feat: add support for groups_allowlist in job_token_scope

TimKnight-DWP · TimKnight-DWP · commit 5aa3701698c4 · 2024-03-05T16:01:40.000Z
Signed-off-by: Tim Knight &lt;tim.knight1@engineering.digital.dwp.gov.uk&gt;
diff --git a/docs/gl_objects/job_token_scope.rst b/docs/gl_objects/job_token_scope.rst
@@ -69,3 +69,24 @@ Remove a project from the project's inbound allowlist::
    Similar to above, the ID attributes you receive from the create and list
    APIs are not consistent. To safely retrieve the ID of the allowlisted project
    regardless of how the object was created, always use its ``.get_id()`` method.
+
+Get a project's CI/CD job token inbound groups allowlist::
+
+    allowlist = scope.groups_allowlist.list()
+
+Add a project to the project's inbound groups allowlist::
+
+    allowed_project = scope.groups_allowlist.create({"target_project_id": 42})
+
+Remove a project from the project's inbound agroups llowlist::
+
+    allowed_project.delete()
+    # or directly using a Group ID
+    scope.groups_allowlist.delete(42)
+
+.. warning::
+
+   Similar to above, the ID attributes you receive from the create and list
+   APIs are not consistent. To safely retrieve the ID of the allowlisted group
+   regardless of how the object was created, always use its ``.get_id()`` method.
+
diff --git a/gitlab/v4/objects/job_token_scope.py b/gitlab/v4/objects/job_token_scope.py
@@ -24,6 +24,7 @@ class ProjectJobTokenScope(RefreshMixin, SaveMixin, RESTObject):
     _id_attr = None
 
     allowlist: "AllowlistedProjectManager"
+    groups_allowlist: "AllowlistedGroupManager"
 
 
 class ProjectJobTokenScopeManager(GetWithoutIdMixin, UpdateMixin, RESTManager):
@@ -54,3 +55,23 @@ class AllowlistedProjectManager(ListMixin, CreateMixin, DeleteMixin, RESTManager
     _obj_cls = AllowlistedProject
     _from_parent_attrs = {"project_id": "project_id"}
     _create_attrs = RequiredOptional(required=("target_project_id",))
+
+
+class AllowlistedGroup(ObjectDeleteMixin, RESTObject):
+    _id_attr = "target_group_id"  # note: only true for create endpoint
+
+    def get_id(self) -> int:
+        """Returns the id of the resource. This override deals with
+        the fact that either an `id` or a `target_project_id` attribute
+        is returned by the server depending on the endpoint called."""
+        try:
+            return cast(int, getattr(self, self._id_attr))
+        except AttributeError:
+            return cast(int, getattr(self, "id"))
+
+
+class AllowlistedGroupManager(ListMixin, CreateMixin, DeleteMixin, RESTManager):
+    _path = "/projects/{project_id}/job_token_scope/groups_allowlist"
+    _obj_cls = AllowlistedProject
+    _from_parent_attrs = {"project_id": "project_id"}
+    _create_attrs = RequiredOptional(required=("target_group_id",))
diff --git a/tests/functional/api/test_project_job_token_scope.py b/tests/functional/api/test_project_job_token_scope.py
@@ -12,8 +12,6 @@ def test_add_project_to_job_token_scope_allowlist(gl, project):
 
 def test_projects_job_token_scope_allowlist_contains_added_project_name(gl, project):
     scope = project.job_token_scope.get()
-    assert len(scope.allowlist.list()) == 0
-
     project_name = "Ci_Cd_token_named_proj"
     project_to_add = gl.projects.create({"name": project_name})
     scope.allowlist.create({"target_project_id": project_to_add.id})
@@ -26,18 +24,70 @@ def test_projects_job_token_scope_allowlist_contains_added_project_name(gl, proj
 
 def test_remove_project_by_id_from_projects_job_token_scope_allowlist(gl, project):
     scope = project.job_token_scope.get()
-    assert len(scope.allowlist.list()) == 0
 
     project_to_add = gl.projects.create({"name": "Ci_Cd_token_remove_proj"})
 
     scope.allowlist.create({"target_project_id": project_to_add.id})
 
     scope.refresh()
-    assert len(scope.allowlist.list()) != 0
 
-    scope.allowlist.remove(project_to_add.id)
+    scope.allowlist.delete(project_to_add.id)
 
     scope.refresh()
-    assert len(scope.allowlist.list()) == 0
+    assert not any(
+        allowed.id == project_to_add.id for allowed in scope.allowlist.list()
+    )
 
     project_to_add.delete()
+
+
+def test_add_group_to_job_token_scope_allowlist(gl, project):
+    group_to_add = gl.groups.create(
+        {"name": "add_group", "path": "allowlisted-add-test"}
+    )
+
+    scope = project.job_token_scope.get()
+    resp = scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    assert resp.source_project_id == project.id
+    assert resp.target_group_id == group_to_add.id
+
+    group_to_add.delete()
+
+
+def test_projects_job_token_scope_groups_allowlist_contains_added_group_name(
+    gl, project
+):
+    scope = project.job_token_scope.get()
+    group_name = "list_group"
+    group_to_add = gl.groups.create(
+        {"name": group_name, "path": "allowlisted-add-and-list-test"}
+    )
+
+    scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    scope.refresh()
+    assert any(allowed.name == group_name for allowed in scope.groups_allowlist.list())
+
+    group_to_add.delete()
+
+
+def test_remove_group_by_id_from_projects_job_token_scope_groups_allowlist(gl, project):
+    scope = project.job_token_scope.get()
+
+    group_to_add = gl.groups.create(
+        {"name": "delete_group", "path": "allowlisted-delete-test"}
+    )
+
+    scope.groups_allowlist.create({"target_group_id": group_to_add.id})
+
+    scope.refresh()
+
+    scope.groups_allowlist.delete(group_to_add.id)
+
+    scope.refresh()
+    assert not any(
+        allowed.name == group_to_add.name for allowed in scope.groups_allowlist.list()
+    )
+
+    group_to_add.delete()
diff --git a/tests/functional/fixtures/.env b/tests/functional/fixtures/.env
@@ -1,2 +1,2 @@
 GITLAB_IMAGE=gitlab/gitlab-ee
-GITLAB_TAG=16.9.1-ee.0
+GITLAB_TAG=nightly

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`GITLAB_IMAGE=gitlab/gitlab-ee`
`2`		`-GITLAB_TAG=16.9.1-ee.0`
	`2`	`+GITLAB_TAG=nightly`