Limit the number of agent tokens created

This lowers the number of agent tokens that need to be managed, which helps with 1) security, and 2) performance This change is behind a feature flag. Changelog: changed

Limit the number of agent tokens created
bb7fee08 · Pam Artiaga · Kamil Trzciński · d427e9e5 · bb7fee08 · bb7fee08
--- a/app/services/clusters/agent_tokens/create_service.rb
+++ b/app/services/clusters/agent_tokens/create_service.rb
@@ -4,6 +4,7 @@ module Clusters
  module AgentTokens
    class CreateService
      ALLOWED_PARAMS = %i[agent_id description name].freeze
+      ACTIVE_TOKENS_LIMIT = 2

      attr_reader :agent, :current_user, :params

@@ -15,6 +16,7 @@ def initialize(agent:, current_user:, params:)

      def execute
        return error_no_permissions unless current_user.can?(:create_cluster, agent.project)
+        return error_active_tokens_limit_reached if active_tokens_limit_reached?

        token = ::Clusters::AgentToken.new(filtered_params.merge(agent_id: agent.id, created_by_user: current_user))

@@ -33,6 +35,16 @@ def error_no_permissions
        ServiceResponse.error(message: s_('ClusterAgent|User has insufficient permissions to create a token for this project'))
      end

+      def error_active_tokens_limit_reached
+        ServiceResponse.error(message: s_('ClusterAgent|An agent can have only two active tokens at a time'))
+      end
+
+      def active_tokens_limit_reached?
+        return false unless Feature.enabled?(:cluster_agents_limit_tokens_created)
+
+        ::Clusters::AgentTokensFinder.new(agent, current_user, status: :active).execute.count >= ACTIVE_TOKENS_LIMIT
+      end
+
      def filtered_params
        params.slice(*ALLOWED_PARAMS)
      end

--- a/config/feature_flags/development/cluster_agents_limit_tokens_created.yml
+++ b/config/feature_flags/development/cluster_agents_limit_tokens_created.yml
+---
+name: cluster_agents_limit_tokens_created
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120825
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/412399
+milestone: '16.1'
+type: development
+group: group::environments
+default_enabled: false
--- a/doc/api/cluster_agents.md
+++ b/doc/api/cluster_agents.md
@@ -365,12 +365,15 @@ Example response:

 ## Create an agent token

-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/347046) in GitLab 15.0.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/347046) in GitLab 15.0.
+> - Two-token limit [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361030) in GitLab 16.1.

 Creates a new token for an agent.

 You must have at least the Maintainer role to use this endpoint.

+An agent can have only two active tokens at one time.
+
 ```plaintext
 POST /projects/:id/cluster_agents/:agent_id/tokens
 ```

--- a/doc/user/clusters/agent/work_with_agent.md
+++ b/doc/user/clusters/agent/work_with_agent.md
@@ -91,6 +91,9 @@ For more information about debugging, see [troubleshooting documentation](troubl

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327152) in GitLab 14.9.
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336641) in GitLab 14.10, the agent token can be revoked from the UI.
+> - Two-token limit [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/361030) in GitLab 16.1.
+
+An agent can have only two active tokens at one time.

 To reset the agent token without downtime:


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10415,6 +10415,9 @@ msgstr ""
 msgid "ClusterAgents|shared"
 msgstr ""
  
+msgid "ClusterAgent|An agent can have only two active tokens at a time"
+msgstr ""
+
 msgid "ClusterAgent|User has insufficient permissions to create a token for this project"
 msgstr ""
  
--- a/spec/graphql/mutations/clusters/agent_tokens/create_spec.rb
+++ b/spec/graphql/mutations/clusters/agent_tokens/create_spec.rb
@@ -50,6 +50,18 @@
        expect(token.description).to eq(description)
        expect(token.name).to eq(name)
      end
+
+      context 'when the active agent tokens limit is reached' do
+        before do
+          create(:cluster_agent_token, agent: cluster_agent)
+          create(:cluster_agent_token, agent: cluster_agent)
+        end
+
+        it 'raises an error' do
+          expect { subject }.not_to change { ::Clusters::AgentToken.count }
+          expect(subject[:errors]).to eq(["An agent can have only two active tokens at a time"])
+        end
+      end
    end
  end
 end
--- a/spec/requests/api/clusters/agent_tokens_spec.rb
+++ b/spec/requests/api/clusters/agent_tokens_spec.rb
@@ -162,6 +162,28 @@
        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
+
+    context 'when the active agent tokens limit is reached' do
+      before do
+        # create an additional agent token to make it 2
+        create(:cluster_agent_token, agent: agent)
+      end
+
+      it 'returns a bad request (400) error' do
+        params = {
+          name: 'test-token',
+          description: 'Test description'
+        }
+        post(api("/projects/#{project.id}/cluster_agents/#{agent.id}/tokens", user), params: params)
+
+        aggregate_failures "testing response" do
+          expect(response).to have_gitlab_http_status(:bad_request)
+
+          error_message = json_response['message']
+          expect(error_message).to eq('400 Bad request - An agent can have only two active tokens at a time')
+        end
+      end
+    end
  end

  describe 'DELETE /projects/:id/cluster_agents/:agent_id/tokens/:token_id' do

--- a/spec/services/clusters/agent_tokens/create_service_spec.rb
+++ b/spec/services/clusters/agent_tokens/create_service_spec.rb
@@ -78,6 +78,33 @@
          expect(subject.message).to eq(["Name can't be blank"])
        end
      end
+
+      context 'when the active agent tokens limit is reached' do
+        before do
+          create(:cluster_agent_token, agent: cluster_agent)
+          create(:cluster_agent_token, agent: cluster_agent)
+        end
+
+        it 'returns an error' do
+          expect(subject.status).to eq(:error)
+          expect(subject.message).to eq('An agent can have only two active tokens at a time')
+        end
+
+        context 'when cluster_agents_limit_tokens_created feature flag is disabled' do
+          before do
+            stub_feature_flags(cluster_agents_limit_tokens_created: false)
+          end
+
+          it 'creates a new token' do
+            expect { subject }.to change { ::Clusters::AgentToken.count }.by(1)
+          end
+
+          it 'returns success status', :aggregate_failures do
+            expect(subject.status).to eq(:success)
+            expect(subject.message).to be_nil
+          end
+        end
+      end
    end
  end
 end