Add crate_scopes and endpoint_scopes fields to the PUT /me/tokens API endpoint (#5973)

Turbo87 · web-flow · commit bac756e51e44 · 2023-01-23T10:25:34.000+01:00
diff --git a/src/controllers/token.rs b/src/controllers/token.rs
@@ -5,6 +5,7 @@ use crate::schema::api_tokens;
 use crate::views::EncodableApiTokenWithToken;
 
 use crate::auth::AuthCheck;
+use crate::models::token::{CrateScope, EndpointScope};
 use axum::response::IntoResponse;
 use serde_json as json;
 
@@ -32,6 +33,8 @@ pub async fn new(app: AppState, req: BytesRequest) -> AppResult<Json<Value>> {
         #[derive(Deserialize, Serialize)]
         struct NewApiToken {
             name: String,
+            crate_scopes: Option<Vec<String>>,
+            endpoint_scopes: Option<Vec<String>>,
         }
 
         /// The incoming serialization format for the `ApiToken` model.
@@ -67,7 +70,32 @@ pub async fn new(app: AppState, req: BytesRequest) -> AppResult<Json<Value>> {
             )));
         }
 
-        let api_token = ApiToken::insert(&conn, user.id, name)?;
+        let crate_scopes = new
+            .api_token
+            .crate_scopes
+            .map(|scopes| {
+                scopes
+                    .into_iter()
+                    .map(CrateScope::try_from)
+                    .collect::<Result<Vec<_>, _>>()
+            })
+            .transpose()
+            .map_err(|_err| bad_request("invalid crate scope"))?;
+
+        let endpoint_scopes = new
+            .api_token
+            .endpoint_scopes
+            .map(|scopes| {
+                scopes
+                    .into_iter()
+                    .map(|scope| EndpointScope::try_from(scope.as_bytes()))
+                    .collect::<Result<Vec<_>, _>>()
+            })
+            .transpose()
+            .map_err(|_err| bad_request("invalid endpoint scope"))?;
+
+        let api_token =
+            ApiToken::insert_with_scopes(&conn, user.id, name, crate_scopes, endpoint_scopes)?;
         let api_token = EncodableApiTokenWithToken::from(api_token);
 
         Ok(Json(json!({ "api_token": api_token })))
diff --git a/src/tests/routes/me/tokens/create.rs b/src/tests/routes/me/tokens/create.rs
@@ -1,4 +1,5 @@
 use crate::util::{RequestHelper, TestApp};
+use cargo_registry::models::token::{CrateScope, EndpointScope};
 use cargo_registry::models::ApiToken;
 use cargo_registry::views::EncodableApiTokenWithToken;
 use diesel::prelude::*;
@@ -72,6 +73,8 @@ fn create_token_success() {
     assert_eq!(tokens[0].name, "bar");
     assert!(!tokens[0].revoked);
     assert_eq!(tokens[0].last_used_at, None);
+    assert_eq!(tokens[0].crate_scopes, None);
+    assert_eq!(tokens[0].endpoint_scopes, None);
 }
 
 #[test]
@@ -107,3 +110,108 @@ fn cannot_create_token_with_token() {
         json!({ "errors": [{ "detail": "cannot use an API token to create a new API token" }] })
     );
 }
+
+#[test]
+fn create_token_with_scopes() {
+    let (app, _, user) = TestApp::init().with_user();
+
+    let json = json!({
+        "api_token": {
+            "name": "bar",
+            "crate_scopes": ["tokio", "tokio-*"],
+            "endpoint_scopes": ["publish-update"],
+        }
+    });
+
+    let json: NewResponse = user
+        .put("/api/v1/me/tokens", &serde_json::to_vec(&json).unwrap())
+        .good();
+    assert_eq!(json.api_token.name, "bar");
+    assert!(!json.api_token.token.is_empty());
+
+    let tokens: Vec<ApiToken> =
+        app.db(|conn| assert_ok!(ApiToken::belonging_to(user.as_model()).load(conn)));
+    assert_eq!(tokens.len(), 1);
+    assert_eq!(tokens[0].name, "bar");
+    assert!(!tokens[0].revoked);
+    assert_eq!(tokens[0].last_used_at, None);
+    assert_eq!(
+        tokens[0].crate_scopes,
+        Some(vec![
+            CrateScope::try_from("tokio").unwrap(),
+            CrateScope::try_from("tokio-*").unwrap()
+        ])
+    );
+    assert_eq!(
+        tokens[0].endpoint_scopes,
+        Some(vec![EndpointScope::PublishUpdate])
+    );
+}
+
+#[test]
+fn create_token_with_null_scopes() {
+    let (app, _, user) = TestApp::init().with_user();
+
+    let json = json!({
+        "api_token": {
+            "name": "bar",
+            "crate_scopes": null,
+            "endpoint_scopes": null,
+        }
+    });
+
+    let json: NewResponse = user
+        .put("/api/v1/me/tokens", &serde_json::to_vec(&json).unwrap())
+        .good();
+    assert_eq!(json.api_token.name, "bar");
+    assert!(!json.api_token.token.is_empty());
+
+    let tokens: Vec<ApiToken> =
+        app.db(|conn| assert_ok!(ApiToken::belonging_to(user.as_model()).load(conn)));
+    assert_eq!(tokens.len(), 1);
+    assert_eq!(tokens[0].name, "bar");
+    assert!(!tokens[0].revoked);
+    assert_eq!(tokens[0].last_used_at, None);
+    assert_eq!(tokens[0].crate_scopes, None);
+    assert_eq!(tokens[0].endpoint_scopes, None);
+}
+
+#[test]
+fn create_token_with_empty_crate_scope() {
+    let (_, _, user) = TestApp::init().with_user();
+
+    let json = json!({
+        "api_token": {
+            "name": "bar",
+            "crate_scopes": ["", "tokio-*"],
+            "endpoint_scopes": ["publish-update"],
+        }
+    });
+
+    let response = user.put::<()>("/api/v1/me/tokens", &serde_json::to_vec(&json).unwrap());
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    assert_eq!(
+        response.into_json(),
+        json!({ "errors": [{ "detail": "invalid crate scope" }] })
+    );
+}
+
+#[test]
+fn create_token_with_invalid_endpoint_scope() {
+    let (_, _, user) = TestApp::init().with_user();
+
+    let json = json!({
+        "api_token": {
+            "name": "bar",
+            "crate_scopes": ["tokio", "tokio-*"],
+            "endpoint_scopes": ["crash"],
+        }
+    });
+
+    let response = user.put::<()>("/api/v1/me/tokens", &serde_json::to_vec(&json).unwrap());
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+    assert_eq!(
+        response.into_json(),
+        json!({ "errors": [{ "detail": "invalid endpoint scope" }] })
+    );
+}
