.internalCounter++ + var tokenId = i.internalCounter + key := fmt.Sprintf("%s_%v_%v", gitlab.TokenTypeGroupDeploy.String(), groupId, tokenId) + var entryToken = gitlab.EntryToken{ + TokenID: tokenId, + ParentID: strconv.Itoa(groupId), + Path: path, + Name: name, + Token: fmt.Sprintf("glpat-%s", uuid.New().String()), + TokenType: gitlab.TokenTypeGroupDeploy, + ExpiresAt: expiresAt, + CreatedAt: g.Ptr(time.Now()), + } + i.accessTokens[key] = entryToken + return &entryToken, nil +} + +func (i *inMemoryClient) RevokeProjectDeployToken(ctx context.Context, projectId, deployTokenId int) (err error) { + i.muLock.Lock() + defer i.muLock.Unlock() + if i.revokeProjectDeployTokenError { + return errors.New("revoke project deploy 
token error") + } + key := fmt.Sprintf("%s_%v_%v", gitlab.TokenTypeProjectDeploy.String(), projectId, deployTokenId) + delete(i.accessTokens, key) + return nil +} + +func (i *inMemoryClient) RevokeGroupDeployToken(ctx context.Context, groupId, deployTokenId int) (err error) { + i.muLock.Lock() + defer i.muLock.Unlock() + if i.revokeGroupDeployTokenError { + return errors.New("revoke group deploy token error") + } + key := fmt.Sprintf("%s_%v_%v", gitlab.TokenTypeGroupDeploy.String(), groupId, deployTokenId) + delete(i.accessTokens, key) + return nil +} + func (i *inMemoryClient) Metadata(ctx context.Context) (*g.Metadata, error) { if i.metadataError { return nil, errors.New("metadata error") @@ -193,7 +267,7 @@ func (i *inMemoryClient) Metadata(ctx context.Context) (*g.Metadata, error) { }, nil } -func (i *inMemoryClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, name string, projectId int, description string) (et *gitlab.EntryToken, err error) { +func (i *inMemoryClient) CreatePipelineProjectTriggerAccessToken(ctx context.Context, path, name string, projectId int, description string, expiresAt *time.Time) (et *gitlab.EntryToken, err error) { i.muLock.Lock() defer i.muLock.Unlock() if i.createPipelineProjectTriggerAccessTokenError { @@ -204,12 +278,12 @@ func (i *inMemoryClient) CreatePipelineProjectTriggerAccessToken(ctx context.Con key := fmt.Sprintf("%s_%v_%v", gitlab.TokenTypePipelineProjectTrigger.String(), projectId, tokenId) var entryToken = gitlab.EntryToken{ TokenID: tokenId, - UserID: projectId, - ParentID: "", + ParentID: strconv.Itoa(projectId), Path: strconv.Itoa(projectId), Name: name, Token: fmt.Sprintf("glptt-%s", uuid.New().String()), TokenType: gitlab.TokenTypePipelineProjectTrigger, + ExpiresAt: expiresAt, CreatedAt: g.Ptr(time.Now()), } i.accessTokens[key] = entryToken 
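Review bot: inMemoryClient.CreateGroupDeployToken returns `fmt.Errorf("unable to create project deploy token")` when createGroupDeployTokenError is set, a copy-paste from the project variant that makes a failing group test read as a project failure; use `errors.New("unable to create group deploy token")` (errors.New is already what the revoke paths in this hunk use). Both fake constructors also discard the `scopes` argument, whereas the real gitlabClient stores `Scopes: scopes`; add `Scopes: scopes,` to the two EntryToken literals so tests exercising scope handling see the same shape as production. The two revoke fakes delete the key unconditionally, so revoking a wrong id passes silently; returning `gitlab.ErrAccessTokenNotFound` when the key is absent would let tests distinguish the two, since secret_access_tokens.go already tolerates that error.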
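Review bot: The fake CreatePipelineProjectTriggerAccessToken now receives `path` but still stores `Path: strconv.Itoa(projectId)`, while the real client in gitlab_client.go stores `Path: path`; a test that round-trips the path through the fake will not catch a regression in the real implementation. Change it to `Path: path,`. The enclosing function starts in the previous hunk.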
@@ -413,8 +487,6 @@ func (i *inMemoryClient) GetUserIdByUsername(ctx context.Context, username strin return idx, nil } -var _ gitlab.Client = new(inMemoryClient) - func sanitizePath(path string) string { var builder strings.Builder diff --git a/path_config_rotate.go b/path_config_rotate.go index 64f6f15..1f0016b 100644 --- a/path_config_rotate.go +++ b/path_config_rotate.go @@ -108,12 +108,13 @@ func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Re lResp = &logical.Response{Data: config.LogicalResponseData()} lResp.Data["token"] = config.Token event(ctx, b.Backend, "config-token-rotate", map[string]string{ - "path": fmt.Sprintf("%s/%s", PathConfigStorage, name), - "expires_at": entryToken.ExpiresAt.Format(time.RFC3339), - "created_at": entryToken.CreatedAt.Format(time.RFC3339), - "scopes": strings.Join(entryToken.Scopes, ", "), - "token_id": strconv.Itoa(entryToken.TokenID), - "name": entryToken.Name, + "path": fmt.Sprintf("%s/%s", PathConfigStorage, name), + "expires_at": entryToken.ExpiresAt.Format(time.RFC3339), + "created_at": entryToken.CreatedAt.Format(time.RFC3339), + "scopes": strings.Join(entryToken.Scopes, ", "), + "token_id": strconv.Itoa(entryToken.TokenID), + "name": entryToken.Name, + "config_name": entryToken.ConfigName, }) b.SetClient(nil, name) diff --git a/path_role.go b/path_role.go index 89fc355..52ec526 100644 --- a/path_role.go +++ b/path_role.go @@ -250,7 +250,7 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data var skipFields = []string{"config_name"} - // validate access level + // validate access level and which fields to skip for validation var validAccessLevels []string switch tokenType { case TokenTypePersonal: 
@@ -362,8 +362,9 @@ func (b *Backend) pathRolesWrite(ctx context.Context, req *logical.Request, data } event(ctx, b.Backend, "role-write", map[string]string{ - "path": "roles", - "role_name": roleName, + "path": "roles", + "role_name": roleName, + "config_name": role.ConfigName, }) b.Logger().Debug("Role written", "role", roleName) diff --git a/path_token_role.go b/path_token_role.go index 835b59a..e711c05 100644 --- a/path_token_role.go +++ b/path_token_role.go @@ -109,6 +109,11 @@ func (b *Backend) pathTokenRoleCreate(ctx context.Context, req *logical.Request, b.Logger().Debug("Creating group service account access token for role", "path", role.Path, "groupId", groupId, "userId", userId, "name", name, "expiresAt", expiresAt, "scopes", role.Scopes) token, err = client.CreateGroupServiceAccountAccessToken(ctx, role.Path, groupId, userId, name, expiresAt, role.Scopes) } + + case TokenTypeProjectDeploy: + case TokenTypeGroupDeploy: + case TokenTypePipelineProjectTrigger: + default: return logical.ErrorResponse("invalid token type"), fmt.Errorf("%s: %w", role.TokenType.String(), ErrUnknownTokenType) } @@ -148,6 +153,7 @@ func (b *Backend) pathTokenRoleCreate(ctx context.Context, req *logical.Request, "token_type": role.TokenType.String(), "scopes": strings.Join(role.Scopes, ","), "access_level": role.AccessLevel.String(), + "config_name": token.ConfigName, }) return resp, nil } diff --git a/secret_access_tokens.go b/secret_access_tokens.go index d156c61..550bbce 100644 --- a/secret_access_tokens.go +++ b/secret_access_tokens.go @@ -68,12 +68,6 @@ func (b *Backend) secretAccessTokenRevoke(ctx context.Context, req *logical.Requ configName = val.(string) } - // var config *EntryConfig - // config, err = getConfig(ctx, req.Storage, configName) - // if err != nil { - // return nil, err - // } - var tokenId int tokenId, err = convertToInt(req.Secret.InternalData["token_id"]) if err != nil { 
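Review bot: The added `case TokenTypeProjectDeploy:`, `case TokenTypeGroupDeploy:` and `case TokenTypePipelineProjectTrigger:` have empty bodies, and Go cases do not fall through, so for these three role types the switch completes with `token` still nil and `err` nil and the handler proceeds as if a token had been issued; the later hunk in this function reads `token.ConfigName` for the event, which panics on a nil token. Either wire the cases to the client methods this commit adds (CreateProjectDeployToken, CreateGroupDeployToken, CreatePipelineProjectTriggerAccessToken, with the parent id derived from the role the way the group-service-account case appears to), or until then return an explicit error, `return logical.ErrorResponse("token type not implemented"), fmt.Errorf("%s: %w", role.TokenType.String(), ErrUnknownTokenType)`, rather than leaving silent empty cases. pathTokenRoleCreate starts and ends outside the hunk.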
@@ -91,7 +85,7 @@ func (b *Backend) secretAccessTokenRevoke(ctx context.Context, req *logical.Requ var client Client client, err = b.getClient(ctx, req.Storage, configName) if err != nil { - return nil, fmt.Errorf("revoke token cannot get client: %w", err) + return nil, fmt.Errorf("revoke token cannot get client got %s config: %w", configName, err) } switch tokenType { @@ -107,6 +101,21 @@ func (b *Backend) secretAccessTokenRevoke(ctx context.Context, req *logical.Requ case TokenTypeGroupServiceAccount: var token = req.Secret.InternalData["token"].(string) err = client.RevokeGroupServiceAccountAccessToken(ctx, token) + case TokenTypePipelineProjectTrigger: + var projectId int + if projectId, err = strconv.Atoi(parentId); err == nil { + err = client.RevokePipelineProjectTriggerAccessToken(ctx, projectId, tokenId) + } + case TokenTypeGroupDeploy: + var groupId int + if groupId, err = strconv.Atoi(parentId); err == nil { + err = client.RevokeProjectDeployToken(ctx, groupId, tokenId) + } + case TokenTypeProjectDeploy: + var projectId int + if projectId, err = strconv.Atoi(parentId); err == nil { + err = client.RevokeProjectDeployToken(ctx, projectId, tokenId) + } } if err != nil && !errors.Is(err, ErrAccessTokenNotFound) { @@ -120,6 +129,7 @@ func (b *Backend) secretAccessTokenRevoke(ctx context.Context, req *logical.Requ "name": req.Secret.InternalData["name"].(string), "token_id": strconv.Itoa(tokenId), "token_type": tokenTypeValue, + "config_name": configName, "gitlab_revokes_token": strconv.FormatBool(gitlabRevokesToken), })
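Review bot: The reworded error `"revoke token cannot get client got %s config: %w"` reads awkwardly and renders an empty config name as nothing; `%q` quotes it and shows the empty case: `return nil, fmt.Errorf("revoke token cannot get client for config %q: %w", configName, err)`.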
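Review bot: The new `case TokenTypeGroupDeploy:` branch calls `client.RevokeProjectDeployToken(ctx, groupId, tokenId)`, so revoking a group deploy token hits the project deploy-token operation with the group id in place of a project id; the group token is not revoked, while the Vault lease is still torn down, so the credential outlives the lease. This commit added `RevokeGroupDeployToken` to the Client interface for exactly this case, so the line should be `err = client.RevokeGroupDeployToken(ctx, groupId, tokenId)`. Whether the wrong-endpoint call errors or, if a project with that id happens to exist, acts on something unrelated depends on GitLab, which is why a revoke path must not rely on it. A test against the in-memory client asserting that the group key is gone after revocation would have caught this. secretAccessTokenRevoke starts outside the hunk.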