feat: allow non-admin config tokens to rotate using rotation API

ilijamt · May 23, 2024 · d86cf29 · d86cf29
1 parent aa7d6bc
commit d86cf29
Showing 1 changed file with 46 additions and 18 deletions.
diff --git a/gitlab_client.go b/gitlab_client.go
@@ -70,24 +70,29 @@ func (gc *gitlabClient) RotateCurrentToken(revokeOldToken bool) (*EntryToken, *E
 	}
 
 	var token *EntryToken
-	token, err = gc.CreatePersonalAccessToken(
-		usr.Username,
-		currentEntryToken.UserID,
-		fmt.Sprintf("%s-%d", currentEntryToken.Name, time.Now().Unix()),
-		time.Now().Add(durationTTL),
-		currentEntryToken.Scopes,
-	)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	gc.config.Token = token.Token
-	if token.ExpiresAt != nil {
-		gc.config.TokenExpiresAt = *token.ExpiresAt
-	}
-
-	if revokeOldToken {
-		_, err = gc.client.PersonalAccessTokens.RevokePersonalAccessToken(currentEntryToken.TokenID)
+	if usr.IsAdmin {
+		token, err = gc.CreatePersonalAccessToken(
+			usr.Username,
+			currentEntryToken.UserID,
+			fmt.Sprintf("%s-%d", currentEntryToken.Name, time.Now().Unix()),
+			time.Now().Add(durationTTL),
+			currentEntryToken.Scopes,
+		)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		gc.config.Token = token.Token
+		if token.ExpiresAt != nil {
+			gc.config.TokenExpiresAt = *token.ExpiresAt
+		}
+
+		if revokeOldToken {
+			_, err = gc.client.PersonalAccessTokens.RevokePersonalAccessToken(currentEntryToken.TokenID)
+		}
+	} else { // Non-Admin users must use the token rotation API
+		// TODO: Return Warning if revokeOldToken is false, as it will be revoked as part of the rotation API
+		token, err = gc.RotateTokenApi(usr.Username, currentEntryToken.TokenID, expiresAt)
 	}
 
 	gc.client = nil
@@ -134,6 +139,29 @@ func (gc *gitlabClient) CreatePersonalAccessToken(username string, userId int, n
 	}, nil
 }
 
+// RotateTokenApi will use the gitlab token rotation API, as documented https://docs.gitlab.com/ee/api/personal_access_tokens.html#rotate-a-personal-access-token
+func (gc *gitlabClient) RotateTokenApi(username string, tokenID int, expiresAt time.Time) (*EntryToken, error) {
+	at, _, err := gc.client.PersonalAccessTokens.RotatePersonalAccessToken(tokenID, &g.RotatePersonalAccessTokenOptions{
+		ExpiresAt: (*g.ISOTime)(&expiresAt),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &EntryToken{
+		TokenID:     at.ID,
+		UserID:      at.UserID,
+		ParentID:    "",
+		Path:        username,
+		Name:        at.Name,
+		Token:       at.Token,
+		TokenType:   TokenTypePersonal,
+		CreatedAt:   at.CreatedAt,
+		ExpiresAt:   (*time.Time)(at.ExpiresAt),
+		Scopes:      at.Scopes,
+		AccessLevel: AccessLevelUnknown,
+	}, nil
+}
+
 func (gc *gitlabClient) CreateGroupAccessToken(groupId string, name string, expiresAt time.Time, scopes []string, accessLevel AccessLevel) (*EntryToken, error) {
 	var al = new(g.AccessLevelValue)
 	*al = g.AccessLevelValue(accessLevel.Value())