Admin Token API: Identify Pipeline trigger tokens

This commit adds support for identifying pipeline trigger tokens to the Admin Token API. Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/506554 Changelog: changed

Admin Token API: Identify Pipeline trigger tokens
586772c3 · Nicholas Wittstruck · GitLab · 532c2a75 · 586772c3 · 586772c3
--- a/doc/api/admin/token.md
+++ b/doc/api/admin/token.md
@@ -17,6 +17,7 @@ DETAILS:
 > - [OAuth application secrets added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172985) in GitLab 17.7.
 > - [Cluster agent tokens added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172932) in GitLab 17.7.
 > - [Runner authentication tokens added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173987) in GitLab 17.7.
+> - [Pipeline trigger tokens added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174030) in GitLab 17.7.

 FLAG:
 The availability of this feature is controlled by a feature flag.
@@ -44,6 +45,7 @@ Supported tokens:
 - [OAuth application secrets](../../integration/oauth_provider.md)
 - [Cluster agent tokens](../../security/tokens/index.md#gitlab-cluster-agent-tokens)
 - [Runner authentication tokens](../../security/tokens/index.md#runner-authentication-tokens)
+- [Pipeline trigger tokens](../../ci/triggers/index.md#create-a-pipeline-trigger-token)

 ```plaintext
 POST /api/v4/admin/token

--- a/lib/api/admin/token.rb
+++ b/lib/api/admin/token.rb
@@ -49,7 +49,7 @@ def identify_token(plaintext)

          status :ok

-          present identified_token.revocable, with: identified_token.present_with
+          present identified_token.revocable, with: identified_token.present_with, current_user: current_user
        end
      end
    end

--- a/lib/authn/agnostic_token_identifier.rb
+++ b/lib/authn/agnostic_token_identifier.rb
@@ -10,7 +10,8 @@ class AgnosticTokenIdentifier
      ::Authn::Tokens::PersonalAccessToken,
      ::Authn::Tokens::OauthApplicationSecret,
      ::Authn::Tokens::ClusterAgentToken,
-      ::Authn::Tokens::RunnerAuthenticationToken
+      ::Authn::Tokens::RunnerAuthenticationToken,
+      ::Authn::Tokens::CiTriggerToken
    ].freeze

    def self.token_for(plaintext, source)

--- a/lib/authn/tokens/ci_trigger_token.rb
+++ b/lib/authn/tokens/ci_trigger_token.rb
+# frozen_string_literal:true
+
+module Authn
+  module Tokens
+    class CiTriggerToken
+      def self.prefix?(plaintext)
+        plaintext.start_with?(::Ci::Trigger::TRIGGER_TOKEN_PREFIX)
+      end
+
+      attr_reader :revocable, :source
+
+      def initialize(plaintext, source)
+        @revocable = ::Ci::Trigger.find_by_token(plaintext)
+        @source = source
+      end
+
+      def present_with
+        ::API::Entities::Trigger
+      end
+
+      def revoke!(_current_user)
+        raise ::Authn::AgnosticTokenIdentifier::NotFoundError, 'Not Found' if revocable.blank?
+
+        raise ::Authn::AgnosticTokenIdentifier::UnsupportedTokenError, 'Unsupported token type'
+      end
+    end
+  end
+end
--- a/spec/factories/ci/triggers.rb
+++ b/spec/factories/ci/triggers.rb
@@ -5,7 +5,7 @@
    owner

    factory :ci_trigger do
-      sequence(:token) { |n| "token#{n}" }
+      sequence(:token) { |n| "#{Ci::Trigger::TRIGGER_TOKEN_PREFIX}token#{n}" }
    end
  end
 end
--- a/spec/features/triggers_spec.rb
+++ b/spec/features/triggers_spec.rb
@@ -204,7 +204,7 @@
        find_by_testid('reveal-hide-values-button').click

        aggregate_failures 'shows truncated token, no clipboard button and no edit link' do
-          expect(page.find('.triggers-list')).to have_content(project.triggers.first.token[0..3])
+          expect(page.find('.triggers-list')).to have_content(project.triggers.first.short_token)
          expect(page.find('.triggers-list')).not_to have_selector('[data-testid="clipboard-btn"]')
          expect(page.find('.triggers-list .trigger-owner')).not_to have_content user.name
          expect(page.find('.triggers-list')).not_to have_selector('a[title="Edit"]')

--- a/spec/lib/authn/agnostic_token_identifier_spec.rb
+++ b/spec/lib/authn/agnostic_token_identifier_spec.rb
@@ -13,6 +13,7 @@
  let_it_be(:oauth_application_secret) { create(:oauth_application).plaintext_secret }
  let_it_be(:cluster_agent_token) { create(:cluster_agent_token, token_encrypted: nil).token }
  let_it_be(:runner_authentication_token) { create(:ci_runner, registration_type: :authenticated_user).token }
+  let_it_be(:ci_trigger_token) { create(:ci_trigger).token }

  subject(:token) { described_class.token_for(plaintext, :group_token_revocation_service) }

@@ -25,6 +26,7 @@
      ref(:oauth_application_secret) | ::Authn::Tokens::OauthApplicationSecret
      ref(:cluster_agent_token) | ::Authn::Tokens::ClusterAgentToken
      ref(:runner_authentication_token) | ::Authn::Tokens::RunnerAuthenticationToken
+      ref(:ci_trigger_token) | ::Authn::Tokens::CiTriggerToken
      'unsupported' | NilClass
    end


--- a/spec/lib/authn/tokens/ci_trigger_token_spec.rb
+++ b/spec/lib/authn/tokens/ci_trigger_token_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Authn::Tokens::CiTriggerToken, feature_category: :system_access do
+  let_it_be(:user) { create(:user) }
+
+  let(:ci_trigger) { create(:ci_trigger) }
+
+  subject(:token) { described_class.new(plaintext, :api_admin_token) }
+
+  context 'with valid ci trigger token' do
+    let(:plaintext) { ci_trigger.token }
+    let(:valid_revocable) { ci_trigger }
+
+    it_behaves_like 'finding the valid revocable'
+
+    describe '#revoke!' do
+      it 'does not support revocation yet' do
+        expect do
+          token.revoke!(user)
+        end.to raise_error(::Authn::AgnosticTokenIdentifier::UnsupportedTokenError, 'Unsupported token type')
+      end
+    end
+  end
+
+  it_behaves_like 'token handling with unsupported token type'
+end
--- a/spec/requests/api/admin/token_spec.rb
+++ b/spec/requests/api/admin/token_spec.rb
@@ -14,6 +14,7 @@
  let_it_be(:cluster_agent_token) { create(:cluster_agent_token, token_encrypted: nil) }
  let_it_be(:runner_authentication_token) { create(:ci_runner, registration_type: :authenticated_user) }
  let_it_be(:impersonation_token) { create(:personal_access_token, :impersonation, user: user) }
+  let_it_be(:ci_trigger) { create(:ci_trigger) }

  let(:plaintext) { nil }
  let(:params) { { token: plaintext } }
@@ -31,7 +32,8 @@
            [ref(:oauth_application), lazy { oauth_application.plaintext_secret }],
            [ref(:cluster_agent_token), lazy { cluster_agent_token.token }],
            [ref(:runner_authentication_token), lazy { runner_authentication_token.token }],
-            [ref(:impersonation_token), lazy { impersonation_token.token }]
+            [ref(:impersonation_token), lazy { impersonation_token.token }],
+            [ref(:ci_trigger), lazy { ci_trigger.token }]
          ]
        end


--- a/spec/requests/api/graphql/project_query_spec.rb
+++ b/spec/requests/api/graphql/project_query_spec.rb
@@ -69,7 +69,7 @@
            'description' => pipeline_trigger.description,
            'hasTokenExposed' => false,
            'lastUsed' => nil,
-            'token' => pipeline_trigger.token[0, 4]
+            'token' => pipeline_trigger.short_token
          })
        end
      end