add-scope-to-token (#33)

This PR adds the ability to set scopes for tokens (they can not be used for much without). Removed the _username_ from the _token resource_ as the owner can not be configured, as it will be owned by the user creating the resource. As far as I can tell, it's not possible to modify the scopes for a existing token using the API, so a token created by the provider will be recreated if the list of scopes is updated. This reflects what is possible using the GUI. This PR fixes this issue: https://gitea.com/gitea/terraform-provider-gitea/issues/32 Reviewed-on: https://gitea.com/gitea/terraform-provider-gitea/pulls/33 Co-authored-by: tobiasbp <tobiasbp@noreply.gitea.com> Co-committed-by: tobiasbp <tobiasbp@noreply.gitea.com>
2023-11-16 00:52:35 +00:00 · 2023-11-16 00:52:35 +00:00 · 167ce6ed80
parent 557ea2673a
commit 167ce6ed80
3 changed files with 58 additions and 33 deletions
--- a/docs/resources/token.md
+++ b/docs/resources/token.md
@ -30,18 +30,10 @@ provider "gitea" {
  password = var.gitea_password
 }

-resource "gitea_user" "test" {
-  username             = "test"
-  login_name           = "test"
-  password             = "Geheim1!"
-  email                = "test@user.dev"
-  must_change_password = false
-  admin                = true
-}
-
+// The token owner is the creator of the token
 resource "gitea_token" "test_token" {
-  username = resource.gitea_user.test.username
-  name     = "test-token"
+  name   = "test_token"
+  scopes = ["all"]
 }

 output "token" {
@ -56,7 +48,7 @@ output "token" {
 ### Required

 - `name` (String) The name of the Access Token
- `username` (String) The owner of the Access Token
+- `scopes` (Set of String) List of string representations of scopes for the token

 ### Read-Only

--- a/examples/resources/gitea_token/resource.tf
+++ b/examples/resources/gitea_token/resource.tf
@ -5,18 +5,10 @@ provider "gitea" {
  password = var.gitea_password
 }

-resource "gitea_user" "test" {
-  username             = "test"
-  login_name           = "test"
-  password             = "Geheim1!"
-  email                = "test@user.dev"
-  must_change_password = false
-  admin                = true
-}
-
+// The token owner is the creator of the token
 resource "gitea_token" "test_token" {
-  username = resource.gitea_user.test.username
-  name     = "test-token"
+  name   = "test_token"
+  scopes = ["all"]
 }

 output "token" {
--- a/gitea/resource_gitea_token.go
+++ b/gitea/resource_gitea_token.go
@ -9,12 +9,36 @@ import (
 )

 const (
-	TokenUsername  string = "username"
 	TokenName      string = "name"
 	TokenHash      string = "token"
 	TokenLastEight string = "last_eight"
+	TokenScopes    string = "scopes"
 )

+// validScopes contains the valid scopes for tokens as listed
+// at https://docs.gitea.com/development/oauth2-provider#scopes
+var validScopes = map[string]bool{
+	"all": true,
+	"read:activitypub": true,
+	"write:activitypub": true,
+	"read:admin": true,
+	"write:admin": true,
+	"read:issue": true,
+	"write:issue": true,
+	"read:misc": true,
+	"write:misc": true,
+	"read:notification": true,
+	"write:notification": true,
+	"read:organization": true,
+	"write:organization": true,
+	"read:package": true,
+	"write:package": true,
+	"read:repository": true,
+	"write:repository": true,
+	"read:user": true,
+	"write:user": true,
+}
+
 func searchTokenById(c *gitea.Client, id int64) (res *gitea.AccessToken, err error) {
 	page := 1

@ -47,10 +71,23 @@ func resourceTokenCreate(d *schema.ResourceData, meta interface{}) (err error) {

 	client := meta.(*gitea.Client)

-	var opt gitea.CreateAccessTokenOption
-	opt.Name = d.Get(TokenName).(string)
+	// Create a list of valid scopes. Thrown an error if an invalid scope is found
+	var scopes []gitea.AccessTokenScope
+	for _, s := range d.Get(TokenScopes).(*schema.Set).List() {
+		s := s.(string)
+		if validScopes[s] {
+			scopes = append(scopes, gitea.AccessTokenScope(s))
+		} else {
+			return fmt.Errorf("Invalid token scope: '%s'", s)
+		}
+	}

-	token, _, err := client.CreateAccessToken(opt)
+	opts := gitea.CreateAccessTokenOption{
+		Name: 	d.Get(TokenName).(string),
+		Scopes: scopes,
+	}
+
+	token, _, err := client.CreateAccessToken(opts)

 	if err != nil {
 		return err
@ -106,6 +143,7 @@ func setTokenResourceData(token *gitea.AccessToken, d *schema.ResourceData) (err
 		d.Set(TokenHash, token.Token)
 	}
 	d.Set(TokenLastEight, token.TokenLastEight)
+	d.Set(TokenScopes, token.Scopes)

 	return
 }
@ -119,12 +157,6 @@ func resourceGiteaToken() *schema.Resource {
 			StateContext: schema.ImportStatePassthroughContext,
 		},
 		Schema: map[string]*schema.Schema{
-			"username": {
-				Type:        schema.TypeString,
-				Required:    true,
-				ForceNew:    true,
-				Description: "The owner of the Access Token",
-			},
 			"name": {
 				Type:        schema.TypeString,
 				Required:    true,
@ -141,6 +173,15 @@ func resourceGiteaToken() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"scopes": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Required:    true,
+				ForceNew:    true,
+				Description: "List of string representations of scopes for the token",
+			},
 		},
 		Description: "`gitea_token` manages gitea Access Tokens.\n\n" +
 			"Due to upstream limitations (see https://gitea.com/gitea/go-sdk/issues/610) this resource\n" +