Remove revoked agent tokens from API's

Pam Artiaga requested to merge pam/remove-revoked-agent-tokens-from-api into master

What does this MR do and why?

This excludes the revoked agent tokens from both the REST and GraphQL APIs. In detail, that means:

GraphQL API

Query | Change
ClusterAgent.tokens | The resulting list only includes active agent tokens

REST API

Command | Endpoint | Change
List Tokens | GET /projects/:id/cluster_agents/:agent_id/tokens | The resulting list only includes active agent tokens
Get Token | GET /projects/:id/cluster_agents/:agent_id/tokens/:token_id | Returns a 404 if the agent token specified is revoked

Issue: #382131 (closed)

Deprecation Issue (released in %15.8): #382129 (closed)

Screenshots or screen recordings

Setup

List of Agent Tokens with one revoked token

setup_agent_tokens_with_revoked

Tests

GraphQL API

Query | Screenshot
ClusterAgent.tokens | graphql_list_tokens

REST API

Command | Screenshot
List Tokens | restapi_list_tokens
Get Token (Active) | restapi_get_token_active
Get Token (Revoked) | restapi_get_token_revoked

How to set up and validate locally

Setup

  1. In an example project, navigate to Infrastructure -> Kubernetes clusters and register a new agent (there is no need to connect to a K8s cluster as we are just testing the tokens)
  2. Navigate to the new Agent's page, and go to the Agent Tokens tab
  3. Create several tokens, and revoke one of the tokens

Test

UI

Reload the Agent Tokens page in the setup, and verify that the revoked agent tokens are not displayed

API

Run the following commands in the terminal.

  • REST API - List Agent Tokens

    curl -k -X GET \
    --header "Authorization: Bearer $PERSONAL_ACCESS_TOKEN" \
    "https://gdk.test:3443/api/v4/projects/:project_id/cluster_agents/:agent_id/tokens" \
    | json_pp -json_opt pretty,canonical
  • REST API - Get Agent Token

    curl -k -X GET \
    --header "Authorization: Bearer $PERSONAL_ACCESS_TOKEN" \
    "https://gdk.test:3443/api/v4/projects/:project_id/cluster_agents/:agent_id/tokens/:token_id" \
    | json_pp -json_opt pretty,canonical
  • GraphQL API - ClusterAgent.tokens

    curl "https://gdk.test:3443/api/graphql" \
    -k -X POST \
    --header "Authorization: Bearer $PERSONAL_ACCESS_TOKEN" \
    --header "Content-Type: application/json" \
    --data "{\"query\": \"query {project(fullPath: \\\"<project-full-path>\\\") {name clusterAgent(name: \\\"<agent-name>\\\") {name tokens {nodes {id name status}}}}}\"}" \
    | json_pp -json_opt pretty,canonical
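
The checks above can also be asserted mechanically on the saved JSON instead of read by eye. The following is an added example, not code from this MR or from GitLab: the sample responses are constructed, the helper names are hypothetical, and it assumes each token carries a `status` field (`active`/`revoked` in REST, upper case in GraphQL).

```python
import json

# Constructed sample responses (not captured from a real instance).
# Assumption: REST tokens carry a "status" of "active"/"revoked" and GraphQL
# reports the same field in upper case.
REST_LIST = json.loads('[{"id": 1, "name": "t1", "status": "active"},'
                       ' {"id": 3, "name": "t3", "status": "active"}]')
REST_LIST_LEAKY = REST_LIST + [{"id": 2, "name": "t2", "status": "revoked"}]
GRAPHQL = {"data": {"project": {"name": "demo", "clusterAgent": {
    "name": "agent-1", "tokens": {"nodes": [
        {"id": "gid://gitlab/Clusters::AgentToken/1", "name": "t1",
         "status": "ACTIVE"}]}}}}}


def tokens_from(body):
    """Return the token list from either a REST list or a GraphQL response."""
    if isinstance(body, list):
        return body
    if body.get("errors"):
        raise ValueError(f"GraphQL errors: {body['errors']}")
    agent = ((body.get("data") or {}).get("project") or {}).get("clusterAgent")
    if agent is None:
        # A wrong project path or agent name must not pass as "no revoked tokens".
        raise ValueError("project or clusterAgent missing from response")
    return agent["tokens"]["nodes"]


def non_active(body):
    """Names of listed tokens that are not active (missing status counts too)."""
    return [t["name"] for t in tokens_from(body)
            if str(t.get("status", "")).lower() != "active"]


def get_token_ok(http_status, token_is_revoked):
    """Get Token must return 404 for a revoked token and 200 for an active one."""
    return http_status == (404 if token_is_revoked else 200)


if __name__ == "__main__":
    for label, body in [("REST", REST_LIST), ("GraphQL", GRAPHQL),
                        ("REST (regressed)", REST_LIST_LEAKY)]:
        leaked = non_active(body)
        print(f"{label}: {'OK' if not leaked else 'exposes ' + ', '.join(leaked)}")
```

To run it against a local instance, load the output of the `curl` commands with `json.load` in place of the constructed samples, and pass the status code of the Get Agent Token request to `get_token_ok`.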

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pam Artiaga
