From 167ce6ed80cbafd0a871c565c22665d898f6d81d Mon Sep 17 00:00:00 2001
From: tobiasbp
Date: Thu, 16 Nov 2023 00:52:35 +0000
Subject: [PATCH] add-scope-to-token (#33)

This PR adds the ability to set scopes for tokens (they can not be used for much without). Removed the _username_ from the _token resource_ as the owner can not be configured, as it will be owned by the user creating the resource. As far as I can tell, it's not possible to modify the scopes for a existing token using the API, so a token created by the provider will be recreated if the list of scopes is updated. This reflects what is possible using the GUI. This PR fixes this issue: https://gitea.com/gitea/terraform-provider-gitea/issues/32
Reviewed-on: https://gitea.com/gitea/terraform-provider-gitea/pulls/33
Co-authored-by: tobiasbp
Co-committed-by: tobiasbp
---
 docs/resources/token.md | 16 ++----
 examples/resources/gitea_token/resource.tf | 14 ++---
 gitea/resource_gitea_token.go | 61 ++++++++++++++++++----
 3 files changed, 58 insertions(+), 33 deletions(-)

diff --git a/docs/resources/token.md b/docs/resources/token.md
index f583739..d885955 100644
--- a/docs/resources/token.md
+++ b/docs/resources/token.md
@@ -30,18 +30,10 @@ provider "gitea" {
   password = var.gitea_password
 }
 
-resource "gitea_user" "test" {
-  username = "test"
-  login_name = "test"
-  password = "Geheim1!"
-  email = "test@user.dev"
-  must_change_password = false
-  admin = true
-}
-
+// The token owner is the creator of the token
 resource "gitea_token" "test_token" {
-  username = resource.gitea_user.test.username
-  name = "test-token"
+  name = "test_token"
+  scopes = ["all"]
 }
 
 output "token" {
@@ -56,7 +48,7 @@ output "token" {
 
 ### Required
 
 - `name` (String) The name of the Access Token
-- `username` (String) The owner of the Access Token
+- `scopes` (Set of String) List of string representations of scopes for the token
 
 ### Read-Only
diff --git a/examples/resources/gitea_token/resource.tf b/examples/resources/gitea_token/resource.tf
index a6707fe..eddad5b 100644
--- a/examples/resources/gitea_token/resource.tf
+++ b/examples/resources/gitea_token/resource.tf
@@ -5,18 +5,10 @@ provider "gitea" {
   password = var.gitea_password
 }
 
-resource "gitea_user" "test" {
-  username = "test"
-  login_name = "test"
-  password = "Geheim1!"
-  email = "test@user.dev"
-  must_change_password = false
-  admin = true
-}
-
+// The token owner is the creator of the token
 resource "gitea_token" "test_token" {
-  username = resource.gitea_user.test.username
-  name = "test-token"
+  name = "test_token"
+  scopes = ["all"]
 }
 
 output "token" {
diff --git a/gitea/resource_gitea_token.go b/gitea/resource_gitea_token.go
index 230e6dd..26893d4 100644
--- a/gitea/resource_gitea_token.go
+++ b/gitea/resource_gitea_token.go
@@ -9,12 +9,36 @@ import (
 )
 
 const (
-	TokenUsername string = "username"
 	TokenName string = "name"
 	TokenHash string = "token"
 	TokenLastEight string = "last_eight"
+	TokenScopes string = "scopes"
 )
 
+// validScopes contains the valid scopes for tokens as listed
+// at https://docs.gitea.com/development/oauth2-provider#scopes
+var validScopes = map[string]bool{
+	"all": true,
+	"read:activitypub": true,
+	"write:activitypub": true,
+	"read:admin": true,
+	"write:admin": true,
+	"read:issue": true,
+	"write:issue": true,
+	"read:misc": true,
+	"write:misc": true,
+	"read:notification": true,
+	"write:notification": true,
+	"read:organization": true,
+	"write:organization": true,
+	"read:package": true,
+	"write:package": true,
+	"read:repository": true,
+	"write:repository": true,
+	"read:user": true,
+	"write:user": true,
+}
+
 func searchTokenById(c *gitea.Client, id int64) (res *gitea.AccessToken, err error) {
 	page := 1
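Review bot: validScopes hard-codes the accepted scope names, so a scope that the connected Gitea server accepts but the map lacks is rejected by the provider, while a name the map has but an older server does not know fails only when the API call is made; a comment recording which Gitea release the list was copied from would tell the next maintainer when to refresh it, e.g. `// validScopes mirrors the token scopes documented for the Gitea release this provider targets; refresh when the server adds or renames scopes`. Since the map is only ever used for membership, `map[string]struct{}` with a `_, ok := validScopes[s]` lookup states that intent more directly than `map[string]bool`, though the bool form does read cleanly at the call site. Dropping `TokenUsername` here, together with the `username` schema attribute removed in a later hunk of this file, is a breaking change for any existing configuration that sets `username`; the PR description explains why, but it is worth stating the upgrade impact explicitly in the changelog or documentation.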
@@ -47,10 +71,23 @@ func resourceTokenCreate(d *schema.ResourceData, meta interface{}) (err error) {
 	client := meta.(*gitea.Client)
 
-	var opt gitea.CreateAccessTokenOption
-	opt.Name = d.Get(TokenName).(string)
+	// Create a list of valid scopes. Thrown an error if an invalid scope is found
+	var scopes []gitea.AccessTokenScope
+	for _, s := range d.Get(TokenScopes).(*schema.Set).List() {
+		s := s.(string)
+		if validScopes[s] {
+			scopes = append(scopes, gitea.AccessTokenScope(s))
+		} else {
+			return fmt.Errorf("Invalid token scope: '%s'", s)
+		}
+	}
 
-	token, _, err := client.CreateAccessToken(opt)
+	opts := gitea.CreateAccessTokenOption{
+		Name: d.Get(TokenName).(string),
+		Scopes: scopes,
+	}
+
+	token, _, err := client.CreateAccessToken(opts)
 
 	if err != nil {
 		return err
@@ -106,6 +143,7 @@ func setTokenResourceData(token *gitea.AccessToken, d *schema.ResourceData) (err
 		d.Set(TokenHash, token.Token)
 	}
 	d.Set(TokenLastEight, token.TokenLastEight)
+	d.Set(TokenScopes, token.Scopes)
 
 	return
 }
@@ -119,12 +157,6 @@ func resourceGiteaToken() *schema.Resource {
 			StateContext: schema.ImportStatePassthroughContext,
 		},
 		Schema: map[string]*schema.Schema{
-			"username": {
-				Type: schema.TypeString,
-				Required: true,
-				ForceNew: true,
-				Description: "The owner of the Access Token",
-			},
 			"name": {
 				Type: schema.TypeString,
 				Required: true,
@@ -141,6 +173,15 @@ func resourceGiteaToken() *schema.Resource {
 				Type: schema.TypeString,
 				Computed: true,
 			},
+			"scopes": {
+				Type: schema.TypeSet,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Required: true,
+				ForceNew: true,
+				Description: "List of string representations of scopes for the token",
+			},
 		},
 		Description: "`gitea_token` manages gitea Access Tokens.\n\n" +
 			"Due to upstream limitations (see https://gitea.com/gitea/go-sdk/issues/610) this resource\n" +
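Review bot: The error returned from the scope loop in resourceTokenCreate, `fmt.Errorf("Invalid token scope: '%s'", s)`, should follow Go convention — lowercase, no hand-quoting, `%q` for a user-supplied value — as `return fmt.Errorf("invalid token scope %q", s)`, and the comment above it should read `// Build the list of scopes, returning an error if an invalid scope is found` (the current "Thrown" is a typo, and nothing is thrown). Because `scopes` is a schema attribute, this validation could run at plan time rather than apply time by attaching a `ValidateFunc` to the `scopes` Elem schema in the last hunk of this file; SDK v2 appears to accept validators on primitive set elements, but confirm against the SDK version the module pins. In the setTokenResourceData hunk, `d.Set(TokenScopes, token.Scopes)` writes whatever the server reports back into state; set ordering is absorbed, but if the server expands or renames scopes (for example when `all` is used alongside narrower ones) the resulting diff would, combined with `ForceNew`, recreate the token on every apply — an acceptance test with a mixed scope list would settle this. The body of resourceTokenCreate continues outside the hunk.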