Admin Mode: Add `admin_mode` scope for PATs
What does this MR do and why?
This MR is part of the implementation plan in #42692 (comment 1222832412) to extend the Admin Mode feature to the API access using a personal access token (PAT).
This MR:
- adds a background migration to add the `admin_mode` scope to all active personal access tokens of administrators
- prohibits users from selecting the new `admin_mode` scope when creating a personal access token (UI & API) at the moment
- adds a model callback to automatically add the `admin_mode` scope if a personal access token is created for an administrator
Further information:
- Issue: #42692 (closed)
- Suggestion: !58530 (comment 1191932927)
/cc @bufferoverflow
How to set up and validate locally
- Before checking out this MR (branch): add some personal access tokens for administrators and other users
- Check out this MR (branch) and run database migrations
- Verify that all active (not revoked, not expired) personal access tokens of administrators also contain the `admin_mode` scope

```shell
$ gdk psql
gitlabhq_development=# select * from personal_access_tokens;
```

- Add a new personal access token for an administrator (UI or API) and verify that it also contains the `admin_mode` scope

```shell
$ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=api" "http://localhost:3000/api/v4/users/1/personal_access_tokens"
{"id":6,"name":"mytoken","revoked":false,"created_at":"2022-12-28T12:38:18.625Z","scopes":["api","admin_mode"],"user_id":1,"last_used_at":null,"active":true,"expires_at":null,"token":"***"}
```

- Add a new personal access token for a normal user (UI or API) and verify that it does not contain the `admin_mode` scope

```shell
$ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=api" "http://localhost:3000/api/v4/users/5/personal_access_tokens"
{"id":10,"name":"mytoken","revoked":false,"created_at":"2022-12-28T14:07:05.405Z","scopes":["api"],"user_id":5,"last_used_at":null,"active":true,"expires_at":null,"token":"***"}
```

- Try to add a new personal access token for an administrator selecting the `admin_mode` scope and verify that it fails

```shell
$ curl --request POST --header "PRIVATE-TOKEN: <token>" --data "name=mytoken" --data "scopes[]=admin_mode" "http://localhost:3000/api/v4/users/1/personal_access_tokens"
{"message":"Scopes can only contain available scopes"}
```
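The three rules this MR describes (backfill for active admin tokens, rejection of a user-selected `admin_mode` scope, automatic addition of the scope for administrators) and the validation steps above can be modelled in plain Ruby. The following is an added illustration, not GitLab's model or migration code; `PersonalAccessToken`, `User`, `USER_SELECTABLE_SCOPES` and `backfill_admin_mode` are hypothetical names, and the tokens are constructed in memory rather than read from the database.

```ruby
# Added illustration (not GitLab's code): a Rails-free sketch of the admin_mode
# scope rules. All class, constant and method names here are hypothetical.
require 'date'

ADMIN_MODE_SCOPE = 'admin_mode'
# Scopes a user may pick when creating a token; admin_mode is deliberately absent,
# so a request that selects it fails validation.
USER_SELECTABLE_SCOPES = %w[api read_api read_user].freeze

User = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin
  end
end

class ScopeError < StandardError; end

class PersonalAccessToken
  attr_reader :user, :scopes, :revoked, :expires_at

  def initialize(user:, scopes:, revoked: false, expires_at: nil)
    @user = user
    @scopes = scopes.map(&:to_s).uniq # own copy, so callbacks never mutate caller input
    @revoked = revoked
    @expires_at = expires_at
  end

  # "Active" as the MR uses it: not revoked and not expired.
  def active?(today = Date.today)
    !revoked && (expires_at.nil? || expires_at >= today)
  end

  # Creation path: validate the caller-selected scopes first (this is where the
  # "Scopes can only contain available scopes" error comes from), then run the
  # model callback that adds admin_mode for administrators.
  def self.create(user:, scopes:)
    unless (scopes.map(&:to_s) - USER_SELECTABLE_SCOPES).empty?
      raise ScopeError, 'Scopes can only contain available scopes'
    end

    token = new(user: user, scopes: scopes)
    token.send(:ensure_admin_mode_scope)
    token
  end

  # Idempotent: adding the scope twice leaves a single admin_mode entry.
  def add_admin_mode_scope!
    @scopes << ADMIN_MODE_SCOPE unless @scopes.include?(ADMIN_MODE_SCOPE)
    self
  end

  private

  # The callback from the MR description: administrators get admin_mode automatically.
  def ensure_admin_mode_scope
    add_admin_mode_scope! if user.admin?
  end
end

# Background-migration analogue: add admin_mode to every active token that belongs
# to an administrator and does not have it yet. Revoked or expired admin tokens and
# all non-admin tokens are left untouched. Returns the number of tokens changed.
def backfill_admin_mode(tokens, today = Date.today)
  tokens.count do |token|
    next false unless token.user.admin? && token.active?(today)
    next false if token.scopes.include?(ADMIN_MODE_SCOPE)

    token.add_admin_mode_scope!
    true
  end
end

if $PROGRAM_NAME == __FILE__
  admin = User.new(id: 1, admin: true)
  token = PersonalAccessToken.create(user: admin, scopes: %w[api])
  puts token.scopes.inspect # ["api", "admin_mode"]
end
```

The constructed backfill below mirrors the psql check in the steps above: only the admin's active token changes, while the revoked, expired and non-admin tokens keep their original scopes.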
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.